<rss version="0.92" >
<channel>
    <title>FOLIO Jira</title>
    <link>https://folio-org.atlassian.net</link>
    <description>This file is an XML representation of an issue</description>
    <language>en-us</language>    <build-info>
        <version>1001.0.0-SNAPSHOT</version>
        <build-number>100246</build-number>
        <build-date>07-02-2024</build-date>
    </build-info>

<item>
            <title>[FOLIO-1685] Backend modules using RMB should update to fix jackson-databind security vulnerability</title>
                <link>https://folio-org.atlassian.net/browse/FOLIO-1685</link>
                <project id="10290" key="FOLIO">FOLIO</project>
                    <description>&lt;p&gt;RMB has updated jackson-databind to version 2.9.8, fixing these security vulnerabilities:&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;&lt;a href=&quot;https://nvd.nist.gov/vuln/detail/CVE-2018-19360&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://nvd.nist.gov/vuln/detail/CVE-2018-19360&lt;/a&gt;&lt;/li&gt;
	&lt;li&gt;&lt;a href=&quot;https://nvd.nist.gov/vuln/detail/CVE-2018-19361&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://nvd.nist.gov/vuln/detail/CVE-2018-19361&lt;/a&gt;&lt;/li&gt;
	&lt;li&gt;&lt;a href=&quot;https://nvd.nist.gov/vuln/detail/CVE-2018-19362&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://nvd.nist.gov/vuln/detail/CVE-2018-19362&lt;/a&gt;&lt;/li&gt;
	&lt;li&gt;&lt;a href=&quot;https://nvd.nist.gov/vuln/detail/CVE-2018-1000873&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://nvd.nist.gov/vuln/detail/CVE-2018-1000873&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;


&lt;p&gt;RMB &amp;gt;= 23.3.1 and RMB 23.2.x &amp;gt;= 23.2.2 have the fix.&lt;/p&gt;

&lt;p&gt;Any module that uses RMB can update to a fixed RMB version (preferred) or manually update jackson-databind to 2.9.8.&lt;/p&gt;

&lt;p&gt;This is the list of 2018-Q4 backend modules; each line begins with the RMB version the module uses. ------ indicates that the module does not use RMB.&lt;/p&gt;

&lt;p&gt;Core Modules 2018-Q4&lt;br/&gt;
RMB ------ mod-authtoken 2.0.3&lt;br/&gt;
RMB 23.1.0 mod-circulation 14.1.0&lt;br/&gt;
RMB 23.1.0 mod-circulation-storage 6.2.0&lt;br/&gt;
RMB 23.2.1 mod-codex-inventory 1.4.0&lt;br/&gt;
RMB 23.2.1 mod-codex-mux 2.3.0&lt;br/&gt;
RMB 21.0.3 mod-configuration 5.0.1&lt;br/&gt;
RMB 23.0.0 mod-feesfines 15.1.0&lt;br/&gt;
RMB ------ mod-inventory 11.0.0&lt;br/&gt;
RMB 23.1.0 mod-inventory-storage 14.0.0&lt;br/&gt;
RMB 23.0.0 mod-login 4.6.0&lt;br/&gt;
RMB 23.2.1 mod-notes 2.2.0&lt;br/&gt;
RMB 23.3.0 mod-notify 2.1.0&lt;br/&gt;
RMB 21.0.4 mod-permissions 5.4.0&lt;br/&gt;
RMB 23.2.1 mod-tags 0.2.0&lt;br/&gt;
RMB 21.0.4 mod-template-engine 1.0.1&lt;br/&gt;
RMB 23.0.0 mod-users 15.3.0&lt;br/&gt;
RMB 23.2.1 mod-users-bl 4.3.2&lt;/p&gt;

