Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[qZZ3O2uX] Updates jackson-databind to fix CVE-2020-36518, CVE-2022-42004, CVE-2022-42003 #3409

Merged
merged 1 commit into from
Jan 20, 2023
Merged

[qZZ3O2uX] Updates jackson-databind to fix CVE-2020-36518, CVE-2022-42004, CVE-2022-42003 #3409

merged 1 commit into from
Jan 20, 2023

Conversation

gem-neo4j
Copy link
Contributor

vuln-fix: Update dependencies which import jackson-databind that had the following vulnerabilities: CVE-2020-36518, CVE-2022-42004, CVE-2022-42003.

@gem-neo4j gem-neo4j added dependencies Pull requests that update a dependency file 4.4 team-cypher-surface Cypher Surface team should review the PR labels Jan 17, 2023
@Lojjs Lojjs self-assigned this Jan 18, 2023
@gem-neo4j gem-neo4j force-pushed the 4.4_update_jackson_bind_dependencies branch from 4f61166 to cf604ac Compare January 18, 2023 10:13
Lojjs
Lojjs reviewed Jan 20, 2023
View reviewed changes
core/build.gradle
@@ -118,8 +118,8 @@ dependencies {
testCompile 'org.mock-server:mockserver-netty:5.13.0'
testCompile 'org.mock-server:mockserver-client-java:5.13.0'

compileOnly group: 'com.amazonaws', name: 'aws-java-sdk-comprehend', version: '1.12.214' , withoutJacksons
testImplementation group: 'com.amazonaws', name: 'aws-java-sdk-comprehend', version: '1.12.214' , withoutJacksons
compileOnly group: 'com.amazonaws', name: 'aws-java-sdk-comprehend', version: '1.12.353' , withoutJacksons
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

According to the changelog https://github.com/aws/aws-sdk-java/blob/master/CHANGELOG.md I think this was fixed in 1.12.322, but SNYK suggest to update to the latest version, which as of yesterday is 1.12.388. Any particular reason why you upgraded to specifically 1.12.353? I think in general the newest stable version which has the fix in it and work with our other dependencies would be good

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Because the absolute latest version will introduce a breaking change for us. In AWS Entity (https://github.com/aws/aws-sdk-java/blob/master/aws-java-sdk-comprehend/src/main/java/com/amazonaws/services/comprehend/model/Entity.java#L79) a new field was introduced. APOC returns this whole structure in some of the procedures, which means a new field would be added, it didn't feel worth it to update for this tbh especially as it is in extended. So the bump fixes the databind issues, and doesn't introduce new behaviour :)

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I see, that makes sense

Lojjs
Lojjs approved these changes Jan 20, 2023
View reviewed changes
Copy link
Contributor

@Lojjs Lojjs left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great job, thanks!

@gem-neo4j gem-neo4j merged commit 58366c4 into 4.4 Jan 20, 2023
@gem-neo4j gem-neo4j deleted the 4.4_update_jackson_bind_dependencies branch January 20, 2023 12:23
vga91 added a commit that referenced this pull request Jan 26, 2023
@vga91
[qZZ3O2uX] Updates jackson-databind to fix CVE-2020-36518, CVE-2022-4…
efa64e9 
…2004, CVE-2022-42003 (#3409)
vga91 added a commit that referenced this pull request Jan 26, 2023
@vga91
[qZZ3O2uX] Updates jackson-databind to fix CVE-2020-36518, CVE-2022-4…
c1c53c3 
…2004, CVE-2022-42003 (#3409)
vga91 added a commit that referenced this pull request Jan 30, 2023
@vga91
[qZZ3O2uX] Updates jackson-databind to fix CVE-2020-36518, CVE-2022-4…
fde69c7 
…2004, CVE-2022-42003 (#3409)
conker84 pushed a commit that referenced this pull request Jan 30, 2023
@vga91
[NOID] Cherry picks from 4.4 to 5.4 (#3424)
7d8c34d 
* [qZZ3O2uX] Updates jackson-databind to fix CVE-2020-36518, CVE-2022-42004, CVE-2022-42003 (#3409)

* [H10zCpAQ] Fix CWE-73: Added check to prevent reading from outside metrics directory (#3245)
vga91 added a commit that referenced this pull request Jan 31, 2023
@vga91
[qZZ3O2uX] Updates jackson-databind to fix CVE-2020-36518, CVE-2022-4…
4062475 
…2004, CVE-2022-42003 (#3409)
vga91 added a commit that referenced this pull request Jan 31, 2023
@vga91
[qZZ3O2uX] Updates jackson-databind to fix CVE-2020-36518, CVE-2022-4…
bae41cd 
…2004, CVE-2022-42003 (#3409)
vga91 added a commit that referenced this pull request Apr 28, 2023
@vga91
[qZZ3O2uX] Updates jackson-databind to fix CVE-2020-36518, CVE-2022-4…
57881d7 
…2004, CVE-2022-42003 (#3409)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Lojjs Lojjs Lojjs approved these changes

Assignees

@Lojjs Lojjs

Labels
4.4 dependencies Pull requests that update a dependency file team-cypher-surface Cypher Surface team should review the PR
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@gem-neo4j @Lojjs