Play Framework
Replies: 3 comments 4 replies
-
|
Hello, I would like to ask please, would adding this:
regards |
Beta Was this translation helpful? Give feedback.
-
|
Actually it isn't enough. you can check with running but not |
Beta Was this translation helpful? Give feedback.
-
|
I think the advice contains typo. The word |
Beta Was this translation helpful? Give feedback.
-
|
libraryDependencies is the weaker form of an dependency override. If a dependency in your project pulls Jackson 2.13, you have a libraryDependency with Jackson 2.14… SBT should pick the 2.14, as it is the latest revision - with default conflict management. But: In case of Jackson, all modules must be defined via libraryDependencies. https://www.scala-sbt.org/1.x/docs/Library-Management.html#Conflict+Management If a dependency pulls a higher revision than the one you defined via libraryDependencies, you must override with dependencyOverride. Thus, if you have via libraryDependencies 2.14 and have e.g. logstash-logback-encoder in v7.4 which pulls 2.15… You will get 2.15 with the default conflict management as it is the highest revision. With dependencyOverride SBT will forcefully override the version, performing an downgrade to 2.14 - despite logstash-logback-encoder pulling in the newer revision 2.15. |
Beta Was this translation helpful? Give feedback.
-
|
We just came across Just to check Play's policy on Jackson updates, Play can only make 'patch' version upgrades on Jackson while maintaining the same Play 'major.minor' release version, is that right? So the first version of Play that could contain Jackson 2.15 would be Play 3.1, given that Play is on v3.0.5 (and Jackson 2.14.3) at the moment? Related PRs (with some challenges due to failing tests): |
Beta Was this translation helpful? Give feedback.
-
There will never be a CVE because this "issue" is not a 'high' vulnerability.
This is not correct. If you look closer, the report was published on 8 Dec 2022 already, it's nothing new. If you look at the discussion in the jackson repo (FasterXML/jackson-core#861) you will find out that the jackson maintainers got a bit annoyed the this so called "disclosure". If I read this right, what happend is that a commit made it into jackson (FasterXML/jackson-core@3af7e3e), like total normal development, nothing special, to limit the sizes of numbers, then someone reported this as "vulnerability", which never was, because nothing was ever exploited in the wild. The fix never was intented to fix a vulnerability, the commit was done on Nov 29, 2022, the report was filed one week later on Dec 8, 2022. But of course everone got nervos when security alerts pop up...
Yes, plan is to upgrade to latest Jackson in the next upcoming release. |
Beta Was this translation helpful? Give feedback.
-
|
@mkurz - thank you for that background, including the pointer to FasterXML/jackson-core#861 - much appreciated. |
Beta Was this translation helpful? Give feedback.
-
To fix CVE-2020-36518 in your Play 2.8 application you need to upgrade to either latest Jackson 2.12.x or 2.13.x. Play 2.8 uses older Jackson 2.11, but unfortunately the Jackson developers won't backport the fix to the 2.11.x branch.
We don't plan to upgrade Jackson 2.11.x in Play 2.8.x as of now, since that might break existing Play applications.
Make sure to thoroughly test your application before putting it into production with an upgraded major Jackson version!
To upgrade Jackson you have to add this to your
build.sbt:If you now run
sbt dependencyTreeorshow runtime:fullClasspatyou should see all the Jackson versions should be upgraded.Also see:
mainbranch)mainbranch)Beta Was this translation helpful? Give feedback.
All reactions