twitter / finatra

Fast, testable, Scala services built on TwitterServer and Finagle
https://twitter.github.io/finatra/
Apache License 2.0

finatra: Fix Jackson Databind vulnerabilities #526

Closed kittsville closed 4 years ago

kittsville commented 4 years ago

Problem

Jackson Databind has multiple critical vulnerabilities:

Solution

Upgrade Jackson Databind to the latest supported version. Version 2.10.X can't be used yet, see #511

Result

Finatra is no longer vulnerable to 2 of the vulnerabilities. Once 2.9.10.4 is released another PR can be raised to fix:
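A dependency bump like this one only closes the hole if the patched jackson-databind is what actually gets resolved, including through transitive dependencies. The following is an added example (not Finatra's code) of a version-floor check that a reviewer could run over a build's dependency listing: it flags any jackson-databind below the patched floor and, mirroring the constraint in this PR, any 2.10.x line the project could not yet adopt. The `group:artifact:version` line format, the sample listing, the `2.10.0` ceiling and the function names are assumptions made here; the `2.9.10.4` floor is the version named above.

```python
# Added example, not part of Finatra: check resolved jackson-databind versions
# against a patched floor and an (assumed) unsupported ceiling.
import re
from typing import List, Optional, Tuple

# Coordinates of the library upgraded in this PR.
JACKSON_DATABIND = ("com.fasterxml.jackson.core", "jackson-databind")

# Constructed sample of a dependency listing in "group:artifact:version" form
# (assumed format; a real run would use the build tool's own listing output).
SAMPLE_DEPENDENCY_LISTING = """
com.fasterxml.jackson.core:jackson-core:2.9.10
com.fasterxml.jackson.core:jackson-databind:2.9.9
com.fasterxml.jackson.module:jackson-module-scala_2.12:2.9.10
com.fasterxml.jackson.core:jackson-databind:2.9.10.4
com.fasterxml.jackson.core:jackson-databind:2.10.3
"""


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.9.10.4' into (2, 9, 10, 4) so comparison is numeric.

    String comparison gets this wrong ('2.9.9' > '2.9.10'), and Jackson's
    four-component micro releases (2.9.10.4) must sort above 2.9.10.
    Parsing stops at the first non-numeric piece such as '-SNAPSHOT'.
    """
    parts = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        if m is None:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def version_at_least(found: str, floor: str) -> bool:
    """True if `found` >= `floor`; tuples compare element-wise, so
    (2, 9, 10) < (2, 9, 10, 4), i.e. 2.9.10 is still below 2.9.10.4."""
    return parse_version(found) >= parse_version(floor)


def check_dependencies(dep_lines: List[str], floor: str,
                       max_exclusive: Optional[str] = None) -> List[Tuple[str, str]]:
    """Return (version, verdict) for every jackson-databind entry.

    verdict is 'vulnerable' (below the patched floor), 'unsupported'
    (at or above max_exclusive, e.g. a 2.10.x line the project cannot
    yet take) or 'ok'.
    """
    results = []
    for line in dep_lines:
        fields = line.strip().split(":")
        if len(fields) < 3:
            continue  # blank line or something that is not a coordinate
        group, artifact, version = fields[:3]  # extra fields (scope etc.) ignored
        if (group, artifact) != JACKSON_DATABIND:
            continue
        if not version_at_least(version, floor):
            verdict = "vulnerable"
        elif max_exclusive is not None and version_at_least(version, max_exclusive):
            verdict = "unsupported"
        else:
            verdict = "ok"
        results.append((version, verdict))
    return results


if __name__ == "__main__":
    # Floor from this PR thread; ceiling is an assumption standing in for
    # "2.10.X can't be used yet".
    for version, verdict in check_dependencies(
            SAMPLE_DEPENDENCY_LISTING.splitlines(), "2.9.10.4", "2.10.0"):
        print(f"jackson-databind {version}: {verdict}")
```

Run it with the real listing from the build to confirm that no vulnerable version survives on the classpath; a single stale transitive copy is enough to leave the service exposed even after the direct dependency is bumped.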

CLAassistant commented 4 years ago

CLA assistant check
All committers have signed the CLA.

codecov[bot] commented 4 years ago

Codecov Report

Merging #526 into develop will not change coverage. The diff coverage is n/a.


@@           Coverage Diff            @@
##           develop     #526   +/-   ##
========================================
  Coverage    91.76%   91.76%           
========================================
  Files          267      267           
  Lines         4763     4763           
  Branches       284      284           
========================================
  Hits          4371     4371           
  Misses         392      392           


cacoco commented 4 years ago

Finatra has been updated to Jackson 2.11 in e265ba87c5ff6cecc88b65dd050e0cf1a23df698. This should be in the next release, 20.5.0.