linkedin/parseq

Bump vulnerable dependency on jackson-mapper-asl (CVE-2019-10172)

Opened this issue · 5 comments

Parseq depends on jackson-mapper-asl, which has not been updated for many years and has since been deprecated and moved to jackson-databind under FasterXML.

This library has a serious CVE that can only be addressed by migrating from jackson-mapper-asl to the jackson-databind module at a later version (preferably 2.13.2.2).

This ticket is for doing this migration with Parseq. Because Restli client depends on Parseq, this dependency bubbles up to anyone depending on Rest.li client as well.

@junchuanwang do you think we can get this one prioritized?

@jjoyce0510 do you think you can raise a PR? I will review it. My hunch is changing the import path name (org.codehaus.jackson vs com.fasterxml.jackson.core) is the only thing needed.
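The import-path change discussed above, shown side by side as an added example that is not part of this issue or of the Parseq code base. The class, the sample JSON and the Gradle coordinates are assumptions for illustration; `ObjectMapper` and `JsonNode` live in `com.fasterxml.jackson.databind`, while `com.fasterxml.jackson.core` is the Maven group id and the home of the streaming classes.

```java
// Added example (not Parseq code): one JSON round-trip written against
// Jackson 1.x (org.codehaus.jackson, artifact jackson-mapper-asl) and the
// same code after migrating to Jackson 2.x (artifact jackson-databind).
//
// --- BEFORE (Jackson 1.x, deprecated, carries CVE-2019-10172) ---
// import org.codehaus.jackson.JsonNode;
// import org.codehaus.jackson.map.ObjectMapper;
// import org.codehaus.jackson.type.TypeReference;
//
// --- AFTER (Jackson 2.x) ---
import com.fasterxml.jackson.core.type.TypeReference;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;

import java.util.List;
import java.util.Map;

public class JacksonMigrationExample {

    // Assumed build change (Gradle syntax; the project's build file may differ):
    //   - implementation 'org.codehaus.jackson:jackson-mapper-asl:1.9.13'
    //   + implementation 'com.fasterxml.jackson.core:jackson-databind:2.13.2.2'

    // Keep the mapper with its defaults: polymorphic "default typing" stays off,
    // which is the setting that keeps untrusted JSON from naming arbitrary classes.
    private static final ObjectMapper MAPPER = new ObjectMapper();

    // Constructed sample input for the example.
    private static final String SAMPLE_JSON =
        "{\"tasks\":[{\"name\":\"fetch\",\"priority\":2},{\"name\":\"merge\",\"priority\":1}]}";

    /** Tree-model read: identical call in 1.x and 2.x (readTree / get / asText). */
    public static String firstTaskName(String json) throws Exception {
        JsonNode root = MAPPER.readTree(json);
        // 1.x also offered getTextValue(); in 2.x the equivalent is textValue()/asText().
        return root.get("tasks").get(0).get("name").asText();
    }

    /** Generic-type read: TypeReference moved from org.codehaus.jackson.type
     *  to com.fasterxml.jackson.core.type, the API shape is unchanged. */
    public static List<Map<String, Object>> readTasks(String json) throws Exception {
        Map<String, List<Map<String, Object>>> parsed =
            MAPPER.readValue(json, new TypeReference<Map<String, List<Map<String, Object>>>>() {});
        return parsed.get("tasks");
    }

    public static void main(String[] args) throws Exception {
        System.out.println(firstTaskName(SAMPLE_JSON));      // fetch
        System.out.println(readTasks(SAMPLE_JSON).size());   // 2
    }
}
```

Because the 1.x and 2.x packages differ, both jars can sit on the classpath at once and the old one is only gone when no module declares it; after the change, a dependency report (for a Gradle build, `./gradlew dependencies`, or `mvn dependency:tree` for Maven) should show no remaining `jackson-mapper-asl` or `jackson-core-asl` entries, including transitive ones pulled in by other libraries.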

@jjoyce0510 @junchuanwang Is this change released or do we have any ETA for this fix? We are planning to use Parseq post this fix.

@jjoyce0510 @junchuanwang : I have made the required changes but don't have permission to push these changes or create a PR. I have attached a file containing the changes.

Can one of you please review and push these changes out ASAP?
jackson-update.txt

@evanw555 I think this is a safe change, can you convert this to a PR?