Update com.fasterxml.jackson version to 2.8.11 #259
Conversation
|
Some details here: FasterXML/jackson-databind#1737 |
|
Is there a reason not to address the CVE in this dependency? It seems like a trivial fix (famous last words, I know) but I think we'd be happy to help if it causes regressions or there are specific tests you'd like run. |
|
This PR (updating jackson version to 2.8.11) is definitely a jackson-related security fix but should be be thought of more as a solution to: FasterXML/jackson-databind/issues/1737 ...which were released in jackson version 2.8.10. CVE-2017-7525 was almost certainly fixed for logstash in #231 (which updated jackson version to 2.8.9), although it takes digging through the comments (and links from comments) on: FasterXML/jackson-databind#1723 ...to show this. eg "Closed as duplicate of #1737". |
com.fasterxml.jackson had a security vulnerability labeled CVE-2017-15095. It was addressed in com.fasterxml.jackson versions 2.8.10 and 2.9.1 and later. This commit updates the logback encoder plugin to the latest 2.8.x version of com.fasterxml.jackson to address that.
|
@msymons updated the commit message. does that look better? |
|
Updated commit message looks great. Apologies for the delay in responding. |
|
Thanks for the contribution! For the record, logstash-logback-encoder doesn't do any deserialization of log events, so it wouldn't be affected by any deserialization security issues in jackson. And you can always use dependencyManagement to force a specific jackson version in your application. However, having said that, it's always good to keep up with the latest versions to keep those automated security scanners happy. ;) |
com.fasterxml.jackson had a security vulnerability labeled CVE-2017-15095. It was addressed in com.fasterxml.jackson versions 2.8.10 and 2.9.1 and later. This commit updates the logback encoder plugin to the latest 2.8.x version of com.fasterxml.jackson to address that.