Alex Rudyy created QPID-8279:

             Summary: [Broker-J] Upgrade Jackson dependencies
                 Key: QPID-8279
             Project: Qpid
          Issue Type: Improvement
          Components: Broker-J
    Affects Versions: qpid-java-broker-7.0.6, qpid-java-broker-7.0.5, 
qpid-java-broker-7.0.4, qpid-java-broker-7.1.0, qpid-java-broker-7.0.1, 
qpid-java-broker-7.0.0, qpid-java-broker-7.0.2, qpid-java-broker-7.0.3
            Reporter: Alex Rudyy
             Fix For: qpid-java-broker-7.0.7, qpid-java-broker-8.0.0, 

The CVE vulnerabilities (CVE-2018-14721) have been reported against the jackson-databind library, affecting 2.x versions below 2.9.7.

Whilst Apache Qpid Broker-J distributions include a version of jackson-databind that is affected by the vulnerability, it is believed that the Apache Qpid Broker-J product itself is NOT AFFECTED by this vulnerability. This is because Broker-J code never enables Jackson's polymorphic deserialisation features: specifically, it never calls ObjectMapper#enableDefaultTyping(...), nor does it use TypeResolverBuilders or annotations that enable the feature.
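The distinction the ticket relies on can be checked directly. The following is an added example (not Broker-J code) assuming jackson-databind 2.9.x on the classpath: the same JSON document, which carries Jackson's "type id + value" wrapper-array form, is read once with a plain ObjectMapper as Broker-J uses it and once with default typing enabled; only the second configuration resolves the class name found in the input. java.util.HashMap is used as the named class purely because it is harmless.

```java
import com.fasterxml.jackson.databind.ObjectMapper;

public class DefaultTypingCheck {
    // Constructed sample input: Jackson's WRAPPER_ARRAY form, [type id, value].
    // The class name is chosen to be harmless; the point is whether the mapper
    // resolves a class named by the document at all.
    static final String TYPED_JSON = "[\"java.util.HashMap\", {\"key\": \"value\"}]";

    // How Broker-J uses Jackson per the ticket: a plain ObjectMapper with no
    // enableDefaultTyping, no TypeResolverBuilder and no @JsonTypeInfo.
    // The type id is treated as an ordinary string element; the result is a
    // java.util.ArrayList holding [String, LinkedHashMap].
    static Object readWithoutDefaultTyping() throws Exception {
        ObjectMapper mapper = new ObjectMapper();
        return mapper.readValue(TYPED_JSON, Object.class);
    }

    // The precondition the jackson-databind CVEs require: default typing on,
    // so a declared target of Object.class makes the mapper instantiate the
    // class named in the input (here: a java.util.HashMap). Shown only to
    // contrast behaviour; this is the setting to look for in a code audit.
    @SuppressWarnings("deprecation")
    static Object readWithDefaultTyping() throws Exception {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(); // DefaultTyping.OBJECT_AND_NON_CONCRETE
        return mapper.readValue(TYPED_JSON, Object.class);
    }

    public static void main(String[] args) throws Exception {
        Object plain = readWithoutDefaultTyping();
        System.out.println("default typing off -> "
                + plain.getClass().getName() + " " + plain);

        Object typed = readWithDefaultTyping();
        System.out.println("default typing on  -> "
                + typed.getClass().getName() + " " + typed);
    }
}
```

Grepping a code base for enableDefaultTyping, setDefaultTyping and @JsonTypeInfo is the same check applied statically. Where polymorphic typing is genuinely needed, jackson-databind 2.10 and later replace enableDefaultTyping with activateDefaultTyping(PolymorphicTypeValidator, ...), which restricts resolvable subtypes to an explicit allow-list.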

Though Apache Qpid Broker-J is not affected by the vulnerabilities, this JIRA will upgrade the jackson-databind dependencies of Broker-J to versions that are not vulnerable:
 * master (upgrade from 2.9.5 to 2.9.8)
 * 7.1.x (upgrade from 2.9.5 to 2.9.8)
 * 7.0.x (upgrade from to

Please note that no upgrade of the jackson-databind dependencies will be done for the 6.0.x and 6.1.x versions. The 6.0.x and 6.1.x brokers can be upgraded to 7.1.x.

This message was sent by Atlassian JIRA