The package com.google.code.gson:gson before 2.8.9 is vulnerable to Deserialization of Untrusted Data via the writeReplace() method in internal classes, which may lead to denial of service attacks.
Release Notes
google/gson
### [`v2.8.9`](https://togithub.com/google/gson/blob/HEAD/CHANGELOG.md#Version-289)
- Make OSGi bundle's dependency on `sun.misc` optional ([https://github.com/google/gson/pull/1993](https://togithub.com/google/gson/pull/1993)).
- Deprecate `Gson.excluder()` exposing internal `Excluder` class ([https://github.com/google/gson/pull/1986](https://togithub.com/google/gson/pull/1986)).
- Prevent Java deserialization of internal classes ([https://github.com/google/gson/pull/1991](https://togithub.com/google/gson/pull/1991)).
- Improve number strategy implementation ([https://github.com/google/gson/pull/1987](https://togithub.com/google/gson/pull/1987)).
- Fix LongSerializationPolicy null handling being inconsistent with Gson ([https://github.com/google/gson/pull/1990](https://togithub.com/google/gson/pull/1990)).
- Support arbitrary Number implementation for Object and Number deserialization ([https://github.com/google/gson/pull/1290](https://togithub.com/google/gson/pull/1290)).
- Bump proguard-maven-plugin from 2.4.0 to 2.5.1 ([https://github.com/google/gson/pull/1980](https://togithub.com/google/gson/pull/1980)).
- Don't exclude static local classes ([https://github.com/google/gson/pull/1969](https://togithub.com/google/gson/pull/1969)).
- Fix `RuntimeTypeAdapterFactory` depending on internal `Streams` class ([https://github.com/google/gson/pull/1959](https://togithub.com/google/gson/pull/1959)).
- Improve Maven build ([https://github.com/google/gson/pull/1964](https://togithub.com/google/gson/pull/1964)).
- Make dependency on `java.sql` optional ([https://github.com/google/gson/pull/1707](https://togithub.com/google/gson/pull/1707)).
### [`v2.8.8`](https://togithub.com/google/gson/blob/HEAD/CHANGELOG.md#Version-288)
- Fixed issue with recursive types ([https://github.com/google/gson/issues/1390](https://togithub.com/google/gson/issues/1390)).
- Better behaviour with Java 9+ and `Unsafe` if there is a security manager ([https://github.com/google/gson/pull/1712](https://togithub.com/google/gson/pull/1712)).
- `EnumTypeAdapter` now works better when ProGuard has obfuscated enum fields ([https://github.com/google/gson/pull/1495](https://togithub.com/google/gson/pull/1495)).
### [`v2.8.7`](https://togithub.com/google/gson/blob/HEAD/CHANGELOG.md#Version-287)
- Fixed `ISO8601UtilsTest` failing on systems with UTC+X.
- Improved javadoc for `JsonStreamParser`.
- Updated proguard.cfg ([https://github.com/google/gson/pull/1693](https://togithub.com/google/gson/pull/1693)).
- Fixed `IllegalStateException` in `JsonTreeWriter` ([https://github.com/google/gson/issues/1592](https://togithub.com/google/gson/issues/1592)).
- Added `JsonArray.isEmpty()` ([https://github.com/google/gson/pull/1640](https://togithub.com/google/gson/pull/1640)).
- Added new test cases ([https://github.com/google/gson/pull/1638](https://togithub.com/google/gson/pull/1638)).
- Fixed OSGi metadata generation to work on JavaSE < 9 ([https://github.com/google/gson/pull/1603](https://togithub.com/google/gson/pull/1603)).
### [`v2.8.6`](https://togithub.com/google/gson/blob/HEAD/CHANGELOG.md#Version-286)
*2019-10-04* [GitHub Diff](https://togithub.com/google/gson/compare/gson-parent-2.8.5...gson-parent-2.8.6)
- Added static methods `JsonParser.parseString` and `JsonParser.parseReader` and deprecated instance method `JsonParser.parse`
- Java 9 module-info support
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
[ ] If you want to rebase/retry this PR, check this box
This PR has been generated by Mend Renovate. View repository job log here.
