From 86efe39afd825baceb73750baa89ad93d4824a48 Mon Sep 17 00:00:00 2001 From: Patrik Nordwall Date: Thu, 11 Jul 2019 13:51:05 +0200 Subject: [PATCH] Update to Jackson databind 2.9.9.1 to fix CVE-2019-12384 and CVE-2019-12814 * Block gadget type for CVE-2019-12384 * Block gadget type CVE-2019-12814 * new classes blocked in SubTypeValidator.DEFAULT_NO_DESER_CLASS_NAMES, which we use from Akka so updating the dependency is enough --- project/Dependencies.scala | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/project/Dependencies.scala b/project/Dependencies.scala index 865b96159a..4f1c9a0a91 100644 --- a/project/Dependencies.scala +++ b/project/Dependencies.scala @@ -23,6 +23,7 @@ object Dependencies { val agronaVersion = "1.0.1" val nettyVersion = "3.10.6.Final" val jacksonVersion = "2.9.9" + val jacksonDatabindVersion = "2.9.9.1" val scala212Version = "2.12.8" val scala213Version = "2.13.0" @@ -87,7 +88,7 @@ object Dependencies { val jacksonCore = "com.fasterxml.jackson.core" % "jackson-core" % jacksonVersion // ApacheV2 val jacksonAnnotations = "com.fasterxml.jackson.core" % "jackson-annotations" % jacksonVersion // ApacheV2 - val jacksonDatabind = "com.fasterxml.jackson.core" % "jackson-databind" % jacksonVersion // ApacheV2 + val jacksonDatabind = "com.fasterxml.jackson.core" % "jackson-databind" % jacksonDatabindVersion // ApacheV2 val jacksonJdk8 = "com.fasterxml.jackson.datatype" % "jackson-datatype-jdk8" % jacksonVersion // ApacheV2 val jacksonJsr310 = "com.fasterxml.jackson.datatype" % "jackson-datatype-jsr310" % jacksonVersion // ApacheV2 val jacksonScala = "com.fasterxml.jackson.module" %% "jackson-module-scala" % jacksonVersion // ApacheV2