Update jackson-databind to 2.8.11.4 #49347

Merged: 3 commits, Dec 6, 2019

racevedoo
Contributor

Upgrade to 2.8.11.4 for security reasons. From jackson release notes:

image

@cbuescher cbuescher added the ":Data Management/Ingest Node" (Execution or management of Ingest Pipelines including GeoIP) and ":Delivery/Build" (Build or test infrastructure) labels Nov 20, 2019
@elasticmachine
Collaborator

Pinging @elastic/es-core-features (:Core/Features/Ingest)

@elasticmachine
Collaborator

Pinging @elastic/es-core-infra (:Core/Infra/Build)

@cbuescher
Member

Maybe related: #45225

@davydotcom

Any update on this? This is holding up closing critical CVEs for highly secure environments.

@davydotcom

I was able to merge this into the 7.4.2 tag branch, build it myself, and verify that functionality works. I'd happily live with building my own non-snapshot 7.4.2 with this fix, but it wants a license key for xpack to do that.

@jakelandis jakelandis self-requested a review December 5, 2019 19:04
@jakelandis jakelandis removed the discuss label Dec 5, 2019
@jakelandis
Contributor

@elasticmachine ok to test

@jakelandis
Contributor

@elasticmachine update branch

@jakelandis
Contributor

@racevedoo thanks for the PR. I updated the SHA hashes and will get this merged and backported.

FWIW, it does not appear that Elasticsearch is susceptible to any of the CVEs referenced.

@jakelandis jakelandis merged commit 2e84e83 into elastic:master Dec 6, 2019
jakelandis pushed a commit to jakelandis/elasticsearch that referenced this pull request Dec 6, 2019
@davydotcom

Yay, thanks. While it may not be susceptible, it still shows up on a scan for CAT 1 level security issues. This can cause immediate rejection even if the software is not vulnerable directly.

jakelandis pushed a commit to jakelandis/elasticsearch that referenced this pull request Dec 6, 2019
jakelandis added a commit that referenced this pull request Dec 6, 2019
SivagurunathanV pushed a commit to SivagurunathanV/elasticsearch that referenced this pull request Jan 23, 2020
@ywelsch
Contributor

ywelsch commented Feb 27, 2020

The backport PR seems to have been merged. I'm therefore removing the backport pending label here. Please shout if this is incorrect.

@jakelandis jakelandis removed the v6.8.6 label Jun 10, 2020
@mark-vieira mark-vieira added the "Team:Delivery" (Meta label for Delivery team) label Nov 11, 2020
Labels
":Data Management/Ingest Node" (Execution or management of Ingest Pipelines including GeoIP), ":Delivery/Build" (Build or test infrastructure), "Team:Delivery" (Meta label for Delivery team), v7.5.1, v7.6.0, v8.0.0-alpha1