
Update jackson-databind version; resolves #279. #280

Merged (1 commit) Oct 16, 2018

3 participants
@ruebot (Member) commented Oct 16, 2018

GitHub issue(s): #279

What does this Pull Request do?

Update jackson-databind version for CVE-2017-7525.

How should this be tested?

  • TravisCI should pass

@ruebot ruebot requested review from lintool and ianmilligan1 Oct 16, 2018

@ruebot (Member) commented Oct 16, 2018

We got a notice for 2.8.11.1 as well, but I'm not seeing it in our pom.xml or here:

    [nruest@wombat:aut] (git)-[issue-279]-$ mvn dependency:tree | grep databind
    [INFO] +- com.fasterxml.jackson.core:jackson-databind:jar:2.8.9:compile
@codecov-io commented Oct 16, 2018

Codecov Report

Merging #280 into master will not change coverage.
The diff coverage is n/a.

    @@           Coverage Diff           @@
    ##           master     #280   +/-   ##
    =======================================
      Coverage   70.36%   70.36%
    =======================================
      Files          41       41
      Lines        1046     1046
      Branches      192      192
    =======================================
      Hits          736      736
      Misses        244      244
      Partials       66       66

Legend: Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Last update f19dc9a...a9b14a4.

@ianmilligan1 (Member) commented Oct 16, 2018

If this looks good to you as well @lintool, I can merge?

@ianmilligan1 ianmilligan1 merged commit 72cb5e2 into archivesunleashed:master Oct 16, 2018

3 checks passed

  • codecov/patch: Coverage not affected when comparing f19dc9a...a9b14a4
  • codecov/project: 70.36% remains the same compared to f19dc9a
  • continuous-integration/travis-ci/pr: The Travis CI build passed

@ruebot ruebot deleted the ruebot:issue-279 branch Oct 16, 2018

@ruebot (Member) commented Oct 16, 2018

Looks like there was a third follow-up to this alert. 2.8.9 is bad too.

> FasterXML jackson-databind before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.

I'll update again.
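The maintainer's check above was a manual `grep databind` over `mvn dependency:tree` followed by eyeballing the version against the advisory. The script below, an added example rather than code from the aut project, automates that step: it parses `dependency:tree` lines and flags any jackson-databind artifact whose version falls inside the ranges the advisory names (before 2.8.11.1, and 2.9.x before 2.9.5). The sample tree output is constructed around the line pasted in the comment; the extra lines are made up.

```python
"""Flag vulnerable jackson-databind versions in `mvn dependency:tree` output.

Added example, not code from the aut project. The affected ranges are taken
from the advisory quoted above: anything before 2.8.11.1, and 2.9.x before 2.9.5.
"""
import re

# Constructed sample: the real line from the comment plus two made-up lines
# (a sibling jackson-core artifact and a test-scoped, already-fixed databind).
SAMPLE_TREE = """\
[INFO] +- com.fasterxml.jackson.core:jackson-databind:jar:2.8.9:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-core:jar:2.8.9:compile
[INFO] +- com.fasterxml.jackson.core:jackson-databind:jar:2.9.5:test
"""

# dependency:tree prints groupId:artifactId:type[:classifier]:version:scope
DEP_RE = re.compile(
    r"(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):(?P<type>[\w\-]+)"
    r"(?::(?P<classifier>[\w.\-]+))?:(?P<version>\d[\w.\-]*):(?P<scope>\w+)\s*$"
)

def parse_version(v):
    """'2.8.11.1' -> (2, 8, 11, 1); stops at the first non-numeric part (e.g. '-rc1')."""
    parts = []
    for p in re.split(r"[.\-]", v):
        if not p.isdigit():
            break
        parts.append(int(p))
    # Pad to four components so 2.8.11 and 2.8.11.1 compare component-wise.
    return tuple(parts + [0] * (4 - len(parts)))

def is_affected(version):
    """True if the version lies in an advisory range: < 2.8.11.1 or 2.9.0 <= v < 2.9.5."""
    v = parse_version(version)
    if v < parse_version("2.8.11.1"):
        return True
    return parse_version("2.9.0") <= v < parse_version("2.9.5")

def find_databind(tree_output):
    """Return [(version, scope, affected)] for every jackson-databind line in the tree."""
    hits = []
    for line in tree_output.splitlines():
        m = DEP_RE.search(line)
        if m and m.group("artifact") == "jackson-databind":
            ver = m.group("version")
            hits.append((ver, m.group("scope"), is_affected(ver)))
    return hits

if __name__ == "__main__":
    for ver, scope, bad in find_databind(SAMPLE_TREE):
        print(f"jackson-databind {ver} ({scope}): {'AFFECTED' if bad else 'ok'}")
```

Run it against real output with `mvn dependency:tree | python3 check.py` after swapping `SAMPLE_TREE` for `sys.stdin.read()`; transitive copies pulled in by other dependencies show up the same way as the direct one.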

@ruebot referenced this pull request Oct 16, 2018: CVE-2018-7489 fix. #281 (Open)