&lt;p&gt;External Modules 2018-Q4&lt;br/&gt;
RMB ------ mod-agreements 1.0.2&lt;br/&gt;
RMB 23.2.1 mod-audit 0.0.3&lt;br/&gt;
RMB ------ mod-audit-filter 0.0.4&lt;br/&gt;
RMB 23.2.1 mod-calendar 1.2.0 (jackson-databind 2.8.11.1)&lt;br/&gt;
RMB 19.0.0 mod-marccat 1.2.0&lt;br/&gt;
RMB 21.0.4 mod-codex-ekb 1.1.0&lt;br/&gt;
RMB ?????? mod-credits not on &lt;a href=&quot;https://github.com/folio-org&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://github.com/folio-org&lt;/a&gt;&lt;br/&gt;
RMB 23.0.0 mod-data-import 1.0.0&lt;br/&gt;
RMB 21.0.3 mod-email 1.0.0&lt;br/&gt;
RMB 23.1.0 mod-erm-usage   1.0.0&lt;br/&gt;
RMB 23.1.0 mod-erm-usage-harvester 1.0.0&lt;br/&gt;
RMB 23.0.0 mod-event-config 1.0.0&lt;br/&gt;
RMB 19.0.0 mod-finance-storage 1.0.1&lt;br/&gt;
RMB 19.1.5 mod-gobi 1.0.1&lt;br/&gt;
RMB ------ mod-kb-ebsco 1.1.0&lt;br/&gt;
RMB 23.2.0 mod-kb-ebsco-java no versioning&lt;br/&gt;
RMB ------ mod-licenses 1.0.2&lt;br/&gt;
RMB 15.0.2 mod-login-saml 1.2.1 (jackson.version 2.9.7)&lt;br/&gt;
RMB 23.1.0 mod-oai-pmh 1.0.1&lt;br/&gt;
RMB 23.2.1 mod-orders 1.0.2&lt;br/&gt;
RMB 23.1.0 mod-orders-storage 1.0.2&lt;br/&gt;
RMB 19.1.3 mod-patron 1.2.0&lt;br/&gt;
RMB 19.1.3 mod-rtac 1.2.1&lt;br/&gt;
RMB 21.0.4 mod-sender 1.0.0&lt;br/&gt;
RMB 21.0.3 mod-source-record-manager 0.1.0&lt;br/&gt;
RMB 23.0.0 mod-source-record-storage 1.0.0&lt;br/&gt;
RMB 17.0.0 mod-user-import 3.1.0&lt;br/&gt;
RMB 19.0.0 mod-vendors 1.0.3&lt;/p&gt;</description>
                <environment></environment>
        <key id="80977">FOLIO-1685</key>
            <summary>Backend modules using RMB should update to fix jackson-databind security vulnerability</summary>
                <type id="10006" iconUrl="https://folio-org.atlassian.net/rest/api/2/universal_avatar/view/type/issuetype/avatar/10307?size=medium">Umbrella</type>
                                            <priority id="10002" iconUrl="https://dev.folio.org/assets/jira-priority/jira-p3.svg">P3</priority>
                        <status id="6" iconUrl="https://folio-org.atlassian.net/images/icons/statuses/closed.png" description="The issue is considered finished, the resolution is correct. Issues which are closed can be reopened.">Closed</status>
                    <statusCategory id="3" key="done" colorName="green"/>
                                    <resolution id="10003">Done</resolution>
                                                        <assignee accountid="-1">Unassigned</assignee>
                                                                <reporter accountid="5ee89462f7aa140abd82d11d">Julian Ladisch</reporter>
                                    <labels>
                            <label>core</label>
                            <label>platform-backlog</label>
                            <label>security</label>
                            <label>sprint54</label>
                    </labels>
                <created>Mon, 7 Jan 2019 17:28:42 +0000</created>
                <updated>Wed, 3 Jun 2020 16:39:21 +0000</updated>
                            <resolved>Thu, 14 Mar 2019 21:36:46 +0000</resolved>
                                                                        <due></due>
                            <votes>0</votes>
                                    <watches>5</watches>
                                                                <comments>
                                                            <comment id="193571" author="5ced27478b03050f27825a93" created="Mon, 7 Jan 2019 19:57:07 +0000"  >&lt;p&gt;Is the intent to update the modules using 2.8.x of jackson-databind to 2.9.x?  If so, you may also want to link in 
    &lt;span class=&quot;jira-issue-macro resolved&quot; data-jira-key=&quot;FOLIO-1683&quot; &gt;
                &lt;a href=&quot;https://folio-org.atlassian.net/browse/FOLIO-1683&quot; class=&quot;jira-issue-macro-key issue-link&quot;  title=&quot;Security vulnerability reported in jackson-databind &amp;gt;= 2.8.0, &amp;lt; 2.8.11.3&quot; &gt;
            &lt;img class=&quot;icon&quot; src=&quot;https://folio-org.atlassian.net/rest/api/2/universal_avatar/view/type/issuetype/avatar/10307?size=medium&quot; /&gt;
            FOLIO-1683
        &lt;/a&gt;
                                                    &lt;span class=&quot;aui-lozenge aui-lozenge-subtle aui-lozenge-success jira-macro-single-issue-export-pdf&quot;&gt;Closed&lt;/span&gt;
            &lt;/span&gt;
.&lt;/p&gt;</comment>
                                                            <comment id="193575" author="5ee89462f7aa140abd82d11d" created="Tue, 8 Jan 2019 08:33:56 +0000"  >&lt;p&gt;No, this issue is not for 2.8.x. RMB never used 2.8.x.&lt;/p&gt;

