Update jackson-databind, bcprov-jdk15on, commons-compress #304

Merged
merged 1 commit into from
Feb 7, 2022


julianladisch

Update com.fasterxml.jackson.core:jackson-databind from 2.7.0 to 2.13.1
fixing security vulnerabilities:
https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-databind/2.7.0

Update org.bouncycastle:bcprov-jdk15on from 1.52 to 1.70
fixing security vulnerabilities:
https://mvnrepository.com/artifact/org.bouncycastle/bcprov-jdk15on/1.52

Update org.apache.commons:commons-compress from 1.9 to 1.21
fixing security vulnerabilities:
https://mvnrepository.com/artifact/org.apache.commons/commons-compress/1.9

I haven't checked whether allure-jenkins-plugin is affected; however,
the update will at least fix false positive reports from various
security vulnerability scanners.

Fixes #287.

  • Make sure you are opening from a topic/feature/bugfix branch (right side) and not your main branch!
  • Ensure that the pull request title represents the desired changelog entry
  • Please describe what you did
  • Link to relevant issues in GitHub or Jira
  • Link to relevant pull requests, esp. upstream and downstream changes
  • Ensure you have provided tests that demonstrate the feature works or fix the issue

I don't provide tests because it is not my task to create exploits for all vulnerabilities. Please consult the repositories of the dependencies to validate whether their fix actually fixes the vulnerability and whether they have added a test for each vulnerability.

Update com.fasterxml.jackson.core:jackson-databind from 2.7.0 to 2.13.1
fixing security vulnerabilities:
https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-databind/2.7.0

Update org.bouncycastle:bcprov-jdk15on from 1.52 to 1.70
fixing security vulnerabilities:
https://mvnrepository.com/artifact/org.bouncycastle/bcprov-jdk15on/1.52

Update org.apache.commons:commons-compress from 1.9 to 1.21
fixing security vulnerabilities:
https://mvnrepository.com/artifact/org.apache.commons/commons-compress/1.9

I haven't checked whether allure-jenkins-plugin is affected; however,
the update will at least fix false positive reports from various
security vulnerability scanners.

Fixes jenkinsci#287.
@eroshenkoam eroshenkoam merged commit 6cdf1d7 into jenkinsci:master Feb 7, 2022
@julianladisch julianladisch deleted the update-dependencies branch February 7, 2022 08:24
Successfully merging this pull request may close these issues.

Update jackson-databind version due to security vulnerabilities