
Issue openam#219 Upgrade Jackson library to 2.10.x #12

Merged: 3 commits merged into master from jackson-2.10.4 on Dec 17, 2020

Conversation

@DTonoki (Contributor) commented Jun 25, 2020

Analysis

openam-jp/openam#217
openam-jp/openam#219

Jackson is a parsing library for CBOR.
The WebAuthn Authentication module uses it, and the older version has a problem parsing authenticatorData.

The older version also has some security issues (CVEs):

  • CVE-2019-17267
  • CVE-2020-9547
  • CVE-2020-10673
  • CVE-2020-9548
  • CVE-2019-14892

Solution

Upgrade Jackson to 2.10.4.

Testing

Unit tests work fine.

@tsujiguchitky (Contributor) commented

After applying the current fixes, OpenAM will now contain the following libraries.

  • jakarta.activation-api-1.2.1.jar
  • jakarta.xml.bind-api-2.3.2.jar

These are libraries provided by Jakarta EE, and they conflict with the libraries provided by Java EE.

  • jakarta.activation-api-1.2.1.jar vs activation-1.1.jar
  • jakarta.xml.bind-api-2.3.2.jar vs jaxb-api-2.3.0.jar

This fix requires dependency adjustments.

@tsujiguchitky tsujiguchitky changed the title Issue openam#217 Upgrade jackson to new version Issue openam#219 Upgrade Jackson library to 2.10.x Jul 10, 2020
@ogis-osada ogis-osada self-requested a review December 17, 2020 04:46
@ogis-osada ogis-osada merged commit 4610fc9 into master Dec 17, 2020
@ogis-osada ogis-osada deleted the jackson-2.10.4 branch December 17, 2020 04:48
tsujiguchitky added a commit that referenced this pull request Dec 4, 2023
* Update jackson to 2.10.4

* Use jakarta.mail to match the version of JavaBeans Activation Framework

* Match the version of JAXB API

Co-authored-by: TSUJIGUCHI Takaya <[email protected]>