[ https://issues.apache.org/jira/browse/QPID-8329?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Alex Rudyy resolved QPID-8329.
------------------------------
    Resolution: Fixed

> [Broker-J] Upgrade jackson dependencies to version 2.9.9
> --------------------------------------------------------
>
>                 Key: QPID-8329
>                 URL: https://issues.apache.org/jira/browse/QPID-8329
>             Project: Qpid
>          Issue Type: Improvement
>          Components: Broker-J
>            Reporter: Alex Rudyy
>            Assignee: Alex Rudyy
>            Priority: Major
>
> The CVE vulnerabilities CVE-2019-12086, CVE-2019-12384, CVE-2019-12814
> have been reported against jackson-core and jackson-databind versions 2.9.8.
> The Apache Qpid Broker-J product itself is NOT AFFECTED by these
> vulnerabilities because Broker-J code never enables Jackson's
> polymorphic deserialisation feature, specifically it never makes calls to
> ObjectMapper#enableDefaultTyping(...) nor does it use TypeResolverBuilders or
> annotations that enable the feature.
> Even though it is believed the vulnerability cannot be exploited, this Jira
> will upgrade the dependencies of Broker-J to versions of the jackson-core and
> jackson-databind that are not vulnerable to reported CVEs:
> * jackson-core 2.9.9
> * jackson-databind 2.9.9.1
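
The "NOT AFFECTED" reasoning in the description can be checked against a source tree. The following is an added example, not part of the Jira message or of Broker-J: a Python scan of Java sources for the switches the description names. The `@JsonTypeInfo` class-id pattern is an assumption about which annotations are meant, and the function names and sample sources are constructed for illustration.

```python
import re
from pathlib import Path

# Ways Jackson polymorphic deserialisation gets switched on. The first two are
# named in the issue text; the @JsonTypeInfo pattern is an assumption about
# which annotations the description means.
PATTERNS = {
    "enableDefaultTyping": re.compile(r"\.\s*enableDefaultTyping\s*\("),
    "TypeResolverBuilder": re.compile(r"\bTypeResolverBuilder\b"),
    "JsonTypeInfo class id": re.compile(
        r"@JsonTypeInfo\s*\([^)]*\buse\s*=\s*(?:JsonTypeInfo\.)?Id\.(?:MINIMAL_)?CLASS\b"),
}
COMMENT = re.compile(r"/\*.*?\*/|//[^\n]*", re.S)

def strip_comments(source):
    # Blank comments out but keep newlines so reported line numbers stay right.
    # Naive: a "//" inside a string literal also blanks the rest of that line.
    return COMMENT.sub(lambda m: re.sub(r"[^\n]", " ", m.group()), source)

def scan_source(name, source):
    """Return sorted (file, line, indicator) tuples for one Java source text."""
    code = strip_comments(source)
    return sorted((name, code.count("\n", 0, m.start()) + 1, label)
                  for label, pattern in PATTERNS.items()
                  for m in pattern.finditer(code))

def scan_tree(root):
    """Scan every *.java file under root (hypothetical helper for real trees)."""
    hits = []
    for path in sorted(Path(root).rglob("*.java")):
        hits += scan_source(str(path), path.read_text(encoding="utf-8", errors="replace"))
    return hits

# Constructed sample sources, not taken from Broker-J.
SAMPLE_SAFE = """\
class Reader {
    // mapper.enableDefaultTyping() is deliberately never called
    Object read(String json) throws Exception { return new ObjectMapper().readValue(json, Map.class); }
}
"""
SAMPLE_RISKY = """\
class Reader {
    ObjectMapper mapper = new ObjectMapper();
    Reader() { mapper.enableDefaultTyping(); }
    @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS)
    Object payload;
}
"""
if __name__ == "__main__":
    print(scan_source("Risky.java", SAMPLE_RISKY))
```

An empty result from `scan_tree` supports the claim only for the scanned sources; typing enabled by a third-party library or through configuration would not show up in this scan.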