Bug 63963 - Please update dependency of jackson to 2.9.10.1
Summary: Please update dependency of jackson to 2.9.10.1
Status: RESOLVED FIXED
Alias: None
Product: JMeter
Classification: Unclassified
Component: Main (show other bugs)
Version: 5.2.1
Hardware: All All
: P2 normal (vote)
Target Milestone: JMETER_5.3.0
Assignee: JMeter issues mailing list
URL:
Keywords: FixedInTrunk
Depends on:
Blocks:
 
Reported: 2019-11-26 12:00 UTC by S. Seide
Modified: 2020-02-16 20:54 UTC (History)
1 user (show)



Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description S. Seide 2019-11-26 12:00:24 UTC
as with the last similiar tickets - Jackson Databind lib contained some new vulnerabilities that are fixed with an update from 2.9.10 to 2.9.10.1.
I'll prepare an pull request for that.

Its been running at our systems for some days by now without problems, "gradlew check" passes too.

Fixes:
* CVE-2019-16942 (Deserialization of Untrusted Data)
* CVE-2019-16943 (Deserialization of Untrusted Data)
* CVE-2019-17531 (Deserialization of Untrusted Data)

A mentioned before, the Jackson maintainers release patch level fixes that are different version numbers from the main Jackson version, therefore the extra gradle build variable for jackson databind is needed...

Thanks,
Stefan Seide
Comment 1 S. Seide 2019-11-26 12:05:10 UTC
Pull request https://github.com/apache/jmeter/pull/546
Comment 2 Felix Schumacher 2019-12-03 17:46:29 UTC
What do you think of updating to 2.10.1?
Comment 3 Felix Schumacher 2019-12-03 18:17:42 UTC
@Stefan, I hope the new version works for you, too. It would be nice, if you could give the next nightly a test.

commit a2051bf7b0d407495800aeb895f0896a3f2fa348
AuthorDate: Tue Dec 3 19:09:22 2019 +0100

    Update to jackson 2.10.1
    
    Originally Stefan Seide proposed to update jackson databind to 2.9.10.1,
    but as jackson seems to have moved on to 2.10.x as the current major
    release, it is probably better to update to the current newest major version.
    
    Squashed commit of the following:
    
    commit b7d433cbee608b6d903424cca566c76282da15ea
    Author: Felix Schumacher <felix.schumacher@internetallee.de>
    Date:   Tue Dec 3 19:05:45 2019 +0100
    
        Update to jackson 2.10.1
    
    commit dd42b999efab2a29c7dbe2d613c3d21c6556f8df
    Author: Stefan Seide <account-github@seide.st>
    Date:   Tue Nov 26 13:01:30 2019 +0100
    
        update jackson dependency to 2.9.10.1
    
    Closes #546
    Bugzilla Id: 63963
---
 gradle.properties | 4 ++--
 xdocs/changes.xml | 2 ++
 2 files changed, 4 insertions(+), 2 deletions(-)
Comment 4 S. Seide 2019-12-06 10:54:29 UTC
yes - as currently used version 2.9 of jackson receives security bugfixes only anymore the move to 2.10 should be made.
(https://github.com/FasterXML/jackson/wiki/Jackson-Releases)

We will look at it and give the jackson 2.10 a try. Will report back in some days after using it.

Thanks,
Stefan Seide
Comment 5 Felix Schumacher 2020-02-16 20:54:43 UTC
@Stefan, maybe you want to give this a try, too.

commit ddb3596a29d6b4722fdf4056cf3492103e37d194
AuthorDate: Sun Feb 16 21:51:45 2020 +0100

    Updated jackson to 2.10.2 (from 2.10.1)
    
    Bugzilla Id: 63963
    Relates to #546
---
 gradle.properties | 4 ++--
 xdocs/changes.xml | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)