Upgrade jackson-databind to 2.9.x for vulnerability issue #319
Comments
That ticket shows that the patch was rolled out to the 2.8.x, 2.7.x, and 2.6.x lines of development. I am running Jongo with the 2.8.x line. You should just be able to update your Jackson dependency.
@ctrimble is right.
True. But irrespective of whether upgrading to 2.9.x is necessary, Jongo does prevent doing so, it seems:
I haven't checked myself whether it'd be hard to fix this in a backwards-compatible manner; just to point out that this ticket has merit.
@Stephan202 I agree that 2.9.x support needs to be added at some point, but this ticket should stay focused on providing an immediate way to resolve this vulnerability. A different ticket should be opened about supporting 2.9.x.
Actually, I forgot that my very own colleague @philleonard fixed that issue in PR #312. Maybe we can have a release with that? :D
Thanks @Stephan202 @ctrimble and @bguerout for the super quick response. You are right, we can use 2.8.10 to close the security issue.
Closing this as we can specify the newest jackson-databind in our project to fix the problem. I think you should consider releasing a 1.3.1 with a patched version of jackson-databind anyway to help secure projects using your library.
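A worked example of the workaround the comments above describe: pinning the transitive jackson-databind version from the consuming project's own pom.xml so that the patched release wins over whatever Jongo pulls in. This is an added illustration, not code from the Jongo project or from any participant in this thread. The Jackson version 2.8.10 is the one named in the thread; the Jongo coordinate org.jongo:jongo and the version 1.3.0 are assumed for the example.

```xml
<!-- Added example (not from the Jongo project). Assumed consuming-project pom.xml. -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>          <!-- placeholder -->
  <artifactId>jongo-consumer</artifactId> <!-- placeholder -->
  <version>1.0.0</version>

  <properties>
    <!-- Patched 2.8.x release named in the thread; Maven resolves the
         transitive jackson-databind brought in by Jongo to this version. -->
    <jackson.version>2.8.10</jackson.version>
  </properties>

  <dependencyManagement>
    <dependencies>
      <!-- dependencyManagement overrides the version of a transitive
           dependency without making it a direct one. -->
      <dependency>
        <groupId>com.fasterxml.jackson.core</groupId>
        <artifactId>jackson-databind</artifactId>
        <version>${jackson.version}</version>
      </dependency>
      <dependency>
        <groupId>com.fasterxml.jackson.core</groupId>
        <artifactId>jackson-core</artifactId>
        <version>${jackson.version}</version>
      </dependency>
      <dependency>
        <groupId>com.fasterxml.jackson.core</groupId>
        <artifactId>jackson-annotations</artifactId>
        <version>${jackson.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <dependency>
      <groupId>org.jongo</groupId>   <!-- assumed coordinate -->
      <artifactId>jongo</artifactId>
      <version>1.3.0</version>       <!-- assumed pre-1.3.1 release -->
    </dependency>
  </dependencies>
</project>
```

Pinning all three jackson-core artifacts to the same version avoids a mixed 2.7/2.8 classpath. To confirm which version actually ends up on the classpath, run `mvn dependency:tree -Dincludes=com.fasterxml.jackson.core:jackson-databind` and check that the resolved version is 2.8.10 rather than the one Jongo declares.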
Hi, why is there no 1.3.1 release yet? We updated to Jackson 2.9.2 and we are not able to use Jongo anymore. I know there is a version 1.4 pending but no release in the Maven repository. Can you provide a workaround? Thanks in advance.
Hello, you can find the release plan in the milestone section of the project https://github.com/bguerout/jongo/milestones. To sum up,
Hello, 1.3.1 and 1.4.0 have been released. 1.3.1: Jackson fixAccess(true) and Jackson update to 2.7.9. You can find more information here: https://github.com/bguerout/jongo/releases
jackson-databind prior to 2.9.1 has a serious remote execution bug. See FasterXML/jackson-databind#1723
We are using jongo in production and will be forced to remove it if we don't get a patched version of it soon. Is there an ETA for a new release of jongo with a newer version of jackson-databind?