
[2.13.x] Add check in primitive value deserializers to avoid deep wrapper array nesting wrt UNWRAP_SINGLE_VALUE_ARRAYS [CVE-2022-42003] #3621

Merged
merged 2 commits into FasterXML:2.13 from rzo1:2.13
Oct 12, 2022

Conversation

@rzo1 (Contributor) commented Oct 11, 2022

What does this PR do?

As discussed in #3590

Here is a PR with

  • a cherry pick of the related changes
  • updates release notes for a potential 2.13.4.1

(cherry picked from commit d78d00e)
@cowtowncoder cowtowncoder added CVE Issues related to public CVEs (security vuln reports) 2.13 labels Oct 12, 2022
@cowtowncoder (Member)

Thank you @rzo1! I'll merge this and can hopefully create a micro-patch release tomorrow.

@cowtowncoder cowtowncoder merged commit 2c4a601 into FasterXML:2.13 Oct 12, 2022
@rzo1 (Contributor, Author) commented Oct 12, 2022

Thanks for your time @cowtowncoder !

@rzo1 rzo1 deleted the 2.13 branch October 12, 2022 06:14
@rzo1 rzo1 restored the 2.13 branch October 12, 2022 06:14
@cowtowncoder (Member)

Thank you @rzo1 for making the PR -- saved time so I could get this released. And similarly with #3622 there will also be 2.12.7.1 release of databind.

@jeesmon commented Oct 13, 2022

https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-databind/2.13.4.1 is reporting that v2.13.4.1 still has the CVE. Anyone know whether that will get corrected through some process?


@rzo1 (Contributor, Author) commented Oct 13, 2022

> https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-databind/2.13.4.1 is reporting that v2.13.4.1 still has the CVE. Anyone know whether that will get corrected through some process?

Updating the CVE is on the way, AFAIK, see #3590 (comment)

srowen pushed a commit to apache/spark that referenced this pull request Oct 13, 2022
### What changes were proposed in this pull request?
This PR aims to upgrade `jackson-databind` to 2.13.4.1.

### Why are the changes needed?
This is a bug fix version related to [CVE-2022-42003]

- FasterXML/jackson-databind#3621

### Does this PR introduce _any_ user-facing change?
No

### How was this patch tested?
Pass GitHub Actions

Closes #38235 from LuciferYang/SPARK-40782.

Authored-by: yangjie01 <yangjie01@baidu.com>
Signed-off-by: Sean Owen <srowen@gmail.com>
(cherry picked from commit 2a8b2a1)
Signed-off-by: Sean Owen <srowen@gmail.com>
srowen pushed a commit to apache/spark that referenced this pull request Oct 13, 2022
SandishKumarHN pushed a commit to SandishKumarHN/spark that referenced this pull request Dec 12, 2022
Labels
CVE Issues related to public CVEs (security vuln reports)