Update jackson version to 2.9.6. Fixes #2392 #2393

Merged: 1 commit merged into dropwizard:master on Jun 14, 2018

Conversation

4 participants
jmoney8080 (Contributor) commented Jun 14, 2018

Jackson patched a 2.9.6 version with some security fixes.

Problem:

Jackson 2.9.5 contains the following CVEs:

  • CVE-2018-12022
  • CVE-2018-12023

Solution:

Upgrade to Jackson 2.9.6, which contains patches for both of these CVEs.

Result:

CVEs are patched.

Update jackson version to 2.9.6. Fixes #2392
Jackson patched a 2.9.6 version with some security fixes.
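A version bump in the project's BOM only helps if the application's resolved classpath actually ends up on 2.9.6: a transitive dependency can still pin an older jackson-databind, and mixing Jackson module versions is a problem of its own. The check below is an added example, not code from this PR or from Dropwizard. It assumes the line format printed by `mvn dependency:tree -Dverbose -Dincludes=com.fasterxml.jackson` (the group/artifact/type/version/scope coordinate, with "omitted for conflict" entries in parentheses) and scans it for any Jackson artifact older than 2.9.6; the sample tree in the block is constructed, including its Dropwizard and example-app coordinates.

```python
"""Flag Jackson artifacts below a minimum version in `mvn dependency:tree` output.

Added example; the parsed format is the one maven-dependency-plugin prints,
and SAMPLE_TREE is a constructed fixture, not real project output.
"""
import re
from typing import List, Tuple

# First 2.9.x release carrying the fixes for CVE-2018-12022 / CVE-2018-12023.
MIN_SAFE = (2, 9, 6)

# One Maven coordinate as dependency:tree prints it, e.g.
#   [INFO] +- com.fasterxml.jackson.core:jackson-databind:jar:2.9.5:compile
# The optional classifier covers coordinates such as ...:jar:tests:2.9.5:test
COORD = re.compile(
    r"(?P<group>com\.fasterxml\.jackson[\w.]*):(?P<artifact>[\w-]+):(?P<type>[\w-]+):"
    r"(?:(?P<classifier>[\w-]+):)?(?P<version>[\w.-]+):(?P<scope>\w+)"
)


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.9.5' or '2.9.6-SNAPSHOT' into a (major, minor, patch) tuple.

    A qualifier after '-' is dropped; missing or non-numeric parts become 0,
    so '2.9' compares as (2, 9, 0).
    """
    core = v.split("-", 1)[0]
    parts = [int(p) if p.isdigit() else 0 for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def vulnerable_jackson(tree_output: str, minimum=MIN_SAFE) -> List[Tuple[str, str]]:
    """Return (artifact, version) for every resolved Jackson coordinate below `minimum`.

    Entries dependency:tree marks as 'omitted for conflict' / 'omitted for duplicate'
    are skipped: Maven does not put those on the classpath, only the winning version.
    """
    findings = []
    for line in tree_output.splitlines():
        if "omitted for" in line:
            continue
        m = COORD.search(line)
        if m and parse_version(m.group("version")) < minimum:
            findings.append((m.group("artifact"), m.group("version")))
    return findings


# Constructed sample: Dropwizard already resolves 2.9.6, but a legacy client
# library drags in an older Jackson module. The conflicting 2.9.5 databind
# under the test dependency is omitted by Maven and must not be reported.
SAMPLE_TREE = r"""
[INFO] --- maven-dependency-plugin:3.1.1:tree (default-cli) @ example-app ---
[INFO] com.example:example-app:jar:1.0.0
[INFO] +- io.dropwizard:dropwizard-core:jar:1.3.5:compile
[INFO] |  +- io.dropwizard:dropwizard-jackson:jar:1.3.5:compile
[INFO] |  |  +- com.fasterxml.jackson.core:jackson-core:jar:2.9.6:compile
[INFO] |  |  +- com.fasterxml.jackson.core:jackson-databind:jar:2.9.6:compile
[INFO] |  |  \- com.fasterxml.jackson.datatype:jackson-datatype-jdk8:jar:2.9.6:compile
[INFO] +- com.example:legacy-client:jar:3.2.0:compile
[INFO] |  \- com.fasterxml.jackson.module:jackson-module-afterburner:jar:2.9.5:compile
[INFO] \- org.example:other:jar:1.0:test
[INFO]    \- (com.fasterxml.jackson.core:jackson-databind:jar:2.9.5:test - omitted for conflict with 2.9.6)
"""

if __name__ == "__main__":
    for artifact, version in vulnerable_jackson(SAMPLE_TREE):
        print(f"{artifact} {version} is below {'.'.join(map(str, MIN_SAFE))}")
```

Run it against real output by piping `mvn dependency:tree -Dverbose -Dincludes=com.fasterxml.jackson` into `vulnerable_jackson`; a non-empty result means the bump in the BOM is not the version the application actually loads, and the offending transitive dependency needs an explicit `dependencyManagement` override.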
jmoney8080 (Contributor) commented Jun 14, 2018

What is the process of porting this down into at least 1.3.x? Just cherry-pick into the 1.3.x branch and open another PR?

nickbabcock (Contributor) commented Jun 14, 2018

Good question, we've done it before where master represents the next patch release (e.g. 1.3.x), but I don't know if that is the plan -- @arteam will have to weigh in. Also the latest two releases (1.2.x and 1.3.x) have tended to receive CVE patches, but I can't confirm that this will be the case here.

joschi (Member) commented Jun 14, 2018

@jmoney8080 Yes, we'll cherry-pick the commit from master into release/1.3.x.

joschi approved these changes Jun 14, 2018

@joschi joschi merged commit 7d99e0f into dropwizard:master Jun 14, 2018

3 checks passed:

ci/circleci: Your tests passed on CircleCI!
continuous-integration/appveyor/pr: AppVeyor build succeeded
continuous-integration/travis-ci/pr: The Travis CI build passed

@joschi joschi self-assigned this Jun 14, 2018

@joschi joschi added the security label Jun 14, 2018

joschi added a commit that referenced this pull request Jun 14, 2018

Upgrade to Jackson 2.9.6 (#2393)
See https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.6

This includes fixes for CVE-2018-12022 and CVE-2018-12023.

Fixes #2392

(cherry picked from commit 7d99e0f)

joschi added a commit that referenced this pull request Jun 14, 2018

Upgrade to Jackson 2.9.6 (#2393)
See https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.6

This includes fixes for CVE-2018-12022 and CVE-2018-12023.

Fixes #2392

(cherry picked from commit 7d99e0f)

@jplock jplock added this to the 1.4.0 milestone Jun 15, 2018

@jplock jplock modified the milestones: 1.4.0, 2.0.0 Jun 22, 2018
