[ https://issues.apache.org/jira/browse/QPID-8329?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Alex Rudyy resolved QPID-8329.
------------------------------
    Resolution: Fixed

> [Broker-J] Upgrade jackson dependencies to version 2.9.9
> --------------------------------------------------------
>
>                 Key: QPID-8329
>                 URL: https://issues.apache.org/jira/browse/QPID-8329
>             Project: Qpid
>          Issue Type: Improvement
>          Components: Broker-J
>            Reporter: Alex Rudyy
>            Assignee: Alex Rudyy
>            Priority: Major
>
> The CVE vulnerabilities CVE-2019-12086, CVE-2019-12384, CVE-2019-12814
> have been reported against jackson-core and jackson-databind versions 2.9.8.
> The Apache Qpid Broker-J product itself is NOT AFFECTED by these 
> vulnerabilities because Broker-J code never enables Jackson's
> polymorphic deserialisation feature, specifically it never makes calls to 
> ObjectMapper#enableDefaultTyping(...) nor does it use TypeResolverBuilders or 
> annotations that enable the feature.
> Even though it is believed the vulnerability cannot be exploited, this Jira
> will upgrade the dependencies of Broker-J to versions of the jackson-core and
> jackson-databind that are not vulnerable to reported CVEs:
> * jackson-core 2.9.9
> * jackson-databind 2.9.9.1
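
One way to audit a Java source tree for the enablers the issue names (enableDefaultTyping calls, TypeResolverBuilders, typing annotations), as an added example that is not Broker-J or Jackson code. The function names, the choice of `@JsonTypeInfo` with class-name ids as the annotation to flag, and the Java samples are assumptions constructed here; matching is a regex heuristic, not a Java parser.

```python
import re
from pathlib import Path

# Constructs the issue names as the ways polymorphic deserialisation is enabled.
PATTERNS = {
    "enableDefaultTyping call": re.compile(r"\.enableDefaultTyping\s*\("),
    "TypeResolverBuilder use": re.compile(r"\bTypeResolverBuilder\b"),
    "@JsonTypeInfo with class id": re.compile(  # assumption: class-name ids only
        r"@JsonTypeInfo\s*\([^)]*\buse\s*=\s*(?:JsonTypeInfo\.)?Id\.(?:CLASS|MINIMAL_CLASS)\b"),
}
# String literals, block comments, line comments (heuristic tokenisation).
_NOISE = re.compile(r'"(?:\\.|[^"\\\n])*"|/\*.*?\*/|//[^\n]*', re.S)

def strip_noise(src):
    """Blank strings and comments, keeping newlines so line numbers stay valid."""
    def repl(m):
        tok = m.group(0)
        return '""' if tok.startswith('"') else "\n" * tok.count("\n")
    return _NOISE.sub(repl, src)

def scan_source(src):
    """Return sorted (line, label) findings for one Java source text."""
    clean = strip_noise(src)
    return sorted((clean.count("\n", 0, m.start()) + 1, label)
                  for label, rx in PATTERNS.items() for m in rx.finditer(clean))

def scan_tree(root):
    """Map each .java file under root that has findings to those findings."""
    out = {}
    for path in Path(root).rglob("*.java"):
        hits = scan_source(path.read_text(encoding="utf-8", errors="replace"))
        if hits:
            out[str(path)] = hits
    return out

# Constructed Java inputs: mentions in comments/strings must not be reported.
SAMPLE_SAFE = '''class Safe {
    // mapper.enableDefaultTyping(); is never called
    String doc = "see ObjectMapper.enableDefaultTyping() docs";
    ObjectMapper m = new ObjectMapper();
}'''
SAMPLE_RISKY = '''class Risky {
    @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS,
                  property = "@class")
    Object payload;
    ObjectMapper m = new ObjectMapper().enableDefaultTyping();
}'''
if __name__ == "__main__":
    for name, src in (("safe", SAMPLE_SAFE), ("risky", SAMPLE_RISKY)):
        print(name, scan_source(src))
```

An empty result from `scan_tree` over first-party sources supports a "not affected" statement like the one above, but it does not cover third-party libraries that configure their own ObjectMapper.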


