Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Security vulnerability DSA-4004-1 for CVE-2017-7525, in which release is it fixed #1837

Closed
appDeveloper888 opened this issue Nov 23, 2017 · 6 comments

Comments

@appDeveloper888
Copy link

Hi,

which release of fasterxml.jackson-databind has fixed the following security vulnerability ?

Best regards

Details:

Debian Security Advisory DSA-4037-1 [email protected]
https://www.debian.org/security/ Sebastien Delafond
November 16, 2017 https://www.debian.org/security/faq

Package : jackson-databind
CVE ID : CVE-2017-15095

It was discovered that jackson-databind, a Java library used to parse JSON and other data formats, improperly validated user input prior to deserializing: following DSA-4004-1 for CVE-2017-7525, an additional set of classes was identified as unsafe for deserialization.
For the old stable distribution (jessie), this problem has been fixed in version 2.4.2-2+deb8u2.
For the stable distribution (stretch), this problem has been fixed in version 2.8.6-1+deb9u2.

@cowtowncoder
Copy link
Member

cowtowncoder commented Nov 25, 2017

Please have a look at issue #1599, if that might be what you are looking for.

I think for 2.8 branch it would be 2.8.9 (although it is recommended to use latest patch available, 2.8.10). All 2.9 versions have fix; 2.9.2 being recommended since it is the most recent patch available for that branch.

cmark added a commit to b2ihealthcare/snow-owl that referenced this issue Dec 12, 2017
Fixes the following security issue:
FasterXML/jackson-databind#1599
FasterXML/jackson-databind#1837

Also include other jackson libraries in the target platform instead of
embedding them via Bundle-ClassPath.
@DKumars
Copy link

DKumars commented Jan 31, 2018

hi ,
Is this fix available on 2.6.7.1 ? Please confirm as we are using old version.

@cowtowncoder
Copy link
Member

cowtowncoder commented Jan 31, 2018

@DKumars As per other issue, upgrade to a later version (2.8.11 or 2.9.4). Project does not have resources to backport fixes to older, closed branches.

@poverma
Copy link

poverma commented Feb 7, 2018

Tried with jackson-databind 2.9.4 version for that upgraded scala minor version to 11.
but there is dependency issue
What we changed:
jackson:[[group: 'com.fasterxml.jackson.core', name:'jackson-core', version:'2.9.4'],
[group:'com.fasterxml.jackson.core', name:'jackson-annotations', version:'2.9.4'],
[group:'com.fasterxml.jackson.jaxrs', name:'jackson-jaxrs-json-provider', version:'2.9.4'],
[group:'com.fasterxml.jackson.jaxrs', name:'jackson-jaxrs-base', version:'2.9.4'],
[group:'com.fasterxml.jackson.core', name:'jackson-databind', version:'2.9.4'],
[group:'com.fasterxml.jackson.module', name:'jackson-module-scala_2.11', version:'2.9.4']],
Error:

What went wrong:
Execution failed for task ':apps:release:dependencies'.

Could not resolve all dependencies for configuration ':apps:release:resolve'.
A conflict was found between the following modules:
- org.scala-lang:scala-reflect:2.11.11
- org.scala-lang:scala-reflect:2.11.7

@cowtowncoder
Copy link
Member

@poverma that sounds like a possible problem with jackson-module-scala then, or possibly build system you are using (wrt build definitions you use). Jackson does not depend on Scala for any other reason than scala module so it seems like you would need to enforce specific version of transitive dependency in build definitions.
If that does not work you may want to file an issue against jackson-module-scala and/or send a question on user mailing list (https://groups.google.com/forum/#!forum/jackson-user).

@DKumars
Copy link

DKumars commented Mar 26, 2018 via email

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

4 participants