
[Java] Fix security alerts due to com.fasterxml.jackson.core:jackson-databind #4344

Status: Merged (1 commit merged into master, Nov 1, 2019)

Conversation

wing328 (Member) commented Nov 1, 2019

  • Fix security alerts due to com.fasterxml.jackson.core:jackson-databind
CVE-2019-16942 (moderate severity)
Vulnerable versions: < 2.9.10.1
Patched version: 2.9.10.1
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the commons-dbcp (1.4) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of org.apache.commons.dbcp.datasources.SharedPoolDataSource and org.apache.commons.dbcp.datasources.PerUserPoolDataSource mishandling.

PR checklist

  • Read the contribution guidelines.
  • If contributing template-only or documentation-only changes which will change sample output, build the project before.
  • Run the shell script(s) under ./bin/ (or Windows batch scripts under .\bin\windows) to update Petstore samples related to your fix. This is important, as CI jobs will verify all generator outputs of your HEAD commit, and these must match the expectations made by your contribution. You only need to run ./bin/{LANG}-petstore.sh, ./bin/openapi3/{LANG}-petstore.sh if updating the code or mustache templates for a language ({LANG}) (e.g. php, ruby, python, etc).
  • File the PR against the correct branch: master, 4.1.x, 5.0.x. Default: master.
  • Copy the technical committee to review the pull request if your PR is targeting a particular programming language.

cc @bbdouglas (2017/07) @sreeshas (2017/08) @jfiala (2017/08) @lukoyanov (2017/09) @cbornet (2017/09) @jeff9finger (2018/01) @karismann (2019/03) @Zomzog (2019/04) @lwlee2608 (2019/10)
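The advisory quoted in the PR description names two preconditions besides the vulnerable jackson-databind version: Default Typing enabled on an externally exposed endpoint, and a gadget (commons-dbcp 1.4) on the classpath. The version bump in this PR addresses the first factor; the following is an added example, not code from openapi-generator or from the PR, showing the configuration that creates the precondition next to the configuration that removes it. The types Event, LoginEvent, ErrorEvent, Envelope and the property name "kind" are assumptions for illustration; the only class name taken from the page is the gadget class quoted from the advisory, and the properties that gadget would need are deliberately left out.

```java
// Added example (not part of the openapi-generator PR): the ObjectMapper
// configurations that decide whether a classpath gadget is reachable.
// Event/LoginEvent/ErrorEvent/Envelope and the "kind" property are
// assumptions; the gadget class name is the one quoted in the advisory.
import com.fasterxml.jackson.annotation.JsonSubTypes;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;

public class DefaultTypingDemo {

    // The precondition named in the advisory: global Default Typing.
    // Any JSON value bound to an Object-typed property may now carry a
    // Java class name, and Jackson resolves and instantiates that class.
    static ObjectMapper unsafeMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(); // deprecated since 2.10, present in 2.9.x
        return mapper;
    }

    // Hardened shape: default typing stays off (the ObjectMapper default).
    // Polymorphism is declared per base type with logical names, so the wire
    // format never carries a class name and unknown names are rejected.
    static ObjectMapper safeMapper() {
        return new ObjectMapper();
    }

    @JsonTypeInfo(use = JsonTypeInfo.Id.NAME, property = "kind")
    @JsonSubTypes({
        @JsonSubTypes.Type(value = LoginEvent.class, name = "login"),
        @JsonSubTypes.Type(value = ErrorEvent.class, name = "error")
    })
    public abstract static class Event { public String message; }
    public static class LoginEvent extends Event { public String user; }
    public static class ErrorEvent extends Event { public int code; }

    // An Object-typed field is where default typing bites: there is no
    // static type to constrain what the incoming value may become.
    public static class Envelope { public Object payload; }

    // Shape of class-name-carrying input that global default typing accepts
    // (WRAPPER_ARRAY form: ["class name", value]). Not an exploit: the
    // properties the gadget would need are omitted.
    static final String DEFAULT_TYPING_INPUT =
        "{\"payload\":[\"org.apache.commons.dbcp.datasources.SharedPoolDataSource\",{}]}";

    // Same attacker intent against the allowlisted format: the name is not
    // a registered subtype, so deserialization must fail before any
    // instantiation.
    static final String ALLOWLIST_INPUT =
        "{\"kind\":\"org.apache.commons.dbcp.datasources.SharedPoolDataSource\",\"message\":\"x\"}";

    public static void main(String[] args) throws Exception {
        // 1. Hardened mapper, hostile input: unknown type id is rejected.
        try {
            safeMapper().readValue(ALLOWLIST_INPUT, Event.class);
            System.out.println("unexpected: unknown kind accepted");
        } catch (InvalidTypeIdException e) {
            System.out.println("rejected unknown type id: " + e.getTypeId());
        }

        // 2. Hardened mapper, legitimate input: binds to the registered subtype.
        Event ok = safeMapper().readValue(
            "{\"kind\":\"login\",\"message\":\"hi\",\"user\":\"alice\"}", Event.class);
        System.out.println("accepted: " + ok.getClass().getSimpleName());

        // 3. Unsafe mapper: Jackson resolves the attacker-chosen class name.
        //    On jackson-databind >= 2.9.10.1 this particular class is refused
        //    by the library's built-in denylist; on older versions it is
        //    instantiated whenever commons-dbcp is on the classpath. Without
        //    commons-dbcp at all, class resolution simply fails.
        try {
            unsafeMapper().readValue(DEFAULT_TYPING_INPUT, Envelope.class);
            System.out.println("default typing instantiated the attacker-chosen class");
        } catch (Exception e) {
            System.out.println("default typing tried to resolve attacker class: " + e.getMessage());
        }
    }
}
```

The check a practitioner should take from this: a denylist in the library (which is what the 2.9.10.1 bump delivers) only buys time until the next gadget class is found, whereas disabling default typing and declaring subtypes explicitly removes the class-name channel altogether. If an application genuinely needs default typing, jackson-databind 2.10 and later replace enableDefaultTyping() with activateDefaultTyping(PolymorphicTypeValidator, ...) so that a BasicPolymorphicTypeValidator allowlist of permitted base and sub types is mandatory.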

@wing328 wing328 added this to the 4.2.1 milestone Nov 1, 2019
@wing328 wing328 merged commit 931908c into master Nov 1, 2019
@wing328 wing328 deleted the fix_security branch November 1, 2019 03:17
jimschubert added a commit that referenced this pull request Nov 3, 2019
* 'master' of github.com:OpenAPITools/openapi-generator: (88 commits)
  smaller tests, better code format (#4355)
  csharp-netcore: Replace null literals with default (#4345)
  [core] consider polymorphism when computing unused schemas (#4335)
  Fix issue 4326 forward throws for delegate to main method (#4327)
  [kotlin][client] annotate api exceptions (#4339)
  refactor java-vertx-web parameters and bugfix on non primitive parameter (#4353)
  Remove deprecated API use of ObjectFactory.property() (#2613) (#4352)
  [python][metadata]: Adding license and author fields (#4318)
  [Python] Avoid pep8 violation (#4316)
  [JS] Update package.json (#4261)
  Add slash-arun to Python technical committee (#4354)
  [typescript-fetch] Fix discriminator mapping name (#4340)
  fix security alerts reported by github (#4344)
  fix cpp-restbed-server json field serialization #4320 (#4323)
  typescript-angular: fix oneOf and anyOf generates incorrect model for primitive types (#4341)
  fix(typescript-angular): do not call .toISOString() on a string (#4330) (#4337)
  update samples (#4334)
  Prepare 4.2.0 release (#4333)
  [FEATURE][Haskell] Haskell-Servant serves static files (#4058)
  [FEATURE][Haskell] Add Middleware support for the haskell servant generator (#4056)
  ...
jimschubert added a commit that referenced this pull request Nov 3, 2019
jimschubert added a commit to jimschubert/openapi-generator that referenced this pull request Nov 3, 2019