
Update com.fasterxml.jackson version to 2.8.11 #259

Merged
merged 1 commit into from
Feb 9, 2018

Conversation

haus
Contributor

@haus haus commented Jan 2, 2018

com.fasterxml.jackson had a security vulnerability labeled CVE-2017-15095. It was addressed in com.fasterxml.jackson versions 2.8.10 and 2.9.1 and later. This commit updates the logback encoder plugin to the latest 2.8.x version of com.fasterxml.jackson to address that.

@haus
Contributor Author

haus commented Jan 2, 2018

@justinstoller

Is there a reason not to address the CVE in this dependency?

It seems like a trivial fix (famous last words, I know) but I think we'd be happy to help if it causes regressions or there are specific tests you'd like run.

@msymons
Contributor

msymons commented Jan 19, 2018

This PR (updating jackson version to 2.8.11) is definitely a jackson-related security fix but should be thought of more as a solution to:

FasterXML/jackson-databind/issues/1737
FasterXML/jackson-databind/issues/1680

...which were released in jackson version 2.8.10.

CVE-2017-7525 was almost certainly fixed for logstash in #231 (which updated jackson version to 2.8.9), although it takes digging through the comments (and links from comments) on:

FasterXML/jackson-databind#1723

...to show this, e.g. "Closed as duplicate of #1737".

com.fasterxml.jackson had a security vulnerability labeled CVE-2017-15095. It was addressed in com.fasterxml.jackson versions 2.8.10 and 2.9.1 and later. This commit updates the logback encoder plugin to the latest 2.8.x version of com.fasterxml.jackson to address that.
@haus
Contributor Author

haus commented Jan 19, 2018

@msymons Updated the commit message. Does that look better?

@msymons
Contributor

msymons commented Jan 23, 2018

Updated commit message looks great.

Apologies for the delay in responding.

@philsttr philsttr merged commit b7b7634 into logfellow:master Feb 9, 2018
@philsttr
Collaborator

philsttr commented Feb 9, 2018

Thanks for the contribution!

For the record, logstash-logback-encoder doesn't do any deserialization of log events, so it wouldn't be affected by any deserialization security issues in jackson.

And you can always use dependencyManagement to force a specific jackson version in your application.

However, having said that, it's always good to keep up with the latest versions to keep those automated security scanners happy. ;)
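As an added example (not part of this PR or the project's own build files): a Maven pom.xml fragment for an application that depends on logstash-logback-encoder and uses dependencyManagement, as philsttr suggests, to force Jackson 2.8.11 regardless of what the encoder's own pom declares. The `logstash-logback-encoder.version` property is a placeholder for whatever release the application uses.

```xml
<!-- Added example, not from the project: application pom.xml fragment that pins
     Jackson 2.8.11 (the 2.8.x version this PR moves to) for all transitive uses. -->
<project>
  <properties>
    <!-- version this PR adopts; 2.8.10+ carries the CVE-2017-15095 fix -->
    <jackson.version>2.8.11</jackson.version>
    <!-- placeholder: set to the logstash-logback-encoder release you use -->
    <logstash-logback-encoder.version>PLACEHOLDER</logstash-logback-encoder.version>
  </properties>

  <dependencyManagement>
    <dependencies>
      <!-- Managed versions override versions pulled in transitively -->
      <dependency>
        <groupId>com.fasterxml.jackson.core</groupId>
        <artifactId>jackson-databind</artifactId>
        <version>${jackson.version}</version>
      </dependency>
      <dependency>
        <groupId>com.fasterxml.jackson.core</groupId>
        <artifactId>jackson-core</artifactId>
        <version>${jackson.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- The encoder itself; its declared Jackson version is now overridden above -->
    <dependency>
      <groupId>net.logstash.logback</groupId>
      <artifactId>logstash-logback-encoder</artifactId>
      <version>${logstash-logback-encoder.version}</version>
    </dependency>
  </dependencies>
</project>
```

To confirm the pin took effect, `mvn dependency:tree -Dincludes=com.fasterxml.jackson.core` should list only 2.8.11 for the Jackson core artifacts.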

@philsttr philsttr added this to the 5.0 milestone Feb 19, 2018