
Upgrade to official Jackson fix for preventing a DoS attack #2591

Merged
merged 1 commit into from Jan 5, 2019

5 participants
@arteam
Member

arteam commented Jan 5, 2019

Now Jackson automatically coerces very small and very big integers, so we can remove our custom deserializers introduced in #2511.

Upgrade to official Jackson fix for preventing a DoS attack
Now Jackson automatically coerces very small and very big integers,
so we can remove our custom deserializers.

@arteam arteam force-pushed the use-native-jackson-fix-for-parsing-big-numbers branch from 587895f to f675574 Jan 5, 2019

@jplock

jplock approved these changes Jan 5, 2019

@jplock jplock merged commit d48de96 into release/1.3.x Jan 5, 2019

5 checks passed

ci/circleci: Your tests passed on CircleCI!
continuous-integration/appveyor/branch: AppVeyor build succeeded
continuous-integration/appveyor/pr: AppVeyor build succeeded
continuous-integration/travis-ci/pr: The Travis CI build passed
continuous-integration/travis-ci/push: The Travis CI build passed

@jplock jplock deleted the use-native-jackson-fix-for-parsing-big-numbers branch Jan 5, 2019

@joschi joschi added this to the 1.3.9 milestone Feb 3, 2019

@wurstbrot


wurstbrot commented Feb 12, 2019

Hi @joschi, hi @arteam,

thank you for including #2620. I updated my version of dropwizard to 1.3.8, but I am still vulnerable (as the fix will come with this release). Due to the high criticality of the fixed vulnerabilities, a release should be addressed soon.
When will 1.3.9 be released?

Cheers,
Timo

@msymons

Contributor

msymons commented Feb 21, 2019

@joschi, per your advice in #2595 I have upgraded dropwizard to 1.3.x.

Now that I have done that, I am also very interested in knowing when 1.3.9 might be released.

I do have one question about 1.3.9. Will it use slf4j v1.7.26? This has been updated for the 2.0.0 branch via #2652. The reason why this matters is that v1.7.26 addresses CVE-2018-8088.

I see from #2578 that this is a false positive for dropwizard. However, using 1.7.25 does give threat warnings when projects that use dropwizard are analysed; it is far easier to just use 1.7.26.

(Should I log an issue/PR?)
