Update restlet.ext.jackson - CVE-2016-7051

[philippeu]

jackson restlet extension is using jackson-dataformat-xml:2.4.4 on which a CVE has been issued https://nvd.nist.gov/vuln/detail/CVE-2016-7051

[Tembrel]

Here's a good summary: FasterXML/jackson-core#371

There are links to related Jackson issues. The easiest workaround is to disable SUPPORT_DTD and expansion of external parsed general entities.

[thboileau]

thanks a lot @philippeu and @Tembrel for reporting the issue and links!
I have a look

[Tembrel]

Updating the dependency might cause problems for some people. Specifically, I have been stuck on Jackson 2.5.3 for a while, because every time I try to use a later version, something breaks in my serialization. It's a compatibility problem unrelated to the security issue, and it's something I'll need to fix eventually, but if you force me now to use Jackson 2.8.8, I'll have to find some way to defeat the dependency (or just not move to the next release of Restlet).

I think this can be addressed instead by documentation, without code or dependency changes. The important point is that external entity support should be disabled by default (and it is, see here and here), and that users be warned that enabling it has risks as described in CVE-2016-7051 and CVE-2016-3270.

[qsiebers]

Is this not fixed in 2.4.1?

Upgraded Jackson dependency to 2.9.6 in order to prevent security issues ...