[jira] [Updated] (QPID-8136) [Broker-J] Upgrade Jackson dependencies

Tue, 20 Mar 2018 06:04:17 -0700 

     [ 
https://issues.apache.org/jira/browse/QPID-8136?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Keith Wall updated QPID-8136:
-----------------------------
    Status: Reviewable  (was: In Progress)

> [Broker-J] Upgrade Jackson dependencies
> ---------------------------------------
>
>                 Key: QPID-8136
>                 URL: https://issues.apache.org/jira/browse/QPID-8136
>             Project: Qpid
>          Issue Type: Improvement
>          Components: Broker-J
>            Reporter: Keith Wall
>            Assignee: Keith Wall
>            Priority: Major
>             Fix For: qpid-java-broker-7.1.0, qpid-java-6.1.6, 
> qpid-java-broker-7.0.3
>
>
> CVE-2017-7525 was recently published against the Jackson-databind component.  
>   Broker-J uses the library for the purposes of the persistence of 
> configuration and the interpreting the payloads of some network requests.   
> Whilst Apache Qpid Broker-J distributions include a version of 
> jackson-databind that is affected by the vulnerability, it is believed
>  that Apache Qpid Broker-J product itself is *NOT AFFECTED* by this 
> vulnerability.  This is because Broker-J code never enables Jackson's
>  polymorphic deserialisation features: specifically it never makes calls to 
> Object#enableDefaultTyping(...) nor does it use
>  TypeResolverBuilders or annotations that enable the feature.
> Even though it is believed the vulnerability cannot be exploited, this Jira 
> will upgrade the dependencies of Broker-J to versions of the Jackson-databind 
> that are not vulnerable to this issue:
> For:
>  * master (upgrade from 2.8.7 to 2.9.4)
>  * 7.0.x (upgrade from  2.8.7 to 2.8.11)
>  * 6.1.x (upgrade from 2.8.7 to 2.8.11)
> There is no release planned for 6.0.x.  Users are recommend to move to the 
> 7.0 line.
> Also see:
> http://mail-archives.apache.org/mod_mbox/qpid-users/201803.mbox/%3cCAFEMS4tdrS_=st85j+-xqfm8nc3avx4x0ay10jqmpynmdly...@mail.gmail.com%3e
>  



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@qpid.apache.org
For additional commands, e-mail: dev-h...@qpid.apache.org

Reply via email to