This is an automated email from the ASF dual-hosted git repository.

abhishek pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/druid.git


The following commit(s) were added to refs/heads/master by this push:
     new 7467d2c00d5 Upgrade Jackson and Google GSON to address CVEs (#15461)
7467d2c00d5 is described below

commit 7467d2c00d56793a03844252e43aaf5b631856b9
Author: Keerthana Srikanth <[email protected]>
AuthorDate: Thu Nov 30 15:31:26 2023 +0530

    Upgrade Jackson and Google GSON to address CVEs (#15461)
    
    Upgrade Jackson to version 2.12.7.1 to address CVE-2022-42003 and
CVE-2022-42004, which affect jackson-databind.
    Upgrade com.google.code.gson:gson from 2.2.4 to the latest version (2.10.1) 
since 2.2.4 is affected by CVE-2022-25647.
---
 licenses.yaml                           |  4 ++--
 owasp-dependency-check-suppressions.xml | 16 ----------------
 pom.xml                                 |  4 ++--
 3 files changed, 4 insertions(+), 20 deletions(-)

diff --git a/licenses.yaml b/licenses.yaml
index ea5c8ede0ee..6724c28add7 100644
--- a/licenses.yaml
+++ b/licenses.yaml
@@ -289,7 +289,7 @@ name: Jackson
 license_category: binary
 module: java-core
 license_name: Apache License version 2.0
-version: 2.12.7
+version: 2.12.7.1
 libraries:
   - com.fasterxml.jackson.core: jackson-databind
 notice: |
@@ -2500,7 +2500,7 @@ name: Gson
 license_category: binary
 module: hadoop-client
 license_name: Apache License version 2.0
-version: 2.2.4
+version: 2.10.1
 libraries:
   - com.google.code.gson: gson
 
diff --git a/owasp-dependency-check-suppressions.xml 
b/owasp-dependency-check-suppressions.xml
index ab0f57c05b0..b4be731ec05 100644
--- a/owasp-dependency-check-suppressions.xml
+++ b/owasp-dependency-check-suppressions.xml
@@ -71,22 +71,6 @@
     <cve>CVE-2022-45688</cve>
   </suppress>
 
-  <suppress>
-    <!--
-      the suppressions here aren't currently applicable, but can be resolved 
once we update the version
-      -->
-    <notes><![CDATA[
-   file name: jackson-databind-2.10.5.1.jar
-   ]]></notes>
-    <packageUrl 
regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@.*$</packageUrl>
-    <!-- CVE-2022-42003 and CVE-2022-42004 are related to 
UNWRAP_SINGLE_VALUE_ARRAYS which we do not use
-    https://nvd.nist.gov/vuln/detail/CVE-2022-42003
-    https://nvd.nist.gov/vuln/detail/CVE-2022-42004
-     -->
-    <cve>CVE-2022-42003</cve>
-    <cve>CVE-2022-42004</cve>
-  </suppress>
-
   <suppress>
     <!-- Pulled in by io.kubernetes:client-java and kafka_2.13 but not fixed 
in either place yet -->
     <!-- jose4j before v0.9.3 allows attackers to set a low iteration count of 
1000 or less -->
diff --git a/pom.xml b/pom.xml
index 652011e3897..a62d44a4584 100644
--- a/pom.xml
+++ b/pom.xml
@@ -78,7 +78,7 @@
         <apache.curator.version>5.5.0</apache.curator.version>
         <apache.kafka.version>3.6.0</apache.kafka.version>
         <apache.ranger.version>2.4.0</apache.ranger.version>
-        <apache.ranger.gson.version>2.2.4</apache.ranger.gson.version>
+        <apache.ranger.gson.version>2.10.1</apache.ranger.gson.version>
         <scala.library.version>2.13.11</scala.library.version>
         <avatica.version>1.23.0</avatica.version>
         <avro.version>1.11.3</avro.version>
@@ -98,7 +98,7 @@
         <hamcrest.version>1.3</hamcrest.version>
         <jetty.version>9.4.53.v20231009</jetty.version>
         <jersey.version>1.19.4</jersey.version>
-        <jackson.version>2.12.7</jackson.version>
+        <jackson.version>2.12.7.20221012</jackson.version>
         <codehaus.jackson.version>1.9.13</codehaus.jackson.version>
         <log4j.version>2.18.0</log4j.version>
         <mysql.version>5.1.49</mysql.version>
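Review bot: The new `jackson.version` value `2.12.7.20221012` does not match the `2.12.7.1` stated in the commit message and written into licenses.yaml, and the hunk does not show how the property is consumed. `2.12.7.20221012` looks like the jackson-bom micro-release that pins jackson-databind to 2.12.7.1 while leaving the other modules at 2.12.7; if so, the CVE-2022-42003/CVE-2022-42004 fix is only delivered when the property feeds a BOM import, and applying it directly to jackson-core or jackson-annotations coordinates would fail to resolve. Suggest annotating the property, e.g. `<!-- jackson-bom 2.12.7.20221012 pins jackson-databind 2.12.7.1 (CVE-2022-42003/-42004); other Jackson modules remain at 2.12.7 -->`, and confirming with `mvn dependency:tree` that jackson-databind 2.12.7.1 is what actually resolves, since the removed OWASP suppression referred to a separately pulled-in jackson-databind-2.10.5.1.jar.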

