[2.13.x] Add check in primitive value deserializers to avoid deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS [CVE-2022-42003] #3621
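The title describes the class of input the fix guards against: with `DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS` enabled, a primitive value deserializer unwraps a wrapper array by recursing into its content, so input such as `[[[[...1...]]]]` with many thousands of wrappers drives recursion once per `[` and can exhaust the stack. The probe below is an added example for checking which behaviour a given jackson-databind build has; it is not code from this PR or from the project. It assumes jackson-databind is on the classpath; the class name, the `Outcome` enum and the chosen nesting depths are ours.

```java
import com.fasterxml.jackson.databind.DeserializationFeature;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.MismatchedInputException;

/**
 * Probe for the deep wrapper-array nesting issue (CVE-2022-42003).
 * Assumed: jackson-databind on the classpath. Names and depths here are ours,
 * not the project's.
 */
public class UnwrapNestingProbe {

    /** Builds "[[[...1...]]]" with the given number of wrapper arrays (constructed input). */
    static String nestedInt(int depth) {
        StringBuilder sb = new StringBuilder(depth * 2 + 1);
        for (int i = 0; i < depth; i++) sb.append('[');
        sb.append('1');
        for (int i = 0; i < depth; i++) sb.append(']');
        return sb.toString();
    }

    enum Outcome { PARSED, REJECTED, STACK_OVERFLOW }

    /** Deserializes the nested value as a primitive int and classifies what happened. */
    static Outcome probe(ObjectMapper mapper, int depth) {
        try {
            int v = mapper.readValue(nestedInt(depth), int.class);
            return v == 1 ? Outcome.PARSED : Outcome.REJECTED;
        } catch (MismatchedInputException e) {
            // Fixed builds report a mismatch instead of recursing through every wrapper.
            return Outcome.REJECTED;
        } catch (java.io.IOException e) {
            return Outcome.REJECTED;
        } catch (StackOverflowError e) {
            // Affected builds recurse once per '[' and run out of stack on deep input.
            return Outcome.STACK_OVERFLOW;
        }
    }

    public static void main(String[] args) {
        ObjectMapper unwrapping = new ObjectMapper()
            .enable(DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS);

        // A single wrapper is the case the feature exists for: [1] -> 1.
        System.out.println("unwrap on, depth 1:      " + probe(unwrapping, 1));
        // Deep nesting: STACK_OVERFLOW on affected builds, REJECTED on fixed ones.
        System.out.println("unwrap on, depth 100000: " + probe(unwrapping, 100_000));

        // With the feature left at its default (disabled), even [1] is rejected for
        // int.class, so the recursion is never entered.
        ObjectMapper strict = new ObjectMapper();
        System.out.println("unwrap off, depth 1:     " + probe(strict, 1));
    }
}
```

Run it against the jackson-databind version actually resolved in your build, not the one declared, since a transitive dependency can pin an older artifact. Services that parse untrusted JSON and do not need single-value unwrapping should leave the feature at its default of disabled, which keeps the primitive deserializers out of the recursive path entirely.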
src/main/java/com/fasterxml/jackson/databind/deser/std/StdDeserializer.java
Thank you @rzo1! I'll merge this and can hopefully create a micro-patch release tomorrow.
Thanks for your time @cowtowncoder!
https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-databind/2.13.4.1 is reporting that v2.13.4.1 still has the CVE. Does anyone know whether that will get corrected through some process?
Updating the CVE is on the way, AFAIK, see #3590 (comment)
### What changes were proposed in this pull request?
This pr aims upgrade `jackson-databind` to 2.13.4.1.
### Why are the changes needed?
This is a bug fix version related to [CVE-2022-42003] - FasterXML/jackson-databind#3621
### Does this PR introduce _any_ user-facing change?
No
### How was this patch tested?
Pass GitHub Actions
Closes #38235 from LuciferYang/SPARK-40782.
Authored-by: yangjie01 <yangjie01@baidu.com>
Signed-off-by: Sean Owen <srowen@gmail.com>
(cherry picked from commit 2a8b2a1)
Signed-off-by: Sean Owen <srowen@gmail.com>
What does this PR do?
As discussed in #3590
Here is a PR with