Security - CVE-2017-17485 & CVE-2018-5968 on Jackson dependency #327

Closed
cdanger opened this issue Feb 16, 2018 · 3 comments

cdanger commented Feb 16, 2018

Hello,
running OWASP dependency-check on a project using jongo will cause the error below because jongo uses a version of jackson-databind affected by CVE-2017-17485 & CVE-2018-5968.

[ERROR] Failed to execute goal org.owasp:dependency-check-maven:3.0.2:check (default) on project authzforce-ce-core-pdp-testutils: 
[ERROR] 
[ERROR] One or more dependencies were identified with vulnerabilities: 
[ERROR] 
[ERROR] jackson-databind-2.7.3.jar: CVE-2017-17485, CVE-2018-5968

cdanger commented Feb 16, 2018

see the mentioned pull request for the fix

cdanger added a commit to authzforce/core that referenced this issue Feb 16, 2018
…cted by CVE:

           https://nvd.nist.gov/vuln/detail/CVE-2018-5968
        The issue and pull request has been submitted to Jongo project, but not yet part of a release:
        bguerout/jongo#327
In the meantime, the fix is to force version of dependency jackson-databind to 2.9.4.
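The workaround named in the commit message above (pinning the transitive jackson-databind to 2.9.4 in the consuming project until a fixed Jongo release exists) is what a Maven `dependencyManagement` override does. The fragment below is an added example written for this page, not code from the Jongo project or from the issue author; the project coordinates, the jongo version (an unpatched 1.3.0 is assumed) and the dependency-check plugin configuration are assumptions chosen to reproduce the failing scan in the report:

```xml
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <!-- Coordinates are assumed for this example. -->
  <groupId>com.example</groupId>
  <artifactId>jongo-consumer</artifactId>
  <version>1.0.0-SNAPSHOT</version>

  <dependencyManagement>
    <dependencies>
      <!-- Forces every transitive jackson-databind (including the one jongo
           pulls in) to the version the commit message names as the fix.
           Managed versions win over the version declared by the transitive
           dependency's own POM. -->
      <dependency>
        <groupId>com.fasterxml.jackson.core</groupId>
        <artifactId>jackson-databind</artifactId>
        <version>2.9.4</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <dependency>
      <groupId>org.jongo</groupId>
      <artifactId>jongo</artifactId>
      <!-- Assumed pre-fix version; 1.3.1 and 1.4.0 ship updated Jackson. -->
      <version>1.3.0</version>
    </dependency>
  </dependencies>

  <build>
    <plugins>
      <!-- Same plugin and version that produced the error in the report.
           failBuildOnCVSS makes the scan fail the build for any finding
           at or above the given score, so the override is verified on
           every build rather than only when someone runs the scan. -->
      <plugin>
        <groupId>org.owasp</groupId>
        <artifactId>dependency-check-maven</artifactId>
        <version>3.0.2</version>
        <configuration>
          <failBuildOnCVSS>7</failBuildOnCVSS>
        </configuration>
        <executions>
          <execution>
            <goals>
              <goal>check</goal>
            </goals>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

Before trusting the override, confirm what actually resolves with `mvn dependency:tree -Dincludes=com.fasterxml.jackson.core:jackson-databind`; only 2.9.4 should appear. Overriding jackson-databind alone leaves jackson-core, jackson-annotations and bson4jackson at whatever jongo declares, so run the project's tests after the change: the maintainer's reply below notes that the 1.4.0 release moved bson4jackson to 2.9.x alongside Jackson, which is the combination the library was actually tested with.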

cdanger commented Mar 4, 2018

Hello, I can see that the fixing PR #326 is now merged and planned to be part of milestone 1.4.0, but there are still a few open issues planned as well, blocking the release. Could you do a hotfix release in the meantime (to have this security fix part of the release)? Thank you.

@bguerout bguerout added this to the 1.4.0 milestone Mar 26, 2018
bguerout (Owner) commented

Hello 1.3.1 and 1.4.0 have been released.

1.3.1: Jackson fixAcces(true) and Jackson update to 2.7.9
1.4.0: Jackson and bson4jackson updated to 2.9.x and enhancement of Jongo classes extensibility

You can find more information here: https://github.com/bguerout/jongo/releases
