https://bz.apache.org/bugzilla/show_bug.cgi?id=63963

            Bug ID: 63963
           Summary: Please update dependency of jackson to 2.9.10.1
           Product: JMeter
           Version: 5.2.1
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Main
          Assignee: [email protected]
          Reporter: [email protected]
  Target Milestone: JMETER_5.2

As with the last similar tickets, the Jackson Databind lib contained some new
vulnerabilities that are fixed with an update from 2.9.10 to 2.9.10.1.
I'll prepare a pull request for that.

It's been running on our systems for some days by now without problems; "gradlew
check" passes too.

Fixes:
* CVE-2019-16942 (Deserialization of Untrusted Data)
* CVE-2019-16943 (Deserialization of Untrusted Data)
* CVE-2019-17531 (Deserialization of Untrusted Data)

As mentioned before, the Jackson maintainers release patch-level fixes with
version numbers that differ from the main Jackson version, therefore the extra
gradle build variable for jackson databind is needed...

Thanks,
Stefan Seide
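The point about patch-level Jackson releases carrying an extra version component (2.9.10 vs 2.9.10.1) is easy to get wrong in a naive "is the fix installed?" check. Below is an added example, not part of this bug report nor of JMeter's build, that audits a list of jar file names for a jackson-databind version below the fix level named in the ticket. It assumes the usual Maven naming convention `artifact-version.jar`; the sample classpath listing is constructed for illustration.

```python
import re
from typing import List, Optional, Tuple

# Lowest jackson-databind version that the ticket says carries the fixes.
MIN_FIXED_DATABIND = "2.9.10.1"

# Constructed sample of a lib/ directory listing; not a real JMeter release.
SAMPLE_CLASSPATH = [
    "jackson-annotations-2.9.10.jar",
    "jackson-core-2.9.10.jar",
    "jackson-databind-2.9.10.jar",
    "commons-lang3-3.9.jar",
]

# artifact-version.jar, where the version starts with a digit
_JAR_RE = re.compile(r"^(?P<artifact>[A-Za-z0-9_.-]+?)-(?P<version>\d[\w.]*)\.jar$")


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.9.10.1' into (2, 9, 10, 1).

    Any non-numeric suffix (e.g. '-SNAPSHOT') is dropped; only the numeric
    components are compared.
    """
    m = re.match(r"\d+(?:\.\d+)*", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(part) for part in m.group(0).split("."))


def is_fixed(version: str, minimum: str = MIN_FIXED_DATABIND) -> bool:
    """True if `version` is at or above the fix level.

    Tuple comparison ranks (2, 9, 10) below (2, 9, 10, 1), which is exactly the
    case a plain string compare or a fixed three-component check gets wrong.
    """
    return parse_version(version) >= parse_version(minimum)


def split_jar_name(jar: str) -> Optional[Tuple[str, str]]:
    """Split 'jackson-databind-2.9.10.jar' into ('jackson-databind', '2.9.10')."""
    m = _JAR_RE.match(jar)
    if not m:
        return None
    return m.group("artifact"), m.group("version")


def audit_classpath(jar_names: List[str], artifact: str = "jackson-databind") -> List[str]:
    """Return the jars of `artifact` whose version is below the fix level."""
    findings = []
    for jar in jar_names:
        parsed = split_jar_name(jar)
        if parsed is None:
            continue
        name, version = parsed
        if name == artifact and not is_fixed(version):
            findings.append(jar)
    return findings


if __name__ == "__main__":
    for jar in audit_classpath(SAMPLE_CLASSPATH):
        print(f"below {MIN_FIXED_DATABIND}: {jar}")
```

Pointing `SAMPLE_CLASSPATH` at a real `lib/` listing (for example `os.listdir("lib")`) turns this into a one-line post-upgrade check that the databind jar, and not only jackson-core and jackson-annotations, actually moved to the patch-level release.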
