[security] Upgrade jackson-databind to get rid of CVE-2020-36518 (#3140)

* [security] Upgrade jackson-databind to get rid of CVE-2020-36518

bookkeeper-dist/src/main/resources/LICENSE-all.bin.txt

@@ -207,7 +207,7 @@ Apache Software License, Version 2.
 
 - lib/com.fasterxml.jackson.core-jackson-annotations-2.13.2.jar [1]
 - lib/com.fasterxml.jackson.core-jackson-core-2.13.2.jar [2]
-- lib/com.fasterxml.jackson.core-jackson-databind-2.13.2.jar [3]
+- lib/com.fasterxml.jackson.core-jackson-databind-2.13.2.1.jar [3]
 - lib/com.google.guava-guava-31.0.1-jre.jar [4]
 - lib/com.google.guava-failureaccess-1.0.1.jar [4]
 - lib/com.google.guava-listenablefuture-9999.0-empty-to-avoid-conflict-with-guava.jar [4]

bookkeeper-dist/src/main/resources/LICENSE-bkctl.bin.txt

@@ -207,7 +207,7 @@ Apache Software License, Version 2.
 
 - lib/com.fasterxml.jackson.core-jackson-annotations-2.13.2.jar [1]
 - lib/com.fasterxml.jackson.core-jackson-core-2.13.2.jar [2]
-- lib/com.fasterxml.jackson.core-jackson-databind-2.13.2.jar [3]
+- lib/com.fasterxml.jackson.core-jackson-databind-2.13.2.1.jar [3]
 - lib/com.google.guava-guava-31.0.1-jre.jar [4]
 - lib/com.google.guava-failureaccess-1.0.1.jar [4]
 - lib/com.google.guava-listenablefuture-9999.0-empty-to-avoid-conflict-with-guava.jar [4]

bookkeeper-dist/src/main/resources/LICENSE-server.bin.txt

@@ -207,7 +207,7 @@ Apache Software License, Version 2.
 
 - lib/com.fasterxml.jackson.core-jackson-annotations-2.13.2.jar [1]
 - lib/com.fasterxml.jackson.core-jackson-core-2.13.2.jar [2]
-- lib/com.fasterxml.jackson.core-jackson-databind-2.13.2.jar [3]
+- lib/com.fasterxml.jackson.core-jackson-databind-2.13.2.1.jar [3]
 - lib/com.google.guava-guava-31.0.1-jre.jar [4]
 - lib/com.google.guava-failureaccess-1.0.1.jar [4]
 - lib/com.google.guava-listenablefuture-9999.0-empty-to-avoid-conflict-with-guava.jar [4]

build.gradle

@@ -309,6 +309,7 @@ allprojects {
         dependencies {
             implementation(enforcedPlatform(depLibs.nettyBom))
             testImplementation depLibs.log4jSlf4jImpl
+            implementation(enforcedPlatform(depLibs.jacksonBom))
         }
 
         dependencies {

dependencies.gradle

@@ -50,6 +50,8 @@ depVersions = [
     hdrhistogram: "2.1.10",
     httpclient: "4.5.13",
     jackson: "2.13.2",
+    jacksonBom: "2.13.2.20220324",
+    jacksonDatabind: "2.13.2.1",
     javaxServlet: "4.0.0",
     javaAnnotations:"1.3.2",
     jcommander: "1.78",
@@ -151,6 +153,7 @@ depLibs = [
     },
     jacksonAnnotations: "com.fasterxml.jackson.core:jackson-annotations:${depVersions.jackson}",
     javaAnnotations: "javax.annotation:javax.annotation-api:${depVersions.javaAnnotations}",
+    jacksonBom: "com.fasterxml.jackson:jackson-bom:${depVersions.jacksonBom}",
     jacksonCore: "com.fasterxml.jackson.core:jackson-core:${depVersions.jackson}",
     jacksonDatabind: "com.fasterxml.jackson.core:jackson-databind:${depVersions.jackson}",
     javaxServlet: "javax.servlet:javax.servlet-api:${depVersions.javaxServlet}",

pom.xml

@@ -137,6 +137,7 @@
     <hamcrest.version>1.3</hamcrest.version>
     <hdrhistogram.version>2.1.10</hdrhistogram.version>
     <jackson.version>2.13.2</jackson.version>
+    <jackson-databind.version>2.13.2.1</jackson-databind.version>
     <jcommander.version>1.78</jcommander.version>
     <jetty.version>9.4.43.v20210629</jetty.version>
     <jmh.version>1.19</jmh.version>
@@ -349,6 +350,12 @@
         <type>pom</type>
         <scope>import</scope>
       </dependency>
+
+      <dependency>
+        <groupId>com.fasterxml.jackson.core</groupId>
+        <artifactId>jackson-databind</artifactId>
+        <version>${jackson-databind.version}</version>
+      </dependency>
       <dependency>
         <groupId>javax.servlet</groupId>
         <artifactId>javax.servlet-api</artifactId>