
Block one more gadget type (HikariCP, CVE-2019-14439 / CVE-2019-16335) #2449

Closed
cowtowncoder opened this issue Sep 10, 2019 · 3 comments
Labels: CVE (Issues related to public CVEs (security vuln reports))
Milestone: 2.9.10

Comments

@cowtowncoder
Member

cowtowncoder commented Sep 10, 2019

Another gadget (*) type report regarding HikariConfig (sub-class of HikariDataSource)

Mitre id: CVE-2019-14439
Reporter: kingkk

Fixed in:

  • 2.9.10
  • 2.8.11.5
  • 2.6.7.3
  • does not affect 2.10.0 and later

(*) See https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 for more on general problem type
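An added example (not code from this issue or from jackson-databind) showing how a defender can check that an ObjectMapper with default typing enabled refuses the gadget class this issue blocks; it assumes jackson-databind 2.10 or later on the classpath (the allow-list based `PolymorphicTypeValidator` API), a hypothetical application package `com.example.app`, and HikariCP's fully-qualified class name `com.zaxxer.hikari.HikariConfig`, which the page itself does not spell out.

```java
import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

/**
 * Regression-style check: with default typing active, only subtypes under our own
 * package may be named as type ids, so the HikariConfig gadget class is rejected by
 * the allow-list regardless of the deny-list entry added in 2.9.10 / 2.8.11.5.
 */
public class GadgetTypeCheck {

    // Hypothetical application package that polymorphic subtypes must live in.
    static final String APP_PACKAGE = "com.example.app.";

    // Fully-qualified name of the class blocked by this issue (assumed; HikariCP's class).
    static final String HIKARI_CONFIG = "com.zaxxer.hikari.HikariConfig";

    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(APP_PACKAGE)   // everything else is refused before instantiation
                .build();
        ObjectMapper mapper = new ObjectMapper();
        // Default typing is what lets a document choose the class; keep it behind the
        // allow-list validator instead of the deprecated enableDefaultTyping().
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    /** Returns true when the mapper rejects a document whose type id names the given class. */
    static boolean rejectsTypeId(ObjectMapper mapper, String className) {
        // Jackson's "as array" default-typing layout: [type id, value]; the value is left empty.
        String doc = "[\"" + className + "\", {}]";
        try {
            mapper.readValue(doc, Object.class);
            return false;   // the class was resolved and deserialized
        } catch (JsonProcessingException e) {
            // Both "subtype not allowed" and "unknown type id" (HikariCP absent from the
            // classpath) surface as InvalidTypeIdException, a JsonProcessingException.
            return true;
        }
    }

    public static void main(String[] args) {
        ObjectMapper mapper = hardenedMapper();
        if (!rejectsTypeId(mapper, HIKARI_CONFIG)) {
            throw new AssertionError("gadget class was accepted by the mapper");
        }
        System.out.println(HIKARI_CONFIG + " rejected by allow-list validator");
    }
}
```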

@cowtowncoder cowtowncoder added the 2.9 and CVE (Issues related to public CVEs (security vuln reports)) labels Sep 10, 2019
@cowtowncoder cowtowncoder added this to the 2.9.10 milestone Sep 12, 2019
@cowtowncoder
Member Author

Block added in 2.9, to be included in 2.9.10. Also backported to the 2.8 branch, but uncertain if a new micro-patch will be released (if it is, that'd be 2.8.11.5).

@louro11

louro11 commented Sep 16, 2019

This was assigned as CVE-2019-16335.

Edit: This was referenced here: https://nvd.nist.gov/vuln/detail/CVE-2019-16335 @cowtowncoder

@cowtowncoder cowtowncoder changed the title from "Block one more gadget type (no CVE allocated yet)" to "Block one more gadget type (HikariCP, CVE-2019-14439)" Sep 16, 2019
@cowtowncoder
Member Author

@louro11 That is weird. The original report was CVE-2019-14439. Looking at the CVE ID you gave, it seems to be for #2410, but that, too, already has a different id.

@cowtowncoder cowtowncoder changed the title from "Block one more gadget type (HikariCP, CVE-2019-14439)" to "Block one more gadget type (HikariCP, CVE-2019-14439 / CVE-2019-16335)" Sep 20, 2019
ablekhman added a commit to atlassian/jackson-1 that referenced this issue Oct 23, 2019