Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bump Jackson to v2.9.4 to resolve CVE-2017-15095 et al #67

Merged
merged 3 commits into from
Feb 19, 2018
Merged

Bump Jackson to v2.9.4 to resolve CVE-2017-15095 et al #67

merged 3 commits into from
Feb 19, 2018

Conversation

guyboertje
Copy link
Owner

Thanks to @alex-dr for #66

Deletes old versions of jackson from the repository so they don't get included in the final artifact or show up on security scans. I really am not very comfortable with how this repo checks in binaries; I grabbed these from mvnrepository.com, but the author or any other contributor could have injected their own binaries with any malicious code they want and 99.999% of consumers (read; everyone running Logstash) would never know. For context on upstream fix, see: https://bugzilla.redhat.com/show_bug.cgi?id=1506612 CVE-2017-17485: FasterXML/jackson-databind#1855 CVE-2018-5968: FasterXML/jackson-databind#1899
--

The binaries and package only files are now not committed to the repo.
They will be packaged into the gem and pushed to rubygems by the author.

@guyboertje guyboertje requested review from colinsurprenant and removed request for colinsurprenant February 16, 2018 18:14
@alex-dr
Copy link

alex-dr commented Feb 16, 2018

Awesome, thanks for this.

One more request if you wouldn't mind; it appeared that both the 2.7 and 2.9 jar's were present in my logstash, even though 2.9 was the only one used. Would you be able to git rm all jar files from this repo as well, so that we don't accidentally bundle old artifacts?

colinsurprenant
colinsurprenant reviewed Feb 16, 2018
View reviewed changes
.gitignore
lib/jrjackson_jars.rb
lib/com/fasterxml/jackson/
lib/jrjackson/jars/jrjackson-*.jar
pom.xml
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

are you sure you want that in the .gitignore?

Copy link
Owner Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yeah I think so. They are only needed during the package phase. AFACT they don't need to be in Github. No?

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍

@guyboertje
Copy link
Owner Author

@alex-dr

Would you be able to git rm all jar files from this repo as well, so that we don't accidentally bundle old artifacts?

I think I have covered that this time. The previous mechanism of gem files was git ls-files meaning that any old file not ignored by git would be included in the gem. Now, I have made it very specific about exactly which files are to be packaged into the gem and they are predicated on the version in build_info. In future a contributor only needs to alter build_info and CHANGELOG in a PR.

From now on, the packaged gem published to rubygems should not have undesirable jars in it.

@alex-dr
Copy link

alex-dr commented Feb 18, 2018

Awesome, thank you.

@colinsurprenant
Copy link
Collaborator

LGTM

@guyboertje guyboertje merged commit 7774dfa into master Feb 19, 2018
@guyboertje guyboertje deleted the fix/jackson-2-9-4 branch February 19, 2018 17:22
@alex-dr alex-dr mentioned this pull request Feb 19, 2018
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@colinsurprenant colinsurprenant colinsurprenant left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@guyboertje @alex-dr @colinsurprenant