[pulsar] branch branch-2.9 updated: [fix][sec] Upgrade jackson-databind to 2.13.4.2 to get rid of CVE-2022-42003 (#18394)

Thu, 10 Nov 2022 08:25:45 -0800 

This is an automated email from the ASF dual-hosted git repository.

nicoloboschi pushed a commit to branch branch-2.9
in repository https://gitbox.apache.org/repos/asf/pulsar.git


The following commit(s) were added to refs/heads/branch-2.9 by this push:
     new e12642afb85 [fix][sec] Upgrade jackson-databind to 2.13.4.2 to get rid 
of CVE-2022-42003 (#18394)
e12642afb85 is described below

commit e12642afb8560ffcdfe2ccba942ea87730c18232
Author: Nicolò Boschi <[email protected]>
AuthorDate: Thu Nov 10 16:53:42 2022 +0100

    [fix][sec] Upgrade jackson-databind to 2.13.4.2 to get rid of 
CVE-2022-42003 (#18394)
    
    * [fix][sec] Upgrade jackson-databind to 2.13.4.2 to get rid of 
CVE-2022-42003
    
    * Fix IO jackson dependencies
    
    * Fix IO http
    
    * revert unrelated change
    
    (cherry picked from commit da64346de46638aadcaec43fe530dfe9e8a97141)
    (cherry picked from commit 5da0d4b0b07826310934d2ba845165e3c899bda0)
---
 distribution/server/src/assemble/LICENSE.bin.txt | 2 +-
 pom.xml                                          | 2 +-
 pulsar-io/dynamodb/pom.xml                       | 1 -
 pulsar-io/kinesis/pom.xml                        | 1 -
 pulsar-sql/presto-distribution/LICENSE           | 2 +-
 pulsar-sql/presto-distribution/pom.xml           | 4 ----
 6 files changed, 3 insertions(+), 9 deletions(-)

diff --git a/distribution/server/src/assemble/LICENSE.bin.txt 
b/distribution/server/src/assemble/LICENSE.bin.txt
index 5296c800283..47ace433318 100644
--- a/distribution/server/src/assemble/LICENSE.bin.txt
+++ b/distribution/server/src/assemble/LICENSE.bin.txt
@@ -314,7 +314,7 @@ The Apache Software License, Version 2.0
  * Jackson
      - com.fasterxml.jackson.core-jackson-annotations-2.13.4.jar
      - com.fasterxml.jackson.core-jackson-core-2.13.4.jar
-     - com.fasterxml.jackson.core-jackson-databind-2.13.4.jar
+     - com.fasterxml.jackson.core-jackson-databind-2.13.4.2.jar
      - com.fasterxml.jackson.dataformat-jackson-dataformat-yaml-2.13.4.jar
      - com.fasterxml.jackson.jaxrs-jackson-jaxrs-base-2.13.4.jar
      - com.fasterxml.jackson.jaxrs-jackson-jaxrs-json-provider-2.13.4.jar
diff --git a/pom.xml b/pom.xml
index f082a5e88eb..934987b09e5 100644
--- a/pom.xml
+++ b/pom.xml
@@ -123,7 +123,7 @@ flexible messaging model and an intuitive client 
API.</description>
     <log4j2.version>2.18.0</log4j2.version>
     <bouncycastle.version>1.69</bouncycastle.version>
     <bouncycastlefips.version>1.0.2</bouncycastlefips.version>
-    <jackson.version>2.13.4</jackson.version>
+    <jackson.version>2.13.4.20221013</jackson.version>
     <reflections.version>0.9.11</reflections.version>
     <swagger.version>1.6.2</swagger.version>
     <puppycrawl.checkstyle.version>8.37</puppycrawl.checkstyle.version>
diff --git a/pulsar-io/dynamodb/pom.xml b/pulsar-io/dynamodb/pom.xml
index 67d4450ff27..6aa21201c01 100644
--- a/pulsar-io/dynamodb/pom.xml
+++ b/pulsar-io/dynamodb/pom.xml
@@ -70,7 +70,6 @@
     <dependency>
       <groupId>com.fasterxml.jackson.dataformat</groupId>
       <artifactId>jackson-dataformat-cbor</artifactId>
-      <version>${jackson.version}</version>
     </dependency>
 
     <dependency>
diff --git a/pulsar-io/kinesis/pom.xml b/pulsar-io/kinesis/pom.xml
index c2d4048c6ed..9aabc61f9f2 100644
--- a/pulsar-io/kinesis/pom.xml
+++ b/pulsar-io/kinesis/pom.xml
@@ -75,7 +75,6 @@
     <dependency>
       <groupId>com.fasterxml.jackson.dataformat</groupId>
       <artifactId>jackson-dataformat-cbor</artifactId>
-      <version>${jackson.version}</version>
     </dependency>
 
     <dependency>
diff --git a/pulsar-sql/presto-distribution/LICENSE 
b/pulsar-sql/presto-distribution/LICENSE
index 39ff98aff3b..bf6157dcc76 100644
--- a/pulsar-sql/presto-distribution/LICENSE
+++ b/pulsar-sql/presto-distribution/LICENSE
@@ -209,7 +209,7 @@ The Apache Software License, Version 2.0
   * Jackson
     - jackson-annotations-2.13.4.jar
     - jackson-core-2.13.4.jar
-    - jackson-databind-2.13.4.jar
+    - jackson-databind-2.13.4.2.jar
     - jackson-dataformat-smile-2.13.4.jar
     - jackson-datatype-guava-2.13.4.jar
     - jackson-datatype-jdk8-2.13.4.jar
diff --git a/pulsar-sql/presto-distribution/pom.xml 
b/pulsar-sql/presto-distribution/pom.xml
index b1b3d4281d4..fb48bdfe372 100644
--- a/pulsar-sql/presto-distribution/pom.xml
+++ b/pulsar-sql/presto-distribution/pom.xml
@@ -38,10 +38,6 @@
     <airlift.version>0.170</airlift.version>
     <objenesis.version>2.6</objenesis.version>
     <objectsize.version>0.0.12</objectsize.version>
-    <jackson.version>2.13.2</jackson.version>
-    <!--fix Security Vulnerabilities-->
-    
<!--https://www.cvedetails.com/vulnerability-list/vendor_id-15866/product_id-42991/Fasterxml-Jackson-databind.html-->
-    <jackson.databind.version>2.13.2.1</jackson.databind.version>
     <maven.version>3.0.5</maven.version>
     <guava.version>30.1-jre</guava.version>
     <asynchttpclient.version>2.12.1</asynchttpclient.version>

Reply via email to