[security] Upgrade jackson-databind to get rid of CVE-2020-36518 (#3140)
* [security] Upgrade jackson-databind to get rid of CVE-2020-36518
nicoloboschi committed Mar 27, 2022
1 parent a75b48b commit e4a2b54240d608763e8f9acd6ffb91740dfd3f10
Showing 6 changed files with 14 additions and 3 deletions.
@@ -207,7 +207,7 @@ Apache Software License, Version 2.

- lib/com.fasterxml.jackson.core-jackson-annotations-2.13.2.jar [1]
- lib/com.fasterxml.jackson.core-jackson-core-2.13.2.jar [2]
- lib/com.fasterxml.jackson.core-jackson-databind-2.13.2.jar [3]
- lib/com.fasterxml.jackson.core-jackson-databind-2.13.2.1.jar [3]
- lib/com.google.guava-guava-31.0.1-jre.jar [4]
- lib/com.google.guava-failureaccess-1.0.1.jar [4]
- lib/com.google.guava-listenablefuture-9999.0-empty-to-avoid-conflict-with-guava.jar [4]
@@ -207,7 +207,7 @@ Apache Software License, Version 2.

- lib/com.fasterxml.jackson.core-jackson-annotations-2.13.2.jar [1]
- lib/com.fasterxml.jackson.core-jackson-core-2.13.2.jar [2]
- lib/com.fasterxml.jackson.core-jackson-databind-2.13.2.jar [3]
- lib/com.fasterxml.jackson.core-jackson-databind-2.13.2.1.jar [3]
- lib/com.google.guava-guava-31.0.1-jre.jar [4]
- lib/com.google.guava-failureaccess-1.0.1.jar [4]
- lib/com.google.guava-listenablefuture-9999.0-empty-to-avoid-conflict-with-guava.jar [4]
@@ -207,7 +207,7 @@ Apache Software License, Version 2.

- lib/com.fasterxml.jackson.core-jackson-annotations-2.13.2.jar [1]
- lib/com.fasterxml.jackson.core-jackson-core-2.13.2.jar [2]
- lib/com.fasterxml.jackson.core-jackson-databind-2.13.2.jar [3]
- lib/com.fasterxml.jackson.core-jackson-databind-2.13.2.1.jar [3]
- lib/com.google.guava-guava-31.0.1-jre.jar [4]
- lib/com.google.guava-failureaccess-1.0.1.jar [4]
- lib/com.google.guava-listenablefuture-9999.0-empty-to-avoid-conflict-with-guava.jar [4]
@@ -309,6 +309,7 @@ allprojects {
dependencies {
implementation(enforcedPlatform(depLibs.nettyBom))
testImplementation depLibs.log4jSlf4jImpl
implementation(enforcedPlatform(depLibs.jacksonBom))
}

dependencies {
@@ -50,6 +50,8 @@ depVersions = [
hdrhistogram: "2.1.10",
httpclient: "4.5.13",
jackson: "2.13.2",
jacksonBom: "2.13.2.20220324",
jacksonDatabind: "2.13.2.1",
javaxServlet: "4.0.0",
javaAnnotations:"1.3.2",
jcommander: "1.78",
@@ -151,6 +153,7 @@ depLibs = [
},
jacksonAnnotations: "com.fasterxml.jackson.core:jackson-annotations:${depVersions.jackson}",
javaAnnotations: "javax.annotation:javax.annotation-api:${depVersions.javaAnnotations}",
jacksonBom: "com.fasterxml.jackson:jackson-bom:${depVersions.jacksonBom}",
jacksonCore: "com.fasterxml.jackson.core:jackson-core:${depVersions.jackson}",
jacksonDatabind: "com.fasterxml.jackson.core:jackson-databind:${depVersions.jackson}",
javaxServlet: "javax.servlet:javax.servlet-api:${depVersions.javaxServlet}",
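Review bot: `depLibs.jacksonDatabind` still interpolates `${depVersions.jackson}` (2.13.2), so the `jacksonDatabind: "2.13.2.1"` key added to `depVersions` in the previous hunk appears unused in what is shown here. The upgrade then seems to rest entirely on `enforcedPlatform(depLibs.jacksonBom)` in the build script, which governs only the `implementation` configuration and those extending it. Any configuration outside that set, or anything that reads the declared coordinate directly, would still get 2.13.2. Pointing the coordinate at the patched version makes the fix explicit and independent of the BOM: `jacksonDatabind: "com.fasterxml.jackson.core:jackson-databind:${depVersions.jacksonDatabind}",`. The `depLibs` map begins and ends outside this hunk, so other uses of the new key cannot be checked from here.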
@@ -137,6 +137,7 @@
<hamcrest.version>1.3</hamcrest.version>
<hdrhistogram.version>2.1.10</hdrhistogram.version>
<jackson.version>2.13.2</jackson.version>
<jackson-databind.version>2.13.2.1</jackson-databind.version>
<jcommander.version>1.78</jcommander.version>
<jetty.version>9.4.43.v20210629</jetty.version>
<jmh.version>1.19</jmh.version>
@@ -349,6 +350,12 @@
<type>pom</type>
<scope>import</scope>
</dependency>

<dependency>
<groupId>com.fasterxml.jackson.core</groupId>
<artifactId>jackson-databind</artifactId>
<version>${jackson-databind.version}</version>
</dependency>
<dependency>
<groupId>javax.servlet</groupId>
<artifactId>javax.servlet-api</artifactId>
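Review bot: The new `jackson-databind` entry pins `${jackson-databind.version}` separately from `${jackson.version}` with nothing recording why. A later bump of `jackson.version` can therefore leave databind behind at 2.13.2.1, out of step with jackson-core and jackson-annotations. A comment above the entry would capture the intent, for example `<!-- Override for CVE-2020-36518: remove once jackson.version itself includes the fix -->`. The surrounding dependency list starts and ends outside the hunk, so it is inferred rather than visible that this sits in `dependencyManagement` after the Jackson BOM import.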
