[BUILD-308] Update resteasy to prevent jackson-databind deserialization vulnerability (CVE-2017-7525)
Created: 24/May/18 | Updated: 12/Feb/21 | Resolved: 11/Jun/18
| Status: | Closed |
| Project: | Build |
| Component/s: | None |
| Affects Version/s: | None |
| Fix Version/s: | BOM 5.7 |
| Type: | Task | Priority: | Neutral |
| Reporter: | Oanh Thai Hoang | Assignee: | Oanh Thai Hoang |
| Resolution: | Done | Votes: | 0 |
| Labels: | security |
| Remaining Estimate: | 0d |
| Time Spent: | 1.25d |
| Original Estimate: | Not Specified |
| Issue Links: | |
| Template: | |
| Acceptance criteria: | Empty |
| Task DoR: | Empty |
| Release notes required: | Yes |
| Epic Link: | 5.7 library update |
| Sprint: | Saigon 147 |
| Story Points: | 3 |
| Description |

According to jackson-databind, the fix for CVE-2017-7525 was introduced in 2.8.9; see https://github.com/FasterXML/jackson-databind/issues/1599.

Note: jackson-databind has also shipped fixes for other CVEs (https://github.com/FasterXML/jackson-databind/issues?utf8=%E2%9C%93&q=label%3ACVE+), so it would be good to use a resteasy release that ships with a newer jackson-databind (such as 2.9.5 or 2.8.11.1).
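The version that matters for CVE-2017-7525 is the jackson-databind Maven actually puts on the classpath after conflict resolution, not the one resteasy declares. As an added example (not part of this ticket and not Magnolia's build code), the following Python script reads `mvn dependency:tree -Dverbose` output, keeps only the winning artifacts, and checks the resolved jackson-databind against the 2.8.9 fix version named above; it also reports whether all `com.fasterxml.jackson.core` artifacts share one minor line, since mixed lines usually mean the BOM is not governing every artifact. The sample tree embedded in it is constructed, with placeholder project and resteasy coordinates, and the parser assumes jackson artifacts carry no classifier column.

```python
"""Check the jackson-databind version Maven actually resolves against the
CVE-2017-7525 fix version named in this ticket (2.8.9).

Input is the text of `mvn dependency:tree -Dverbose` (Maven 3). The sample
below is constructed for this example; the project and resteasy coordinates
are placeholders, not real build output.
"""
import re

# Minimum jackson-databind version carrying the CVE-2017-7525 fix, as
# stated in the ticket (jackson-databind issue #1599). The comparison is
# numeric, so any later release line (2.9.x) also counts as fixed.
FIXED_FROM = (2, 8, 9)

JACKSON_GROUP = "com.fasterxml.jackson.core"

# groupId:artifactId:packaging:version:scope, as printed by dependency:tree.
# Assumption: no classifier column (the common case for jackson artifacts).
_COORD = re.compile(
    r"([\w.-]+):([\w.-]+):[\w.-]+:([\w.-]+):(?:compile|runtime|provided|test|system)"
)

# Constructed sample of `mvn dependency:tree -Dverbose` output.
SAMPLE_TREE = """\
[INFO] com.example:app:jar:1.0.0
[INFO] +- org.jboss.resteasy:resteasy-jackson2-provider:jar:3.0.0.Final:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-core:jar:2.8.4:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-databind:jar:2.8.4:compile
[INFO] |  \\- (com.fasterxml.jackson.core:jackson-annotations:jar:2.8.0:compile - omitted for conflict with 2.9.0)
[INFO] \\- com.fasterxml.jackson.core:jackson-annotations:jar:2.9.0:compile
"""


def parse_version(version):
    """'2.8.11.1' -> (2, 8, 11, 1); trailing qualifiers like '.Final' are dropped."""
    parts = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def resolved_artifacts(tree_text):
    """Map (groupId, artifactId) -> version for the artifacts Maven kept.

    Verbose mode prints the losers of conflict resolution in parentheses
    ('... - omitted for conflict with ...'); they are skipped because only
    the winning version reaches the classpath.
    """
    resolved = {}
    for line in tree_text.splitlines():
        if "omitted for" in line:
            continue
        m = _COORD.search(line)
        if m:
            group, artifact, version = m.group(1), m.group(2), m.group(3)
            resolved[(group, artifact)] = version
    return resolved


def databind_is_fixed(version):
    """True if jackson-databind `version` is at or above the fix version."""
    return parse_version(version) >= FIXED_FROM


def audit(tree_text):
    """Summarise the jackson state of the resolved classpath as a dict."""
    resolved = resolved_artifacts(tree_text)
    databind = resolved.get((JACKSON_GROUP, "jackson-databind"))
    jackson_versions = {
        artifact: version
        for (group, artifact), version in resolved.items()
        if group == JACKSON_GROUP
    }
    # Mixed minor lines (e.g. databind 2.8.x next to annotations 2.9.0)
    # mean the BOM is not actually governing every jackson artifact.
    minors = {parse_version(v)[:2] for v in jackson_versions.values()}
    return {
        "databind": databind,
        "fixed": databind is not None and databind_is_fixed(databind),
        "jackson_versions": jackson_versions,
        "aligned": len(minors) <= 1,
    }


if __name__ == "__main__":
    import sys

    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_TREE
    report = audit(text)
    print(report)
    sys.exit(0 if report["fixed"] and report["aligned"] else 1)
```

Run it against a real build with `mvn dependency:tree -Dverbose -Dincludes=com.fasterxml.jackson.core | python check_jackson.py`; the non-zero exit status makes it usable as a CI gate. The check is purely numeric against 2.8.9, so a patched release on an older line would be reported as unfixed; add such versions to the check if your build relies on one.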
| Comments |
| Comment by Oanh Thai Hoang [ 15/Jun/18 ] |
|
Since we import jackson-bom in https://git.magnolia-cms.com/projects/BUILD/repos/boms/browse/pom.xml#1171, and jackson version 2.9.5 (http://central.maven.org/maven2/com/fasterxml/jackson/jackson-bom/2.9.5/jackson-bom-2.9.5.pom) actually uses jackson-annotations 2.9.0