
deps: update dependency com.fasterxml.jackson.core:jackson-databind to v2.13.4.2 [security]#1710

Merged
gcf-merge-on-green[bot] merged 1 commit into googleapis:main from renovate-bot:renovate/maven-com.fasterxml.jackson.core-jackson-databind-vulnerability on Aug 20, 2024

Conversation

@renovate-bot (Contributor), Mend Renovate

This PR contains the following updates:

Package: com.fasterxml.jackson.core:jackson-databind (source)
Change: 2.13.4.1 -> 2.13.4.2
Age / Adoption / Passing / Confidence: badge images (not rendered)

GitHub Vulnerability Alerts

CVE-2022-42003

In FasterXML jackson-databind 2.4.0-rc1 until 2.12.7.1, and in 2.13.x before 2.13.4.2, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. This was patched in 2.12.7.1, 2.13.4.2, and 2.14.0.

Commits that introduced vulnerable code are FasterXML/jackson-databind@d499f2e, FasterXML/jackson-databind@0e37a39, and FasterXML/jackson-databind@7ba9ac5.

Fix commits are FasterXML/jackson-databind@cd09097 and FasterXML/jackson-databind@d78d00e.


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR was generated by Mend Renovate. View the repository job log.

@renovate-bot renovate-bot requested a review from a team August 20, 2024 12:51
@renovate-bot renovate-bot requested a review from a team as a code owner August 20, 2024 12:51
@dpebot

dpebot commented Aug 20, 2024

/gcbrun

@trusted-contributions-gcf trusted-contributions-gcf bot added the kokoro:force-run label (Add this label to force Kokoro to re-run the tests.) Aug 20, 2024
@product-auto-label product-auto-label bot added the size: xs label (Pull request size is extra small.) and the api: spanner label (Issues related to the googleapis/java-spanner-jdbc API.) Aug 20, 2024
@yoshi-kokoro yoshi-kokoro removed the kokoro:force-run label (Add this label to force Kokoro to re-run the tests.) Aug 20, 2024
@olavloite olavloite added the automerge label (Merge the pull request once unit tests and other checks pass.) Aug 20, 2024
@gcf-merge-on-green gcf-merge-on-green bot merged commit eff5df2 into googleapis:main Aug 20, 2024
@gcf-merge-on-green gcf-merge-on-green bot removed the automerge label (Merge the pull request once unit tests and other checks pass.) Aug 20, 2024
@renovate-bot renovate-bot deleted the renovate/maven-com.fasterxml.jackson.core-jackson-databind-vulnerability branch August 20, 2024 13:11