
30.0.0 security fixes #5

Open. Wants to merge 5 commits into base: 30.0.0

Conversation

fabceolin
Description

This PR updates com.fasterxml.jackson and org.codehaus.jackson core libraries versions in the pom.xml file to address known vulnerabilities and improve the overall security of the project.

Updated Libraries

com.fasterxml.jackson: 2.12.7.20221012 -> 2.12.7.20240502
Addresses the following vulnerabilities:

  1. CVE-2022-42003: Potential denial of service vulnerability when UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled.
  2. CVE-2022-42004: Potential denial of service vulnerability in PropertyNamingStrategy.

org.codehaus.jackson: 1.9.13 -> 1.9.14.jdk17-redhat-00001
Addresses several known vulnerabilities, including:

  1. CVE-2019-10172: XML external entity (XXE) vulnerability.
  2. CVE-2019-10202: Remote code execution vulnerability.
  3. CVE-2017-7525: Deserialization vulnerability allowing remote code execution.
  4. CVE-2017-15095: Deserialization vulnerability allowing remote code execution.

Additionally, a new repository (Red Hat GA Repository) has been added to the pom.xml file to support org.codehaus.jackson library update.

Although this PR points to version 30.0.0 and the 30.0.0 CI workflow is not fully functional in our environment, I successfully tested the updated libraries by applying the same changes to the master branch.

Key changed/added classes in this PR
N/A (Only pom.xml was modified)

Release note
Updated com.fasterxml.jackson and org.codehaus.jackson libraries to address multiple security vulnerabilities, including potential denial of service and remote code execution vulnerabilities.

This PR has:

  • been self-reviewed.
  • added documentation for new or modified features or behaviors.
  • a release note entry in the PR description.
  • added Javadocs for most classes and all non-trivial methods. Linked related entities via Javadoc links.
  • added or updated version, license, or notice information in licenses.yaml.
  • added comments explaining the "why" and the intent of the code wherever it would not be obvious for an unfamiliar reader.
  • added unit tests or modified existing tests to cover new code paths, ensuring the threshold for code coverage is met.
  • added integration tests.
  • been tested in a test Druid cluster. (CI)
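A reviewer of a dependency-bump PR like this one usually wants a repeatable check that the pom.xml really carries the fixed versions, including when the version is hidden behind a Maven property. The script below is an added example and is not part of this PR or of the project's own build; it parses a pom.xml, resolves `${...}` property references, and flags Jackson coordinates whose version is below the minimums named in the PR description. The full Maven coordinates (`com.fasterxml.jackson.core:jackson-databind` and `org.codehaus.jackson:jackson-mapper-asl`) are assumptions, since the PR text names only the groupIds, and the two sample POMs are constructed for the example. The Red Hat GA repository addition is not covered here, and the version ordering is a simplification of Maven's that compares only the leading numeric components, which is enough for these particular bumps.

```python
import re
import xml.etree.ElementTree as ET

POM_NS = "{http://maven.apache.org/POM/4.0.0}"

# Minimum versions taken from the PR description. The artifactIds are
# assumptions: the PR text names only the two groupIds.
FIXED_VERSIONS = {
    ("com.fasterxml.jackson.core", "jackson-databind"): "2.12.7.20240502",
    ("org.codehaus.jackson", "jackson-mapper-asl"): "1.9.14.jdk17-redhat-00001",
}


def numeric_prefix(version):
    """Leading integer components, e.g. '1.9.14.jdk17-redhat-00001' -> [1, 9, 14].

    Qualifiers are ignored. This simplifies Maven's ordering but is sufficient
    when the fix is expressed as a higher numeric component, as in this PR.
    """
    nums = []
    for tok in re.split(r"[.\-]", version):
        if not tok.isdigit():
            break
        nums.append(int(tok))
    return nums


def version_at_least(actual, minimum):
    """True if the numeric prefix of `actual` is >= that of `minimum`."""
    a, m = numeric_prefix(actual), numeric_prefix(minimum)
    width = max(len(a), len(m))
    a += [0] * (width - len(a))
    m += [0] * (width - len(m))
    return a >= m


def resolve(version, properties):
    """Expand ${property} references against the POM's <properties> block.

    Unknown properties are left as-is; such a version then has no numeric
    prefix and is flagged, because it cannot be verified.
    """
    if version is None:
        return None

    def repl(match):
        return properties.get(match.group(1), match.group(0))

    return re.sub(r"\$\{([^}]+)\}", repl, version).strip()


def find_outdated(pom_xml):
    """Return (groupId, artifactId, actual, required) for every dependency
    below the minimum version in FIXED_VERSIONS."""
    root = ET.fromstring(pom_xml)
    props = {}
    for block in root.iter(POM_NS + "properties"):
        for prop in block:
            props[prop.tag.replace(POM_NS, "")] = (prop.text or "").strip()
    outdated = []
    for dep in root.iter(POM_NS + "dependency"):
        gid = dep.findtext(POM_NS + "groupId")
        aid = dep.findtext(POM_NS + "artifactId")
        ver = resolve(dep.findtext(POM_NS + "version"), props)
        required = FIXED_VERSIONS.get((gid, aid))
        if required is None or ver is None:
            continue  # not a coordinate we track, or version managed elsewhere
        if not version_at_least(ver, required):
            outdated.append((gid, aid, ver, required))
    return outdated


# Constructed sample POM with the pre-PR versions; one of them goes through a property.
BEFORE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <properties>
    <jackson.version>2.12.7.20221012</jackson.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>com.fasterxml.jackson.core</groupId>
      <artifactId>jackson-databind</artifactId>
      <version>${jackson.version}</version>
    </dependency>
    <dependency>
      <groupId>org.codehaus.jackson</groupId>
      <artifactId>jackson-mapper-asl</artifactId>
      <version>1.9.13</version>
    </dependency>
  </dependencies>
</project>
"""

# The same POM after applying the version bumps described in the PR.
AFTER_POM = (BEFORE_POM
             .replace("2.12.7.20221012", "2.12.7.20240502")
             .replace("1.9.13", "1.9.14.jdk17-redhat-00001"))

if __name__ == "__main__":
    for label, pom in (("before", BEFORE_POM), ("after", AFTER_POM)):
        print(label, find_outdated(pom))
```

Running the block prints two flagged coordinates for the "before" POM and an empty list for the "after" POM. Pointing `find_outdated` at a real pom.xml only checks direct declarations; transitive Jackson dependencies pulled in by other artifacts need `mvn dependency:tree` or the project's dependency-check tooling.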

1 participant