[BUILD-308] Update resteasy to prevent jackson-databind deserializer security (CVE-2017-7525) Created: 24/May/18  Updated: 12/Feb/21  Resolved: 11/Jun/18

Status: Closed
Project: Build
Component/s: None
Affects Version/s: None
Fix Version/s: BOM 5.7

Type: Task Priority: Neutral
Reporter: Oanh Thai Hoang Assignee: Oanh Thai Hoang
Resolution: Done Votes: 0
Labels: security
Remaining Estimate: 0d
Time Spent: 1.25d
Original Estimate: Not Specified

Issue Links:
dependency
depends upon MGNLTOMCAT-3 Update Tomcat to 9.0.8 Closed
relation
supersession
supersedes MGNLREST-112 Lib updates Closed
Template:
Acceptance criteria:
Empty
Task DoR:
Empty
Release notes required:
Yes
Epic Link: 5.7 library update
Sprint: Saigon 147
Story Points: 3

Description

According to jackson-databind, the fix for CVE-2017-7525 was introduced in 2.8.9. See https://github.com/FasterXML/jackson-databind/issues/1599.
Note: jackson-databind has also shipped updates for other CVEs: https://github.com/FasterXML/jackson-databind/issues?utf8=%E2%9C%93&q=label%3ACVE+. It would therefore be better to use a resteasy release that ships a newer jackson-databind (e.g. 2.9.5 or 2.8.11.1).
Comments
Comment by Oanh Thai Hoang [ 15/Jun/18 ]

Since we import jackson-bom in https://git.magnolia-cms.com/projects/BUILD/repos/boms/browse/pom.xml#1171, and jackson version 2.9.5 (http://central.maven.org/maven2/com/fasterxml/jackson/jackson-bom/2.9.5/jackson-bom-2.9.5.pom) actually uses jackson-annotation 2.9.0

Generated at Sun Feb 11 23:40:43 CET 2024 using Jira 9.4.2#940002-sha1:46d1a51de284217efdcb32434eab47a99af2938b.