&lt;p&gt;RMB before v19.1.0 shipped jackson-databind 2.2.2.&lt;br/&gt;
RMB since v19.1.0 ships jackson-databind 2.9.x.&lt;br/&gt;
&lt;a href=&quot;https://github.com/folio-org/raml-module-builder/pull/183/commits/22995fa64c16c799e57a80d228306b644dbfc577&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://github.com/folio-org/raml-module-builder/pull/183/commits/22995fa64c16c799e57a80d228306b644dbfc577&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Modules with RMB &amp;gt;= 19.1.0 that have jackson-databind 2.8.x in their &amp;lt;dependency&amp;gt; section automatically get the 2.9.x version shipped with that RMB version.&lt;br/&gt;
Modules with RMB &amp;lt; 19.1.0 that have jackson-databind 2.8.x in their &amp;lt;dependency&amp;gt; section use the 2.8.x version.&lt;/p&gt;

&lt;p&gt;However, any module can explicitly override the version by using the &amp;lt;dependencyManagement&amp;gt;&amp;lt;dependencies&amp;gt; section; this makes it possible to use a lower version than the one shipped by RMB or other dependencies. Example: &lt;a href=&quot;https://github.com/folio-org/mod-calendar/blob/v1.2.0/pom.xml#L123-L127&quot; class=&quot;external-link&quot; rel=&quot;nofollow noreferrer&quot;&gt;https://github.com/folio-org/mod-calendar/blob/v1.2.0/pom.xml#L123-L127&lt;/a&gt;&lt;/p&gt;</comment>
                                                            <comment id="193579" author="5ced27478b03050f27825a93" created="Tue, 8 Jan 2019 19:55:09 +0000"  >&lt;p&gt;Okay, thanks for the explanation.  I appreciate knowing the details.&lt;/p&gt;</comment>
                                                            <comment id="193582" author="5ced27478b03050f27825a93" created="Tue, 19 Feb 2019 20:29:24 +0000"  >&lt;p&gt;&lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=5ee89462f7aa140abd82d11d&quot; class=&quot;user-hover&quot; rel=&quot;5ee89462f7aa140abd82d11d&quot; data-account-id=&quot;5ee89462f7aa140abd82d11d&quot; accountid=&quot;5ee89462f7aa140abd82d11d&quot; rel=&quot;noreferrer&quot;&gt;Julian Ladisch&lt;/a&gt; I&apos;m not sure how you generated the list in this issue&apos;s description, but can you do it again?  The only `jackson-databind` issue remaining that I&apos;m aware of is 
    &lt;span class=&quot;jira-issue-macro resolved&quot; data-jira-key=&quot;MODLOGSAML-39&quot; &gt;
                &lt;a href=&quot;https://folio-org.atlassian.net/browse/MODLOGSAML-39&quot; class=&quot;jira-issue-macro-key issue-link&quot;  title=&quot;Fix security vulnerabilities reported in jackson-databind &amp;gt;= 2.9.0, &amp;lt; 2.9.8&quot; &gt;
            &lt;img class=&quot;icon&quot; src=&quot;https://folio-org.atlassian.net/rest/api/2/universal_avatar/view/type/issuetype/avatar/10303?size=medium&quot; /&gt;
            MODLOGSAML-39
        &lt;/a&gt;
                                                    &lt;span class=&quot;aui-lozenge aui-lozenge-subtle aui-lozenge-success jira-macro-single-issue-export-pdf&quot;&gt;Closed&lt;/span&gt;
            &lt;/span&gt;
, and I want to confirm that is true.&lt;/p&gt;</comment>
                                                            <comment id="193585" author="5ee89462f7aa140abd82d11d" created="Thu, 14 Mar 2019 18:59:20 +0000"  >&lt;p&gt;&lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=5ced27478b03050f27825a93&quot; class=&quot;user-hover&quot; rel=&quot;5ced27478b03050f27825a93&quot; data-account-id=&quot;5ced27478b03050f27825a93&quot; accountid=&quot;5ced27478b03050f27825a93&quot; rel=&quot;noreferrer&quot;&gt;Peter Murray&lt;/a&gt; I can redo the analysis on the folio-snapshot modules.&lt;/p&gt;</comment>
