[FOLIO-1685] Backend modules using RMB should update to fix jackson-databind security vulnerability

Created: 07/Jan/19 | Updated: 03/Jun/20 | Resolved: 14/Mar/19

| Status: | Closed |
| Project: | FOLIO |
| Components: | None |
| Affects versions: | None |
| Fix versions: | None |
| Type: | Umbrella |
| Priority: | P3 |
| Reporter: | Julian Ladisch |
| Assignee: | Unassigned |
| Resolution: | Done |
| Votes: | 0 |
| Labels: | core, platform-backlog, security, sprint54 |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original estimate: | Not Specified |
| Development Team: | Core: Platform |

Description
RMB has updated jackson-databind to version 2.9.8, fixing these security vulnerabilities:

RMB >= 23.3.1 and RMB 23.2.x >= 23.2.2 have the fix. Any module that uses RMB can update to a fixed RMB version (preferred) or manually update jackson-databind to 2.9.8.

This is the list of 2018-Q4 backend modules; the RMB version a module uses is given at the beginning of its line, and ------ indicates that it does not use RMB.

Core Modules 2018-Q4

External Modules 2018-Q4
Comments

Comment by Peter Murray [ 07/Jan/19 ]

Is the intent to update the modules using 2.8.x of jackson-databind to 2.9.x? If so, you may also want to link in
Comment by Julian Ladisch [ 08/Jan/19 ]

No, this issue is not for 2.8.x. RMB never used 2.8.x. RMB before v19.1.0 shipped jackson-databind 2.2.2. Modules with RMB >= 19.1.0 that have jackson-databind 2.8.x in their `<dependency>` section automatically get the 2.9.x version shipped with that RMB version. However, any module can explicitly override the version by using the `<dependencyManagement><dependencies>` section; this allows using a smaller version than shipped by RMB or other dependencies. Example: https://github.com/folio-org/mod-calendar/blob/v1.2.0/pom.xml#L123-L127
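The override mechanism described in the comment above is easy to miss in a review, because the pom still depends on a fixed RMB while the build actually resolves an older jackson-databind. The following is an added example (not FOLIO or RMB project code, and not the mod-calendar pom linked above) that parses a pom.xml and reports which jackson-databind version Maven will use, applying Maven's precedence: an explicit version on a direct `<dependency>` wins, then a `<dependencyManagement>` entry (which also overrides the transitive version RMB brings in), then the transitive version itself. It goes slightly beyond the comment by also resolving `${property}` references and comparing versions numerically. The two pom documents are constructed samples, the RMB coordinates `org.folio:domain-models-runtime` are assumed, and `2.9.6` is a constructed "older than the fix" value, not a version any FOLIO module is known to have pinned.

```python
"""Report the jackson-databind version a pom.xml will actually resolve.

Added example, not FOLIO / RMB project code. The poms below are constructed
samples; the RMB artifact coordinates (org.folio:domain-models-runtime) are
assumed. FIXED_VERSION is the 2.9.8 named in the issue.
"""
import re
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
FIXED_VERSION = "2.9.8"  # shipped by RMB >= 23.3.1 and 23.2.x >= 23.2.2 per the issue
GROUP_ID = "com.fasterxml.jackson.core"
ARTIFACT_ID = "jackson-databind"

# Constructed sample: depends on a fixed RMB but pins an older jackson-databind
# through <dependencyManagement>; the pin overrides what RMB ships transitively.
POM_OVERRIDES_DOWN = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <artifactId>mod-sample</artifactId>
  <version>1.0.0</version>
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>com.fasterxml.jackson.core</groupId>
        <artifactId>jackson-databind</artifactId>
        <version>2.9.6</version>
      </dependency>
    </dependencies>
  </dependencyManagement>
  <dependencies>
    <dependency>
      <groupId>org.folio</groupId>
      <artifactId>domain-models-runtime</artifactId>
      <version>23.3.1</version>
    </dependency>
  </dependencies>
</project>
"""

# Constructed sample: the "manually update jackson-databind to 2.9.8" route,
# with the version held in a property so it is stated once.
POM_PINNED_FIXED = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <artifactId>mod-sample</artifactId>
  <version>1.0.0</version>
  <properties>
    <jackson.version>2.9.8</jackson.version>
  </properties>
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>com.fasterxml.jackson.core</groupId>
        <artifactId>jackson-databind</artifactId>
        <version>${jackson.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>
  <dependencies>
    <dependency>
      <groupId>org.folio</groupId>
      <artifactId>domain-models-runtime</artifactId>
      <version>23.2.1</version>
    </dependency>
  </dependencies>
</project>
"""


def version_key(version):
    """'2.9.10' -> (2, 9, 10), so 2.9.10 sorts above 2.9.8 (string order would not)."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def _resolve(value, properties):
    """Expand ${name} references using the pom's <properties>; unknown names stay as-is."""
    if value is None:
        return None
    return re.sub(r"\$\{([^}]+)\}", lambda m: properties.get(m.group(1), m.group(0)), value)


def pinned_versions(pom_xml):
    """Versions stated for jackson-databind in <dependencyManagement> and in
    <dependencies> (None where the artifact is not listed there)."""
    root = ET.fromstring(pom_xml)
    properties = {child.tag.split("}")[-1]: (child.text or "").strip()
                  for child in root.findall("m:properties/*", NS)}
    paths = {"dependencyManagement": "m:dependencyManagement/m:dependencies/m:dependency",
             "dependencies": "m:dependencies/m:dependency"}
    found = {section: None for section in paths}
    for section, path in paths.items():
        for dep in root.findall(path, NS):
            if (dep.findtext("m:groupId", None, NS) == GROUP_ID
                    and dep.findtext("m:artifactId", None, NS) == ARTIFACT_ID):
                found[section] = _resolve(dep.findtext("m:version", None, NS), properties)
    return found


def effective_version(pom_xml, transitive_version):
    """Maven precedence: explicit version on a direct dependency, then the managed
    version, otherwise the version arriving transitively (here: what RMB ships)."""
    pins = pinned_versions(pom_xml)
    return pins["dependencies"] or pins["dependencyManagement"] or transitive_version


def audit(pom_xml, transitive_version=FIXED_VERSION):
    """(effective version, True if it is at or above FIXED_VERSION), assuming the
    module's RMB already ships `transitive_version`."""
    version = effective_version(pom_xml, transitive_version)
    return version, version_key(version) >= version_key(FIXED_VERSION)


if __name__ == "__main__":
    for name, pom in (("overrides-down", POM_OVERRIDES_DOWN), ("pinned-fixed", POM_PINNED_FIXED)):
        version, ok = audit(pom)
        print(f"{name}: jackson-databind {version} -> {'fixed' if ok else 'BELOW ' + FIXED_VERSION}")
```

The first sample is the case the comment warns about: the build log and the RMB version both look right, yet `audit()` reports 2.9.6. Running the same check over every module's pom is a cheap complement to GitHub's dependency alerts, which only see what is declared and can miss a managed version that is lowered deliberately.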
Comment by Peter Murray [ 08/Jan/19 ]

Okay, thanks for the explanation. I appreciate knowing the details.
Comment by Peter Murray [ 19/Feb/19 ]

Julian Ladisch I'm not sure how you generated the list in this issue's description, but can you do it again? The only `jackson-databind` issue remaining that I'm aware of is
Comment by Julian Ladisch [ 14/Mar/19 ]

Peter Murray I can redo the analysis on the folio-snapshot modules.
Comment by Peter Murray [ 14/Mar/19 ]

Julian Ladisch: Actually, I think this can be closed. GitHub is no longer reporting jackson-databind as a security issue. If you can confirm and close, that would be great.
Comment by Julian Ladisch [ 14/Mar/19 ]

I cannot confirm without checking the modules.
Comment by Peter Murray [ 14/Mar/19 ]

Ah, okay. I'm relatively confident that GitHub has found all of the jackson-databind vulnerabilities. There are other things I'm seeing with the snyk.io tool that I'm testing, but this isn't one of them. Closing.