This is an automated email from the ASF dual-hosted git repository.
eolivelli pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/bookkeeper.git
The following commit(s) were added to refs/heads/master by this push:
new e4a2b54 [security] Upgrade jackson-databind to get rid of
CVE-2020-36518 (#3140)
e4a2b54 is described below
commit e4a2b54240d608763e8f9acd6ffb91740dfd3f10
Author: Nicolò Boschi <[email protected]>
AuthorDate: Sun Mar 27 14:37:16 2022 +0200
[security] Upgrade jackson-databind to get rid of CVE-2020-36518 (#3140)
* [security] Upgrade jackson-databind to get rid of CVE-2020-36518
---
bookkeeper-dist/src/main/resources/LICENSE-all.bin.txt | 2 +-
bookkeeper-dist/src/main/resources/LICENSE-bkctl.bin.txt | 2 +-
bookkeeper-dist/src/main/resources/LICENSE-server.bin.txt | 2 +-
build.gradle | 1 +
dependencies.gradle | 3 +++
pom.xml | 7 +++++++
6 files changed, 14 insertions(+), 3 deletions(-)
diff --git a/bookkeeper-dist/src/main/resources/LICENSE-all.bin.txt
b/bookkeeper-dist/src/main/resources/LICENSE-all.bin.txt
index 730a0b6..927ccbb 100644
--- a/bookkeeper-dist/src/main/resources/LICENSE-all.bin.txt
+++ b/bookkeeper-dist/src/main/resources/LICENSE-all.bin.txt
@@ -207,7 +207,7 @@ Apache Software License, Version 2.
- lib/com.fasterxml.jackson.core-jackson-annotations-2.13.2.jar [1]
- lib/com.fasterxml.jackson.core-jackson-core-2.13.2.jar [2]
-- lib/com.fasterxml.jackson.core-jackson-databind-2.13.2.jar [3]
+- lib/com.fasterxml.jackson.core-jackson-databind-2.13.2.1.jar [3]
- lib/com.google.guava-guava-31.0.1-jre.jar [4]
- lib/com.google.guava-failureaccess-1.0.1.jar [4]
-
lib/com.google.guava-listenablefuture-9999.0-empty-to-avoid-conflict-with-guava.jar
[4]
diff --git a/bookkeeper-dist/src/main/resources/LICENSE-bkctl.bin.txt
b/bookkeeper-dist/src/main/resources/LICENSE-bkctl.bin.txt
index ba06c3b..45e7c1a 100644
--- a/bookkeeper-dist/src/main/resources/LICENSE-bkctl.bin.txt
+++ b/bookkeeper-dist/src/main/resources/LICENSE-bkctl.bin.txt
@@ -207,7 +207,7 @@ Apache Software License, Version 2.
- lib/com.fasterxml.jackson.core-jackson-annotations-2.13.2.jar [1]
- lib/com.fasterxml.jackson.core-jackson-core-2.13.2.jar [2]
-- lib/com.fasterxml.jackson.core-jackson-databind-2.13.2.jar [3]
+- lib/com.fasterxml.jackson.core-jackson-databind-2.13.2.1.jar [3]
- lib/com.google.guava-guava-31.0.1-jre.jar [4]
- lib/com.google.guava-failureaccess-1.0.1.jar [4]
-
lib/com.google.guava-listenablefuture-9999.0-empty-to-avoid-conflict-with-guava.jar
[4]
diff --git a/bookkeeper-dist/src/main/resources/LICENSE-server.bin.txt
b/bookkeeper-dist/src/main/resources/LICENSE-server.bin.txt
index 751d6c8..4abfbc2 100644
--- a/bookkeeper-dist/src/main/resources/LICENSE-server.bin.txt
+++ b/bookkeeper-dist/src/main/resources/LICENSE-server.bin.txt
@@ -207,7 +207,7 @@ Apache Software License, Version 2.
- lib/com.fasterxml.jackson.core-jackson-annotations-2.13.2.jar [1]
- lib/com.fasterxml.jackson.core-jackson-core-2.13.2.jar [2]
-- lib/com.fasterxml.jackson.core-jackson-databind-2.13.2.jar [3]
+- lib/com.fasterxml.jackson.core-jackson-databind-2.13.2.1.jar [3]
- lib/com.google.guava-guava-31.0.1-jre.jar [4]
- lib/com.google.guava-failureaccess-1.0.1.jar [4]
-
lib/com.google.guava-listenablefuture-9999.0-empty-to-avoid-conflict-with-guava.jar
[4]
diff --git a/build.gradle b/build.gradle
index 86f1f39..e30c984 100644
--- a/build.gradle
+++ b/build.gradle
@@ -309,6 +309,7 @@ allprojects {
dependencies {
implementation(enforcedPlatform(depLibs.nettyBom))
testImplementation depLibs.log4jSlf4jImpl
+ implementation(enforcedPlatform(depLibs.jacksonBom))
}
dependencies {
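Review bot: The `implementation(enforcedPlatform(depLibs.jacksonBom))` line added on L74 has no comment saying why a Jackson BOM is now enforced on top of the `depVersions.jackson` coordinate already used for the individual Jackson artifacts, so the next maintainer who bumps `jackson` alone is likely to leave `jacksonBom` behind and silently reintroduce a databind/core skew. A one-line comment above it would record the intent: `// Enforce the Jackson BOM so jackson-databind (also when pulled transitively) resolves to the CVE-2020-36518 fix release; bump jacksonBom together with jackson`. The enclosing `allprojects` block starts before and continues after the hunk.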
diff --git a/dependencies.gradle b/dependencies.gradle
index b15a4ac..4b6837e 100644
--- a/dependencies.gradle
+++ b/dependencies.gradle
@@ -50,6 +50,8 @@ depVersions = [
hdrhistogram: "2.1.10",
httpclient: "4.5.13",
jackson: "2.13.2",
+ jacksonBom: "2.13.2.20220324",
+ jacksonDatabind: "2.13.2.1",
javaxServlet: "4.0.0",
javaAnnotations:"1.3.2",
jcommander: "1.78",
@@ -151,6 +153,7 @@ depLibs = [
},
jacksonAnnotations:
"com.fasterxml.jackson.core:jackson-annotations:${depVersions.jackson}",
javaAnnotations:
"javax.annotation:javax.annotation-api:${depVersions.javaAnnotations}",
+ jacksonBom: "com.fasterxml.jackson:jackson-bom:${depVersions.jacksonBom}",
jacksonCore:
"com.fasterxml.jackson.core:jackson-core:${depVersions.jackson}",
jacksonDatabind:
"com.fasterxml.jackson.core:jackson-databind:${depVersions.jackson}",
javaxServlet:
"javax.servlet:javax.servlet-api:${depVersions.javaxServlet}",
diff --git a/pom.xml b/pom.xml
index 654a387..7a01a6f 100644
--- a/pom.xml
+++ b/pom.xml
@@ -137,6 +137,7 @@
<hamcrest.version>1.3</hamcrest.version>
<hdrhistogram.version>2.1.10</hdrhistogram.version>
<jackson.version>2.13.2</jackson.version>
+ <jackson-databind.version>2.13.2.1</jackson-databind.version>
<jcommander.version>1.78</jcommander.version>
<jetty.version>9.4.43.v20210629</jetty.version>
<jmh.version>1.19</jmh.version>
@@ -349,6 +350,12 @@
<type>pom</type>
<scope>import</scope>
</dependency>
+
+ <dependency>
+ <groupId>com.fasterxml.jackson.core</groupId>
+ <artifactId>jackson-databind</artifactId>
+ <version>${jackson-databind.version}</version>
+ </dependency>
<dependency>
<groupId>javax.servlet</groupId>
<artifactId>javax.servlet-api</artifactId>
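Review bot: The added `jackson-databind` entry pins the patched version through a standalone `${jackson-databind.version}` property, while the Gradle side of this same commit enforces `com.fasterxml.jackson:jackson-bom:2.13.2.20220324`; two mechanisms for one fix can drift apart on the next bump. Importing the same jackson-bom in this `<dependencyManagement>` section (it appears a BOM import already sits just above, in the `<type>pom</type>`/`<scope>import</scope>` lines) would keep the two builds aligned, and a comment on the new entry should record why databind diverges from `${jackson.version}`: `<!-- jackson-databind is patched independently of jackson.version: 2.13.2.1 addresses CVE-2020-36518 -->`. The `<dependencyManagement>` block starts before and ends after the hunk.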