(2.6) Backport all CVE fixes up to CVE-2021-20190 #3087
Conversation
Sounds reasonable, thank you again!
Thank you guys for porting the CVEs. May I know the release date of 2.6.7.5?
There are no current plans for further 2.6.7.x micro-patch releases. AWS SDK Java client is finally upgrading to Jackson 2.12 which should drastically remove the need.
I checked the https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.6.7.x and did not see CVE-2018-7489 in the list. I want to confirm whether that has been ported to any 2.6.7.x release because the respective ticket #1931 has been closed.
@lowchinwei Feel free to check commits in the 2.6 branch to confirm. It is possible that @millems did merge patch for that: Wiki would only contain information on released fixes. As to #1931 closure: that just means that a fix had been committed to a branch; not that it had been released in any particular branch (although I do try to add notes to issues to indicate that part too -- however, issue closing is not synchronized with version releases).
I checked the following code change in the commit for 2.6.7.4: 74aba40
Looks like change for 1931: did refactor things. 2.6 does not have Given this it is likely that CVE-2018-7489 is not fixed by any 2.6.x version.
Correct.
Motivation: Jackson-2.6 is still widely used, despite being deprecated (including in the AWS SDK for Java 1.11.x). Until those consumers can migrate to a supported version of Jackson-2.6, this patch will protect those customers from the CVEs currently open against 2.6.7.4.
We're not asking that these changes be released, because we understand that it takes time and effort. Regardless, we wanted to offer these changes upstream.
A similar change was made as part of 2.6.7.4 with similar motivation: #2864