Upgrade JDBC driver to Jackson 2.15.0 due to 2.14.x being vulnerable to Denial of Service #91
Current driver build uses Jackson 2.14.2.
Please review and rebuild with Jackson 2.15.0 and update the public page at
https://docs.aws.amazon.com/redshift/latest/mgmt/jdbc20-download-driver.html
com.fasterxml.jackson.core:jackson-core package versions before 2.15.0 are vulnerable to Denial of Service (DoS). The package does not properly restrict the size or amount of resources that are requested or influenced by an actor, which can be used to consume more resources than intended and leads to Uncontrolled Resource Consumption ('Resource Exhaustion').
Fixed in Jackson 2.15, released April 23, 2023
FasterXML/jackson-core#315
FasterXML/jackson-core#322
FasterXML/jackson-core#827

Comments

Thanks for opening this issue, @dqmdev. As the release for JDBC Driver version 2.1.0.16 is already under way, we plan to include this Jackson upgrade in our 2.1.0.17 release.
What is the projected timeline for 2.1.0.17? July? Aug?
We're targeting end-of-June/early July.
@bhvkshah, can you deliver the fix before July 14th?
@dqmdev yes, the release is underway for the first week of July.
@dqmdev version 2.1.0.17 has been released, which contains the fix to update the jackson dependencies. Thank you for bringing this issue to our attention as always!
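The resource-exhaustion class the advisory describes (unbounded nesting depth, number length and string length in jackson-core before 2.15) is what the 2.15 StreamReadConstraints API closes. The following is an added example, not code from the Redshift JDBC driver or from the Jackson project: it prints which jackson-core is actually on the classpath (the check to run after swapping in driver 2.1.0.17, since a driver may bundle its own copy), then builds a JsonFactory with explicit limits and feeds it two constructed abusive documents. The limit values (50 levels, 100 digits, 64 KiB strings) are illustrative assumptions for a service that only expects small payloads, not recommended defaults. It compiles only against jackson-core 2.15.0 or later, because StreamReadConstraints and StreamConstraintsException do not exist in 2.14.x; a compile failure here is itself a sign the old version is still being picked up.

```java
import java.io.IOException;

import com.fasterxml.jackson.core.JsonFactory;
import com.fasterxml.jackson.core.JsonParser;
import com.fasterxml.jackson.core.StreamReadConstraints;
import com.fasterxml.jackson.core.exc.StreamConstraintsException;
import com.fasterxml.jackson.core.json.PackageVersion;

public class JacksonLimitsCheck {

    // Tighter-than-default limits. The values are assumptions for this example,
    // chosen for an application that never legitimately sends large documents.
    static JsonFactory boundedFactory() {
        StreamReadConstraints limits = StreamReadConstraints.builder()
                .maxNestingDepth(50)          // arrays/objects nested deeper than this are rejected
                .maxNumberLength(100)         // numeric tokens longer than 100 chars are rejected
                .maxStringLength(64 * 1024)   // string values longer than 64 KiB are rejected
                .build();
        return JsonFactory.builder().streamReadConstraints(limits).build();
    }

    // Streams through the whole document, counting tokens. With a bounded factory,
    // a limit violation surfaces as StreamConstraintsException during nextToken().
    static int countTokens(JsonFactory factory, String json) throws IOException {
        int tokens = 0;
        try (JsonParser parser = factory.createParser(json)) {
            while (parser.nextToken() != null) {
                tokens++;
            }
        }
        return tokens;
    }

    // Returns true when the parser refused the document because of a configured limit.
    static boolean isRejected(JsonFactory factory, String json) throws IOException {
        try {
            countTokens(factory, json);
            return false;
        } catch (StreamConstraintsException e) {
            return true;
        }
    }

    // Constructed input: `depth` nested empty arrays, e.g. "[[[]]]" for depth 3.
    static String deeplyNested(int depth) {
        StringBuilder sb = new StringBuilder(2 * depth);
        for (int i = 0; i < depth; i++) sb.append('[');
        for (int i = 0; i < depth; i++) sb.append(']');
        return sb.toString();
    }

    // Constructed input: one object whose single value is a `digits`-digit integer.
    static String hugeNumber(int digits) {
        StringBuilder sb = new StringBuilder(digits + 8).append("{\"n\":");
        for (int i = 0; i < digits; i++) sb.append('9');
        return sb.append('}').toString();
    }

    public static void main(String[] args) throws IOException {
        // Which jackson-core is really loaded; compare against the driver's declared dependency.
        System.out.println("jackson-core on classpath: " + PackageVersion.VERSION);
        StreamReadConstraints defaults = StreamReadConstraints.defaults();
        System.out.println("built-in limits: depth=" + defaults.getMaxNestingDepth()
                + " numberLength=" + defaults.getMaxNumberLength()
                + " stringLength=" + defaults.getMaxStringLength());

        JsonFactory bounded = boundedFactory();
        String benign = "{\"a\":[1,2,3],\"b\":\"x\"}";
        System.out.println("benign document tokens: " + countTokens(bounded, benign));
        System.out.println("10000-deep array rejected: " + isRejected(bounded, deeplyNested(10_000)));
        System.out.println("100000-digit number rejected: " + isRejected(bounded, hugeNumber(100_000)));
    }
}
```

Passing the bounded factory to `new ObjectMapper(factory)` applies the same limits to data binding, so the guard covers both streaming and tree/POJO reads. If the driver is used through a shaded (relocated) Jackson, `PackageVersion` must be imported from the relocated package instead, and the limits can only be applied where the driver exposes its factory; otherwise upgrading to a driver build on 2.15 is the only fix available from the application side.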