                                                            <comment id="193588" author="5ced27478b03050f27825a93" created="Thu, 14 Mar 2019 19:06:49 +0000"  >&lt;p&gt;&lt;a href=&quot;https://folio-org.atlassian.net/secure/ViewProfile.jspa?accountId=5ee89462f7aa140abd82d11d&quot; class=&quot;user-hover&quot; rel=&quot;5ee89462f7aa140abd82d11d&quot; data-account-id=&quot;5ee89462f7aa140abd82d11d&quot; accountid=&quot;5ee89462f7aa140abd82d11d&quot; rel=&quot;noreferrer&quot;&gt;Julian Ladisch&lt;/a&gt;: Actually, I think this can be closed.  GitHub is no longer reporting &lt;b&gt;jackson-databind&lt;/b&gt; as a security issue.  If you can confirm and close, that would be great.&lt;/p&gt;</comment>
                                                            <comment id="193591" author="5ee89462f7aa140abd82d11d" created="Thu, 14 Mar 2019 21:12:09 +0000"  >&lt;p&gt;I cannot confirm without checking the modules.&lt;br/&gt;
If you want me to redo the check (similar to the one I did before) the core-platform scrum master/product owner needs to assign this jira to me for some sprint so that I can spend some time on it.&lt;/p&gt;</comment>
                                                            <comment id="193594" author="5ced27478b03050f27825a93" created="Thu, 14 Mar 2019 21:36:46 +0000"  >&lt;p&gt;Ah, okay.  I&apos;m relatively confident that GitHub has found all of the jackson-databind vulnerabilities.  There are other things I&apos;m seeing with the snyk.io tool that I&apos;m testing, but this isn&apos;t one of them.  Closing.&lt;/p&gt;</comment>
                    </comments>
                <issuelinks>
                            <issuelinktype id="10000">
                    <name>Blocks</name>
                                            <outwardlinks description="blocks">
                                        <issuelink>
            <issuekey id="80975">FOLIO-1682</issuekey>
        </issuelink>
                            </outwardlinks>
                                                                <inwardlinks description="is blocked by">
                                        <issuelink>
            <issuekey id="57002">RMB-315</issuekey>
        </issuelink>
                            </inwardlinks>
                                    </issuelinktype>
                    </issuelinks>
                <attachments>
                    </attachments>
                <subtasks>
                    </subtasks>
                <customfields>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    <customfield id="customfield_10000" key="com.atlassian.jira.plugins.jira-development-integration-plugin:devsummarycf">
                        <customfieldname>Development</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10057" key="com.atlassian.jira.plugin.system.customfieldtypes:select">
                        <customfieldname>Development Team</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="10144"><![CDATA[Core: Platform]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        <customfield id="customfield_10019" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>0|hzzamv:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    <customfield id="customfield_10020" key="com.pyxis.greenhopper.jira:gh-sprint">
                        <customfieldname>Sprint</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        <customfield id="customfield_10024" key="com.atlassian.jira.ext.charting:firstresponsedate">
                        <customfieldname>[CHART] Date of First Response</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>Mon, 7 Jan 2019 19:57:07 +0000</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10025" key="com.atlassian.jira.ext.charting:timeinstatus">
                        <customfieldname>[CHART] Time in Status</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                    </customfields>
    </item>
</channel>
</rss>