Alex Rudyy created QPID-8329:
--------------------------------
Summary: [Broker-J] Upgrade jackson dependencies to version 2.9.9
Key: QPID-8329
URL: https://issues.apache.org/jira/browse/QPID-8329
Project: Qpid
Issue Type: Improvement
Components: Broker-J
Reporter: Alex Rudyy
Fix For: qpid-java-broker-8.0.0
The CVE vulnerabilities CVE-2019-12086, CVE-2019-12384, CVE-2019-12814
have been reported against jackson-core and jackson-databind versions 2.9.8.
The Apache Qpid Broker-J product itself is NOT AFFECTED by these
vulnerabilities because Broker-J code never enables Jackson's
polymorphic deserialisation feature; specifically, it never makes calls to
ObjectMapper#enableDefaultTyping(...), nor does it use TypeResolverBuilders or
annotations that enable the feature.
Even though it is believed the vulnerability cannot be exploited, this Jira
will upgrade the dependencies of Broker-J to versions of jackson-core and
jackson-databind that are not vulnerable to the reported CVEs:
* jackson-core 2.9.9
* jackson-databind 2.9.9.1
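As an added illustration, not code from this ticket or from Broker-J itself: a small Java guard (hypothetical class DefaultTypingGuard) that checks the condition the ticket relies on, namely that an ObjectMapper has no default typing configured, so a unit test can fail fast if anyone later enables it. It assumes jackson-databind 2.9.x on the classpath.

```java
import com.fasterxml.jackson.databind.JavaType;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.TypeResolverBuilder;

/** Hypothetical guard: refuses an ObjectMapper that has Jackson default typing switched on. */
public final class DefaultTypingGuard {

    /**
     * True when a default TypeResolverBuilder is registered on the mapper, which is
     * what enableDefaultTyping(...) (and, in 2.10+, activateDefaultTyping(...)) does.
     * A freshly constructed ObjectMapper has none, so this returns false for it.
     */
    public static boolean defaultTypingEnabled(ObjectMapper mapper) {
        JavaType objectType = mapper.getTypeFactory().constructType(Object.class);
        TypeResolverBuilder<?> typer =
                mapper.getDeserializationConfig().getDefaultTyper(objectType);
        return typer != null;
    }

    /** Returns the mapper unchanged, or throws if it would honour type hints from untrusted JSON. */
    public static ObjectMapper requireNoDefaultTyping(ObjectMapper mapper) {
        if (defaultTypingEnabled(mapper)) {
            throw new IllegalStateException(
                    "ObjectMapper has default typing enabled; do not use it on untrusted input");
        }
        return mapper;
    }

    public static void main(String[] args) throws Exception {
        // Mapper configured the way the ticket describes: no default typing at all.
        ObjectMapper safe = requireNoDefaultTyping(new ObjectMapper());
        // Binding to a concrete class; constructed sample input, no type hints are consulted.
        String sampleJson = "{\"name\":\"queue-1\",\"maximumMessageTtl\":60000}";
        QueueSettings settings = safe.readValue(sampleJson, QueueSettings.class);
        System.out.println("parsed " + settings.name + " ttl=" + settings.maximumMessageTtl);

        // The call the ticket says Broker-J never makes; the guard rejects such a mapper.
        ObjectMapper risky = new ObjectMapper();
        risky.enableDefaultTyping();
        try {
            requireNoDefaultTyping(risky);
        } catch (IllegalStateException rejected) {
            System.out.println("guard rejected the mapper: " + rejected.getMessage());
        }
    }

    /** Constructed example target type; Jackson binds by field name, not by a "@class" hint. */
    public static final class QueueSettings {
        public String name;
        public long maximumMessageTtl;
    }
}
```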
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)