Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update dependency pl.project13.maven:git-commit-id-plugin to v2.2.6 - autoclosed #60

Merged
merged 1 commit into from
Mar 2, 2024
Merged

Update dependency pl.project13.maven:git-commit-id-plugin to v2.2.6 - autoclosed #60

merged 1 commit into from
Mar 2, 2024

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Mar 2, 2024

Mend Renovate

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
pl.project13.maven:git-commit-id-plugin (source) 2.2.5 -> 2.2.6 age adoption passing confidence

Release Notes

git-commit-id/git-commit-id-maven-plugin (pl.project13.maven:git-commit-id-plugin)

v2.2.6: Version 2.2.6

Compare Source

Version 2.2.6 is a security update for a potential issue within the jackson-databind dependency. As usual you can checkout the detailed list of bug-fixes :-)

New Features / Bug-Fixes:

The main key-aspects is a security update for a potential issue within the jackson-databind dependency. This specific dependency was updated to v2.9.8 in response to https://github.com/FasterXML/jackson-databind/issues/2186 (CVE-2018-19360, CVE-2018-19361, CVE-2018-19362). Even though by default an user of this plugin does not seem to be affected by this potential issue, it is highly recommended to adopt the latest version at your earliest convenience. Similar to version 2.2.5 this version provides full support for Java 7, Java 8, Java 9, Java 10 and Java 11 (and is potentially also working for any higher version).

Am I affected? (technical details)

The specific issues that have been fixed with the update of jackson-databind dependency are:

  • CVE-2018-19360: FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the axis2-transport-jms class from polymorphic deserialization.
  • CVE-2018-19361: FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the openjpa class from polymorphic deserialization.
  • CVE-2018-19362: FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the jboss-common-core class from polymorphic deserialization.

This plugin uses the jackson-databind dependency for dumping the git information (serialization) to the generated properties file and determining if the generated json properties are up-to-date (deserialization). As of now it appears that only user who generate json properties via <format>json</format> may be affected by those issues. This specific configuration is set to <format>properties</format> by default and hence by default it appears that those issues are out of scope. Only when this configuration is altered a user may need to consider the linked CVE's as potential security problem.
In general I would be unsure if this ever even could be considered a true attack vector of this plugin, since the generated json file would need to contain data that would trigger this specific bug in the dependency. If an adversary has access to the content to the location where the generated file is residing, I would assume he can also modify the any local file (including project files) and hence would not need to go through the pain and exploit this problem....

Getting the latest release

The plugin is available from Maven Central (see here), so you don't have to configure any additional repositories to use this plugin. All you need to do is to configure it inside your project as dependency:

<dependency>
    <groupId>pl.project13.maven</groupId>
    <artifactId>git-commit-id-plugin</artifactId>
    <version>2.2.6</version>
</dependency>

Known Issues / Limitations:

Reporting Problems

If you find any problem with this plugin, feel free to report it here

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

@lltx lltx merged commit 7a9c53e into master Mar 2, 2024
1 check passed
@renovate renovate bot changed the title Update dependency pl.project13.maven:git-commit-id-plugin to v2.2.6 Update dependency pl.project13.maven:git-commit-id-plugin to v2.2.6 - autoclosed Mar 2, 2024
@renovate renovate bot deleted the renovate/git.commit.plugin branch March 2, 2024 03:13
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@lltx