Apache/druid
1
0
Fork 0
mirror of https://github.com/apache/druid.git synced 2025-02-20 00:47:40 +00:00
Code Issues Packages Projects Releases Wiki Activity

Upgrade Jackson and Google GSON to address CVEs (#15461)

Browse Source 
Upgrade Jackson to version 2.12.7.1 to address CVE-2022-42003, CVE-2022-42004 which affects jackson-databind.
Upgrade com.google.code.gson:gson from 2.2.4 to the latest version (2.10.1) since 2.2.4 is affected by CVE-2022-25647.
This commit is contained in:
Keerthana Srikanth 2023-11-30 15:31:26 +05:30 committed by GitHub
parent 8ddb847658
commit 7467d2c00d
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 4 additions and 20 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
licenses.yaml
View File

@ -289,7 +289,7 @@ name: Jackson
license_category: binary license_category: binary
module: java-core module: java-core
license_name: Apache License version 2.0 license_name: Apache License version 2.0
version: 2.12.7 version: 2.12.7.1
libraries: libraries:
- com.fasterxml.jackson.core: jackson-databind - com.fasterxml.jackson.core: jackson-databind
notice: | notice: |
@ -2500,7 +2500,7 @@ name: Gson
license_category: binary license_category: binary
module: hadoop-client module: hadoop-client
license_name: Apache License version 2.0 license_name: Apache License version 2.0
version: 2.2.4 version: 2.10.1
libraries: libraries:
- com.google.code.gson: gson - com.google.code.gson: gson

16
owasp-dependency-check-suppressions.xml
View File

@ -71,22 +71,6 @@
<cve>CVE-2022-45688</cve> <cve>CVE-2022-45688</cve>
</suppress> </suppress>
<suppress>
<!--
the suppressions here aren't currently applicable, but can be resolved once we update the version
-->
<notes><![CDATA[
file name: jackson-databind-2.10.5.1.jar
]]></notes>
<packageUrl regex="true">^pkg:maven/com\.fasterxml\.jackson\.core/jackson\-databind@.*$</packageUrl>
<!-- CVE-2022-42003 and CVE-2022-42004 are related to UNWRAP_SINGLE_VALUE_ARRAYS which we do not use
https://nvd.nist.gov/vuln/detail/CVE-2022-42003
https://nvd.nist.gov/vuln/detail/CVE-2022-42004
-->
<cve>CVE-2022-42003</cve>
<cve>CVE-2022-42004</cve>
</suppress>
<suppress> <suppress>
<!-- Pulled in by io.kubernetes:client-java and kafka_2.13 but not fixed in either place yet --> <!-- Pulled in by io.kubernetes:client-java and kafka_2.13 but not fixed in either place yet -->
<!-- jose4j before v0.9.3 allows attackers to set a low iteration count of 1000 or less --> <!-- jose4j before v0.9.3 allows attackers to set a low iteration count of 1000 or less -->

4
pom.xml
View File

@ -78,7 +78,7 @@
<apache.curator.version>5.5.0</apache.curator.version> <apache.curator.version>5.5.0</apache.curator.version>
<apache.kafka.version>3.6.0</apache.kafka.version> <apache.kafka.version>3.6.0</apache.kafka.version>
<apache.ranger.version>2.4.0</apache.ranger.version> <apache.ranger.version>2.4.0</apache.ranger.version>
<apache.ranger.gson.version>2.2.4</apache.ranger.gson.version> <apache.ranger.gson.version>2.10.1</apache.ranger.gson.version>
<scala.library.version>2.13.11</scala.library.version> <scala.library.version>2.13.11</scala.library.version>
<avatica.version>1.23.0</avatica.version> <avatica.version>1.23.0</avatica.version>
<avro.version>1.11.3</avro.version> <avro.version>1.11.3</avro.version>
@ -98,7 +98,7 @@
<hamcrest.version>1.3</hamcrest.version> <hamcrest.version>1.3</hamcrest.version>
<jetty.version>9.4.53.v20231009</jetty.version> <jetty.version>9.4.53.v20231009</jetty.version>
<jersey.version>1.19.4</jersey.version> <jersey.version>1.19.4</jersey.version>
<jackson.version>2.12.7</jackson.version> <jackson.version>2.12.7.20221012</jackson.version>
<codehaus.jackson.version>1.9.13</codehaus.jackson.version> <codehaus.jackson.version>1.9.13</codehaus.jackson.version>
<log4j.version>2.18.0</log4j.version> <log4j.version>2.18.0</log4j.version>
<mysql.version>5.1.49</mysql.version> <mysql.version>5.1.49</mysql.version>