This PR contains the following updates:
2.8.5
->2.8.9
GitHub Vulnerability Alerts
CVE-2022-25647
The package
com.google.code.gson:gson
before 2.8.9 is vulnerable to Deserialization of Untrusted Data via thewriteReplace()
method in internal classes, which may lead to denial of service attacks.Release Notes
google/gson
### [`v2.8.9`](https://togithub.com/google/gson/blob/HEAD/CHANGELOG.md#Version-289) - Make OSGi bundle's dependency on `sun.misc` optional ([https://github.com/google/gson/pull/1993](https://togithub.com/google/gson/pull/1993)). - Deprecate `Gson.excluder()` exposing internal `Excluder` class ([https://github.com/google/gson/pull/1986](https://togithub.com/google/gson/pull/1986)). - Prevent Java deserialization of internal classes ([https://github.com/google/gson/pull/1991](https://togithub.com/google/gson/pull/1991)). - Improve number strategy implementation ([https://github.com/google/gson/pull/1987](https://togithub.com/google/gson/pull/1987)). - Fix LongSerializationPolicy null handling being inconsistent with Gson ([https://github.com/google/gson/pull/1990](https://togithub.com/google/gson/pull/1990)). - Support arbitrary Number implementation for Object and Number deserialization ([https://github.com/google/gson/pull/1290](https://togithub.com/google/gson/pull/1290)). - Bump proguard-maven-plugin from 2.4.0 to 2.5.1 ([https://github.com/google/gson/pull/1980](https://togithub.com/google/gson/pull/1980)). - Don't exclude static local classes ([https://github.com/google/gson/pull/1969](https://togithub.com/google/gson/pull/1969)). - Fix `RuntimeTypeAdapterFactory` depending on internal `Streams` class ([https://github.com/google/gson/pull/1959](https://togithub.com/google/gson/pull/1959)). - Improve Maven build ([https://github.com/google/gson/pull/1964](https://togithub.com/google/gson/pull/1964)). - Make dependency on `java.sql` optional ([https://github.com/google/gson/pull/1707](https://togithub.com/google/gson/pull/1707)). ### [`v2.8.8`](https://togithub.com/google/gson/blob/HEAD/CHANGELOG.md#Version-288) - Fixed issue with recursive types ([https://github.com/google/gson/issues/1390](https://togithub.com/google/gson/issues/1390)). - Better behaviour with Java 9+ and `Unsafe` if there is a security manager ([https://github.com/google/gson/pull/1712](https://togithub.com/google/gson/pull/1712)). - `EnumTypeAdapter` now works better when ProGuard has obfuscated enum fields ([https://github.com/google/gson/pull/1495](https://togithub.com/google/gson/pull/1495)). ### [`v2.8.7`](https://togithub.com/google/gson/blob/HEAD/CHANGELOG.md#Version-287) - Fixed `ISO8601UtilsTest` failing on systems with UTC+X. - Improved javadoc for `JsonStreamParser`. - Updated proguard.cfg ([https://github.com/google/gson/pull/1693](https://togithub.com/google/gson/pull/1693)). - Fixed `IllegalStateException` in `JsonTreeWriter` ([https://github.com/google/gson/issues/1592](https://togithub.com/google/gson/issues/1592)). - Added `JsonArray.isEmpty()` ([https://github.com/google/gson/pull/1640](https://togithub.com/google/gson/pull/1640)). - Added new test cases ([https://github.com/google/gson/pull/1638](https://togithub.com/google/gson/pull/1638)). - Fixed OSGi metadata generation to work on JavaSE < 9 ([https://github.com/google/gson/pull/1603](https://togithub.com/google/gson/pull/1603)). ### [`v2.8.6`](https://togithub.com/google/gson/blob/HEAD/CHANGELOG.md#Version-286) *2019-10-04* [GitHub Diff](https://togithub.com/google/gson/compare/gson-parent-2.8.5...gson-parent-2.8.6) - Added static methods `JsonParser.parseString` and `JsonParser.parseReader` and deprecated instance method `JsonParser.parse` - Java 9 module-info supportConfiguration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.