Conversation

joschi
Contributor

@joschi joschi commented Jun 29, 2020

Context

Jackson 2.9.x had and still gets a lot of CVEs because of how it handles deserialization of polymorphic types.

This has been fixed in Jackson 2.10.x and 2.11.x, so upgrading will save this project from (unnecessary) security alerts.

Additionally, explicitly block unsafe polymorphic base types with Jackson, just in case. 😉

Refs #489
Closes #500
Refs #501

Contributor Checklist

  • Ensured that tests pass locally: mvn clean package
  • Ensured that the code meets the current checkstyle coding style definition: mvn clean verify -Pcheckstyle -Dmaven.test.skip=true -B
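As an added illustration of the second point (this is not code from this PR or from the git-commit-id plugin), the snippet below shows what "explicitly restricting polymorphic base/sub types" looks like on Jackson 2.10+: a mapper-level `PolymorphicTypeValidator` that only resolves `@class` type ids under an allow-listed package, so a type id naming any other class is refused before the object is instantiated. The package `com.example.model`, the `Envelope` and `Note` classes and both input documents are constructed for the example.

```java
package com.example.model;  // constructed package; the allow-list below keys on this prefix

import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.json.JsonMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class SafePolymorphicTyping {

    /** Constructed document type with a polymorphic field typed by class name. */
    public static class Envelope {
        // Id.CLASS on an Object-typed property is the shape the 2.9.x CVEs abused:
        // the "@class" value in the input decides which class gets instantiated.
        @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS)
        public Object payload;
    }

    /** The only payload type this (hypothetical) application actually expects. */
    public static class Note {
        public String text;
    }

    /** Builds a mapper whose type-id resolution is restricted to our own model package. */
    public static ObjectMapper safeMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                // Accept a "@class" value only if the named class lives under this prefix.
                .allowIfSubType("com.example.model.")
                .build();
        // Since 2.10 the validator is a mapper-level setting; it applies to
        // @JsonTypeInfo-annotated properties as well as to default typing.
        return JsonMapper.builder()
                .polymorphicTypeValidator(ptv)
                .build();
    }

    /** Returns true if the mapper accepted the document, false if the validator rejected it. */
    public static boolean accepts(ObjectMapper mapper, String json) {
        try {
            mapper.readValue(json, Envelope.class);
            return true;
        } catch (JsonMappingException e) {
            // The denial surfaces as an InvalidTypeIdException (a JsonMappingException)
            // whose message names the refused type id.
            System.out.println("rejected: " + e.getOriginalMessage());
            return false;
        } catch (java.io.IOException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = safeMapper();

        // Legitimate round trip: the type id names a class under the allowed prefix.
        Envelope env = new Envelope();
        Note note = new Note();
        note.text = "build metadata";
        env.payload = note;
        String json = mapper.writeValueAsString(env);
        System.out.println(json);
        System.out.println("accepted: " + accepts(mapper, json));

        // Constructed untrusted input: the type id names a JDK class outside the allow-list.
        // The validator refuses it while resolving the type id, before any instance is built.
        String untrusted = "{\"payload\":{\"@class\":\"java.util.HashMap\",\"k\":\"v\"}}";
        System.out.println("accepted: " + accepts(mapper, untrusted));
    }
}
```

The first `accepts` call succeeds and the second is rejected. Two related knobs on the same builder are worth knowing: `denyForExactBaseType(Object.class)` refuses polymorphic deserialization for an `Object`-typed property outright instead of validating ids one by one (the "block unsafe base types" approach), and, since 2.10, `activateDefaultTyping(ptv, ...)` makes a validator mandatory whenever default typing is turned on, replacing reliance on Jackson's class-name blocklist with an explicit allow-list.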

joschi added 2 commits June 29, 2020 10:40
Jackson 2.9.x had and still gets a lot of CVEs because of how it handles
deserialization of polymorphic types.

This has been fixed in Jackson 2.10.x and 2.11.x, so upgrading will save
this project from (unnecessary) security alerts.

* https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062
* https://medium.com/@cowtowncoder/jackson-2-10-safe-default-typing-2d018f0ce2ba
@TheSnoozer
Collaborator

Thanks! Looks better than the one from #500. I certainly need more time to decide for https://github.com/git-commit-id/git-commit-id-maven-plugin/pull/501... so let me go ahead and merge already.

@TheSnoozer TheSnoozer merged commit 65250ba into git-commit-id:master Jul 5, 2020
@TheSnoozer TheSnoozer added this to the 4.0.1 milestone Jul 5, 2020
@TheSnoozer TheSnoozer added the dependencies Pull requests that update a dependency file label Jul 5, 2020
@joschi joschi deleted the jackson-2.11 branch July 5, 2020 18:28