
BUG 63776 - update Jackson dependency to 2.9.10 #508

Merged (1 commit), Sep 27, 2019

Conversation

@sseide sseide (Contributor) commented Sep 27, 2019

Description

This fix updates the Jackson libraries to the new version 2.9.10 to fix some security vulnerabilities (CVE-2019-14540) as described in the Jackson Databind issues (FasterXML/jackson-databind#2410 and FasterXML/jackson-databind#2420).

How Has This Been Tested?

Running gradlew check finished without errors.
We have been using the newer dependency ourselves for some days without problems with embedded JMeter 5.1.1.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)

Checklist:

  • My code follows the code style of this project.
  • I have updated the documentation accordingly.

jackson.version=2.9.9
jackson-databind.version=2.9.9.3
jackson.version=2.9.10
jackson-databind.version=2.9.10
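Review bot: after this change both properties pin the identical value 2.9.10, so jackson-databind.version no longer differs from jackson.version and a reader of the properties file cannot tell why it exists; if the separate property is kept (the thread below argues it should be, because jackson-databind ships micro-patch releases such as the 2.9.9.3 it replaces), add a comment above `jackson-databind.version=2.9.10` stating that databind is pinned independently and naming the advisory this bump tracks (BUG 63776 / CVE-2019-14540 from the description), so the next bump does not silently collapse the two.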
Contributor


If the version numbers are the same again, we can think about dropping the extra property.

Contributor Author


I do not know - as many more similar vulnerabilities have been found recently, I suspect more to come in the future. And the Jackson team seems to address some of these via micro-patches to jackson-databind only.

Therefore it seems reasonable to leave both versions independent of each other as of now...
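The exchange above points out that jackson-databind gets its own micro-patch releases (the 2.9.9.3 replaced by this PR), so a check that the pinned versions are at or above the fixed release must not compare the strings lexically: "2.9.9.3" sorts after "2.9.10" as text although it is the older release. The following is an added example, not code from the JMeter build or from this PR; it parses the two property lines shown in the diff and checks each pin against 2.9.10, the version the description names as carrying the fix for CVE-2019-14540. The property names and versions come from the page; the minimum-version table and the helper names are assumptions.

```python
"""Check pinned Jackson versions in a .properties file against a minimum."""

# Minimum release that carries the fix, per the PR description (assumed
# to apply to both properties; adjust per advisory).
MIN_VERSIONS = {
    "jackson.version": "2.9.10",
    "jackson-databind.version": "2.9.10",
}

# Constructed inputs: the property lines before and after this PR.
BEFORE = "jackson.version=2.9.9\njackson-databind.version=2.9.9.3\n"
AFTER = "jackson.version=2.9.10\njackson-databind.version=2.9.10\n"


def parse_version(version):
    """Turn '2.9.9.3' into (2, 9, 9, 3) so tuple comparison orders releases
    numerically; a four-part micro-patch then sorts below the next minor."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unsupported version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_at_least(actual, minimum):
    """True when `actual` is the same release as `minimum` or newer."""
    return parse_version(actual) >= parse_version(minimum)


def parse_properties(text):
    """Minimal key=value parser for Java .properties content (comments
    start with '#' or '!'; escapes and continuations are not handled)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def check_pins(text, minimums=MIN_VERSIONS):
    """Map each required property to (pinned value or None, meets minimum)."""
    props = parse_properties(text)
    return {
        key: (props.get(key), key in props and is_at_least(props[key], minimum))
        for key, minimum in minimums.items()
    }


if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        for key, (pinned, ok) in check_pins(text).items():
            print(f"{label}: {key}={pinned} -> {'ok' if ok else 'BELOW MINIMUM'}")
```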

@codecov-io commented

Codecov Report

Merging #508 into master will increase coverage by <.01%.
The diff coverage is n/a.


@@             Coverage Diff              @@
##             master     #508      +/-   ##
============================================
+ Coverage     54.81%   54.81%   +<.01%     
  Complexity     9792     9792              
============================================
  Files          1018     1018              
  Lines         62716    62716              
  Branches       7068     7068              
============================================
+ Hits          34375    34376       +1     
  Misses        25907    25907              
+ Partials       2434     2433       -1

Impacted Files | Coverage Δ | Complexity Δ
...n/java/org/apache/jmeter/reporters/Summariser.java | 85.49% <0%> (-0.77%) | 18% <0%> (-1%)
...a/org/apache/jmeter/timers/PoissonRandomTimer.java | 78.37% <0%> (+5.4%) | 10% <0%> (+1%) ⬆️


Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update feaf482...22a2fc0. Read the comment docs.

@vlsi vlsi changed the title BUG 63776 - update jackson dependency to 2.9.10 BUG 63776 - update Jackson dependency to 2.9.10 Sep 27, 2019
@vlsi vlsi merged commit b2b1e8f into apache:master Sep 27, 2019
@sseide sseide deleted the 63776_update_jackson branch November 26, 2019 12:05