Block more JDK types from polymorphic deserialization (CVE 2017-15095) #1737
Comments
It would be really nice to have this for 2.7 as well, since 2.8 requires JDK 7 and a library I maintain which depends on jackson-databind supports JDK 6 (for a little while longer). I created #1857 to apply
@tolbertam Thanks. I'll keep this in mind -- there are occasionally other updates in this area. There is some cost for us to maintain older versions, but 2.7 is probably ok for simple blacklist additions.
As per the conversation, it looks like this "CVE 2017-15095" is not fixed in the 2.6.7.1 version. As mentioned, it is possible to backport to 2.6 as well; it would be really nice to have this for 2.6.
@poverma As a volunteer-based OSS project we do not have the resources to maintain a large number of backported versions; and since there is no revenue it is even counter-productive to do so. The more they are supported, the more users postpone upgrades. So at this point it is unlikely that the 2.6 version will get more fixes, at least for the polymorphic deserialization problem that only affects a certain group of users, and is not a general security issue.
Thanks cowtowncoder. We have tried jackson-databind version 2.9.4; for that we have to upgrade the Scala minor version to 11, but there is a dependency issue.
Problems with Scala version compatibility are unrelated, but you might want to upgrade to As to the conflict itself: that is something your build system (gradle?) would have to help with.
In which release is CVE-2017-15095 fixed for the jackson-databind 2.4.3 version?
@samawarad please read this link - CVE-2017-15095
Thanks for the quick reply. We have 3 vulnerabilities reported: CVE-2017-7525, CVE-2017-17485 and Can you please share pointers about the nearest minor version of jackson-databind where all 3 vulnerabilities are fixed?
Can you please read the CVEs? They contain the version numbers.
Locking this issue to prevent time wasting by individual developers. All information should be available; and if not, a new discussion should be created with links to whatever the asker has already found (we do have issues for CVEs; Mitre et al. have theirs).
(note: follow-up for #1599)
After the initial set of types was blocked, new reports have arrived asking for more black-listing.
Although the eventual approach is likely to rely on a separate module (for more timely updates and wider version coverage), at this point an addition in databind is needed.
I will update the specific list of additions once complete and the release is out. Target versions are 2.8.10 and 2.9.1 -- it is possible to backport to 2.7 and even 2.6, but there is diminishing return on effort with those versions, so it will not happen unless specifically requested (I'm happy to merge PRs).