As with the last similar tickets, the Jackson Databind lib contained some new vulnerabilities that are fixed with an update from 2.9.10 to 2.9.10.1. I'll prepare a pull request for that. It's been running on our systems for some days by now without problems; "gradlew check" passes too.

Fixes:
* CVE-2019-16942 (Deserialization of Untrusted Data)
* CVE-2019-16943 (Deserialization of Untrusted Data)
* CVE-2019-17531 (Deserialization of Untrusted Data)

As mentioned before, the Jackson maintainers release patch level fixes that have different version numbers from the main Jackson version, therefore the extra gradle build variable for jackson databind is needed...

Thanks, Stefan Seide
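The point about databind carrying its own patch-level version (2.9.10.1 next to a 2.9.10 core) is what a dependency check has to get right. The following is an added example, not code from JMeter or the pull request: it parses a constructed gradle.properties fragment and checks that the pinned jackson-databind version is at or above the fixed release named in the ticket; the property names `jackson.version` and `jackson.databind.version` are assumptions, not JMeter's actual keys.

```python
"""Added example (not JMeter project code): verify that the jackson-databind
version pinned in gradle.properties is at least the fixed 2.9.10.1.
Patch-level releases add a fourth component, so a plain string compare
(which ranks "2.9.9" above "2.9.10.1") or a fixed three-part parse is wrong."""
import re

# Constructed sample; key names are assumptions, not JMeter's real properties.
SAMPLE_PROPERTIES = """\
# Jackson core/annotations
jackson.version=2.9.10
# databind gets its own micro releases, hence a separate key
jackson.databind.version=2.9.10.1
"""

# Lowest databind version without CVE-2019-16942/16943/17531 per the ticket.
FIXED_DATABIND = "2.9.10.1"


def parse_version(v: str) -> tuple:
    """'2.9.10.1' -> (2, 9, 10, 1); components compared numerically."""
    return tuple(int(p) for p in v.strip().split("."))


def version_at_least(actual: str, required: str) -> bool:
    """Pad the shorter tuple with zeros so 2.9.10 compares as 2.9.10.0."""
    a, r = parse_version(actual), parse_version(required)
    width = max(len(a), len(r))
    return a + (0,) * (width - len(a)) >= r + (0,) * (width - len(r))


def load_properties(text: str) -> dict:
    """Minimal key=value parser for gradle.properties (comments/blanks skipped)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def databind_is_fixed(properties_text: str,
                      key: str = "jackson.databind.version") -> bool:
    """True if the databind pin (or, absent one, the main jackson pin) is fixed."""
    props = load_properties(properties_text)
    version = props.get(key) or props.get("jackson.version")
    return version is not None and version_at_least(version, FIXED_DATABIND)
```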
Pull request https://github.com/apache/jmeter/pull/546
What do you think of updating to 2.10.1?
@Stefan, I hope the new version works for you, too. It would be nice if you could give the next nightly a test.

commit a2051bf7b0d407495800aeb895f0896a3f2fa348
AuthorDate: Tue Dec 3 19:09:22 2019 +0100

    Update to jackson 2.10.1

    Originally Stefan Seide proposed to update jackson databind to 2.9.10.1, but as jackson seems to have moved on to 2.10.x as the current major release, it is probably better to update to the current newest major version.

    Squashed commit of the following:

    commit b7d433cbee608b6d903424cca566c76282da15ea
    Author: Felix Schumacher <felix.schumacher@internetallee.de>
    Date: Tue Dec 3 19:05:45 2019 +0100

        Update to jackson 2.10.1

    commit dd42b999efab2a29c7dbe2d613c3d21c6556f8df
    Author: Stefan Seide <account-github@seide.st>
    Date: Tue Nov 26 13:01:30 2019 +0100

        update jackson dependency to 2.9.10.1

    Closes #546
    Bugzilla Id: 63963
---
 gradle.properties | 4 ++--
 xdocs/changes.xml | 2 ++
 2 files changed, 4 insertions(+), 2 deletions(-)
Yes - as the currently used version 2.9 of jackson only receives security bugfixes anymore, the move to 2.10 should be made. (https://github.com/FasterXML/jackson/wiki/Jackson-Releases) We will look at it and give jackson 2.10 a try. Will report back in some days after using it.

Thanks, Stefan Seide
@Stefan, maybe you want to give this a try, too.

commit ddb3596a29d6b4722fdf4056cf3492103e37d194
AuthorDate: Sun Feb 16 21:51:45 2020 +0100

    Updated jackson to 2.10.2 (from 2.10.1)

    Bugzilla Id: 63963
    Relates to #546
---
 gradle.properties | 4 ++--
 xdocs/changes.xml | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
This issue has been migrated to GitHub: https://github.com/apache/jmeter/issues/5204