Closed slunker closed 2 years ago
Thanks!
no problem. Any idea when is this going to be released?
Likely next week when we put out a 1.12.3-RC2 with some deprecation notes for features being removed in the upcoming 2.0 release.
But note that the library states dependencies by version ranges, and this version bump is just the lower bound. Downstream projects can (and should) also add their own version constraints to account for vulnerabilities, and don't have to wait for their dependencies to do so (unless upstream dependencies have incompatible version constraints, of course, which is why we state them as ranges).
We upgraded before this, @emlun, as you say. The issue is that Jackson databind makes breaking changes between minors, we've heard it said. So, we were a bit leery to make that bump. We wanted to be sure that the version passed all of the project's tests and looks good from the maintainers' PoV. We also wanted to be good OSS users and contribute back, even if it was small.
@slunker This is now out in pre-release 1.12.3-RC2. Our usual procedure is to let RC releases sit for about 2 weeks before promoting them to a non-RC release.
@travisspencer I see, thank you for contributing! (I assume you are affiliated with @slunker?)
We (@slunker, me and the rest of the Curity crew) are fixing a few other issues ATM, @emlun. Maybe we can do some testing before the RC is released. Can you switch us to this new version, @daniellindau, and see if you hit any problems?
BTW, @daniellindau told me yesterday, @emlun, that we've switched to the RC2 build. We'll report in errors to the issue tracker if any arise.
Update jackson-databind to 2.13.2.1 as it fixes CVE-2020-36518. For this version of jackson-databind it was necessary to use a different bom - see https://github.com/FasterXML/jackson-databind/issues/3428
The jackson-databind issue describing the CVE is here: https://github.com/FasterXML/jackson-databind/issues/2816
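An added example, not code from this thread or from the project being discussed, of the downstream version constraint emlun describes above, using the jackson-databind version from the last comment. It is written for a Gradle build (Groovy DSL); the use of Gradle, the `implementation` configuration and the `com.example:...` coordinates of the library that pulls in jackson-databind are assumptions, and the jackson-databind coordinates and the 2.13.2.1 version come from the thread.

```groovy
// build.gradle (Groovy DSL) of a hypothetical downstream project.
// Assumed: Gradle, the 'java' plugin and the 'implementation' configuration.
plugins {
    id 'java'
}

repositories {
    mavenCentral()
}

dependencies {
    // Placeholder coordinates for the library that brings jackson-databind in
    // transitively; replace with the real dependency of your project.
    implementation 'com.example:library-that-depends-on-jackson:1.0.0'

    constraints {
        // Raise the lower bound of jackson-databind in this build without waiting
        // for the upstream library to bump its own range. 'require' is a soft bound:
        // conflict resolution may still select a higher version if another path in
        // the graph asks for one. Use 'strictly' to make the bound hard instead.
        implementation('com.fasterxml.jackson.core:jackson-databind') {
            version { require '2.13.2.1' }
            because 'CVE-2020-36518: versions before 2.13.2.1 are affected'
        }
    }
}
```

Check what actually resolved with `./gradlew dependencyInsight --dependency jackson-databind --configuration runtimeClasspath`; the report shows the selected version and the selection reason given in `because`. If the build also imports a Jackson BOM through `platform(...)`, the BOM has to be moved in step with jackson-databind, which is the caveat the last comment above raises and links to.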