Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Upgrade Jackson dependencies #15

Closed
Canos opened this issue Dec 15, 2017 · 7 comments
Closed

Upgrade Jackson dependencies #15

Canos opened this issue Dec 15, 2017 · 7 comments

Comments

@Canos
Copy link

Canos commented Dec 15, 2017
edited
Loading

Seems a great moment to try to upgrade the dependency since there's important security problems with old jacksons.
Is it possible?

FasterXML/jackson-databind#1723

Thanks in advance.
@msymons
Copy link

msymons commented Jan 23, 2018

There are multiple security issues that have been addressed in released version of Jackson. The above reference to Jackson-databind 1723 is actually not the best reference as that issue was closed as a duplicate.

What we do have are fixes for CVE-2017-7525 via:

FasterXML/jackson-databind#1599

Hence jackson:

  • 2.6.7.1
  • 2.7.9.1
  • 2.8.9
  • 2.9.0
    (but see below):

There were then later fixes, Firstly: "Blacklist couple more types for deserialization" (the CVE-2017-7525 fix was not quite complete).

FasterXML/jackson-databind#1680

Then there was "Block more JDK types from polymorphic deserialization (CVE 2017-15095)" in:

FasterXML/jackson-databind#1737

Hence, taking all the above, and reading through comments, etc, we seem to have all security fixes released in the following Jackson versions

  • 2.7.9.2
  • 2.8.10
  • 2.9.0

@teodord
Copy link
Collaborator

teodord commented Jan 26, 2018

We have upgraded to Jackson 2.9.3 in master branch and this will be part of the next release.

@teodord teodord closed this as completed Jan 26, 2018
@msymons
Copy link

msymons commented Mar 2, 2018

@teodord, I'm afraid that new CVEs have been released, explaining that the fix in Jackson 2.9.3 was incomplete - but addressed in Jackson 2.9.4:

@teodord
Copy link
Collaborator

teodord commented May 15, 2018

Upgraded to 2.9.5 now.

teodord added a commit that referenced this issue May 15, 2018
@teodord
jackson 2.9.5 upgrade (fixed gh-15)
97c136e
@juljog
Copy link

juljog commented Jan 9, 2019

Hi,

There is a jackson vulnerability https://nvd.nist.gov/vuln/detail/CVE-2018-1000873 that is addressed in 2.9.8 FasterXML/jackson-modules-java8#90

Possible to upgrade the dependency?

Thanks in advance.

@teodord
Copy link
Collaborator

teodord commented Jan 9, 2019

We upgraded to 2.9.8 on master branch and this would be part of a future release.
But I remind you that JasperReports is just a library inside your own Java application, together with many other libraries you need, including Jackson. So the versions for these libraries are pretty much your choice and responsibility, provided that they can work together. Since there is not API change from 2.9.5 to 2.9.8 in Jackson, you can upgrade on your side any time you want. The version of Jackson we include in our build should not matter for you as you include the one you prefer in your own application.

@juljog
Copy link

juljog commented Jan 9, 2019

@teodord noted with thanks

@shinurag shinurag mentioned this issue Sep 25, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@juljog @Canos @teodord @msymons