[ https://issues.apache.org/jira/browse/QPID-8136?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Keith Wall updated QPID-8136:
-----------------------------
    Status: Reviewable  (was: In Progress)

> [Broker-J] Upgrade Jackson dependencies
> ---------------------------------------
>
>                 Key: QPID-8136
>                 URL: https://issues.apache.org/jira/browse/QPID-8136
>             Project: Qpid
>          Issue Type: Improvement
>          Components: Broker-J
>            Reporter: Keith Wall
>            Assignee: Keith Wall
>            Priority: Major
>             Fix For: qpid-java-broker-7.1.0, qpid-java-6.1.6, qpid-java-broker-7.0.3
>
>
> CVE-2017-7525 was recently published against the Jackson-databind component.
> Broker-J uses the library for the purposes of the persistence of
> configuration and interpreting the payloads of some network requests.
>
> Whilst Apache Qpid Broker-J distributions include a version of
> jackson-databind that is affected by the vulnerability, it is believed
> that the Apache Qpid Broker-J product itself is *NOT AFFECTED* by this
> vulnerability. This is because Broker-J code never enables Jackson's
> polymorphic deserialisation features: specifically it never makes calls to
> Object#enableDefaultTyping(...) nor does it use
> TypeResolverBuilders or annotations that enable the feature.
>
> Even though it is believed the vulnerability cannot be exploited, this Jira
> will upgrade the dependencies of Broker-J to versions of the Jackson-databind
> that are not vulnerable to this issue:
>
> For:
> * master (upgrade from 2.8.7 to 2.9.4)
> * 7.0.x (upgrade from 2.8.7 to 2.8.11)
> * 6.1.x (upgrade from 2.8.7 to 2.8.11)
>
> There is no release planned for 6.0.x. Users are recommended to move to the
> 7.0 line.
>
> Also see:
> http://mail-archives.apache.org/mod_mbox/qpid-users/201803.mbox/%3cCAFEMS4tdrS_=st85j+-xqfm8nc3avx4x0ay10jqmpynmdly...@mail.gmail.com%3e

--
This message was sent by Atlassian JIRA (v7.6.3#76005)
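The "not affected" assessment above rests on a source audit. The sketch below is an added example, not part of the Jira issue or of Broker-J's code: it scans Java source text for the three enabling mechanisms the issue names. Taking "annotations that enable the feature" to mean `@JsonTypeInfo` with a class-name id is an assumption, and the sample sources are constructed.

```python
import re

# The three ways the issue says polymorphic deserialisation gets switched on.
PATTERNS = {
    "default-typing call": re.compile(r"\.\s*enableDefaultTyping\s*\("),
    "TypeResolverBuilder use": re.compile(r"\b\w*TypeResolverBuilder\b"),
    # Assumption: the annotation form is @JsonTypeInfo with a class-name id.
    "class-name @JsonTypeInfo": re.compile(
        r"@JsonTypeInfo\s*\([^)]*\buse\s*=\s*"
        r"(?:JsonTypeInfo\.)?(?:Id\.)?(?:CLASS|MINIMAL_CLASS)\b"),
}

# String/char literals are matched first so "//" inside a URL string is not
# mistaken for a comment; every match is then blanked, keeping newlines.
_NOISE = re.compile(
    r'"(?:\\.|[^"\\\n])*"|\'(?:\\.|[^\'\\\n])\'|//[^\n]*|/\*.*?\*/', re.S)

def strip_noise(src):
    """Blank comments and literals so mentions in docs are not reported."""
    return _NOISE.sub(lambda m: re.sub(r"[^\n]", " ", m.group(0)), src)

def audit(sources):
    """sources: {path: java_text}. Returns sorted (path, line, finding)."""
    findings = []
    for path, text in sources.items():
        clean = strip_noise(text)
        for label, rx in PATTERNS.items():
            for m in rx.finditer(clean):
                line = clean.count("\n", 0, m.start()) + 1
                findings.append((path, line, label))
    return sorted(findings)

# Constructed sample input: one file that only mentions the API in a comment
# and a string, one that really enables polymorphic typing in two ways.
SAMPLE = {
    "SafeStore.java": (
        "// never call mapper.enableDefaultTyping() here\n"
        "ObjectMapper mapper = new ObjectMapper();\n"
        'String doc = "mapper.enableDefaultTyping() is unsafe";\n'
        "Map<String, Object> cfg = mapper.readValue(json, Map.class);\n"),
    "RiskyStore.java": (
        "ObjectMapper mapper = new ObjectMapper();\n"
        "mapper.enableDefaultTyping();\n"
        "@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS,\n"
        '              property = "@class")\n'
        "abstract class Payload {}\n"),
}

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("%s:%d: %s" % finding)
```

An empty result over first-party code supports the assessment only for that code; third-party libraries that configure their own mappers need the same check.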