Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CVE-2019-14439: bump jackson-databind to 2.9.9.3 #2688

Merged
merged 1 commit into from
Sep 9, 2019
Merged

CVE-2019-14439: bump jackson-databind to 2.9.9.3 #2688

merged 1 commit into from
Sep 9, 2019

Conversation

laszlovandenhoek
Copy link
Contributor

@laszlovandenhoek laszlovandenhoek commented Sep 6, 2019
edited
Loading

PR #2671 bumps the jackson-databind version to 2.9.9. However, this version is susceptible to CVE-2019-14439 (original issue: FasterXML/jackson-databind#2389). While the vulnerability might not be directly exploitable from Akka HTTP, it might still pose a problem for projects pulling it in as a transitive dependency.

This PR bumps jackson-databind further, to its latest stable version, 2.9.9.3.

FYI, there are three more CVE's of this kind present in all versions of jackson-databind, including this one - they will be fixed in the forthcoming 2.10.0 release:

FasterXML/jackson-databind#2410
FasterXML/jackson-databind#2420
FasterXML/jackson-databind#2421

@akka-ci
Copy link

akka-ci commented Sep 6, 2019

Thank you for your pull request! After a quick sanity check one of the team will reply with 'OK TO TEST' to kick off our automated validation on Jenkins. This compiles the project, runs the tests, and checks for things like binary compatibility and source code formatting. When two team members have also manually reviewed and (perhaps after asking for some amendments) accepted your contribution, it should be good to be merged.

For more details about our contributing process, check out CONTRIBUTING.md - and feel free to ask!

@raboof
Copy link
Member

raboof commented Sep 6, 2019

OK TO TEST

@akka-ci akka-ci added validating PR that is currently being validated by Jenkins tested PR that was successfully built and tested by Jenkins and removed validating PR that is currently being validated by Jenkins labels Sep 6, 2019
@akka-ci
Copy link

akka-ci commented Sep 6, 2019

Test PASSed.

jrudolph
jrudolph approved these changes Sep 9, 2019
View reviewed changes
Copy link
Member

@jrudolph jrudolph left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@jrudolph jrudolph added this to the 10.1.10 milestone Sep 9, 2019
@jrudolph jrudolph merged commit dbd58c6 into akka:master Sep 9, 2019
@laszlovandenhoek laszlovandenhoek deleted the cve-2019-14439 branch September 9, 2019 14:46
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@raboof raboof raboof approved these changes

@jrudolph jrudolph jrudolph approved these changes

Assignees
No one assigned
Labels
tested PR that was successfully built and tested by Jenkins
Projects
None yet
Milestone
10.1.10
Development

Successfully merging this pull request may close these issues.
4 participants
@laszlovandenhoek @akka-ci @raboof @jrudolph