Commit 5e59836

Dwayne Bailey committed
Bump springboot from 1.15.14 to 1.15.19
This indirectly upgrades jackson-databind to 2.8.11.3 which resolves the
selected version for a number of dependencies. Although reporting an error
this release fixes:

CVE-2018-14718: RCE with slf4j-ext jar
CVE-2018-14719: RCE with blaze-ds-opt, -core jars
CVE-2018-14720: exfiltration/XXE with only JDK classes (some JDK versions)
CVE-2018-14721: exfiltration/SSRF with axis2-jaxws
Ref FasterXML/jackson-databind#2097

CVE-2018-19360 (axis2-transport-jms)
CVE-2018-19361 (openjpa)
CVE-2018-19362 (jboss-common-core)
Ref FasterXML/jackson-databind#2186

See FasterXML/jackson-databind#2097 (comment)
https://github.com/FasterXML/jackson-databind/blob/2.8/release-notes/VERSION#L8-L15

RDM-3796
1 parent f145d1a commit 5e59836

File tree

2 files changed

+29
-8
lines changed

build.gradle

+1-1
@@ -10,7 +10,7 @@ buildscript {
1010
plugins {
1111
id 'application'
1212
id 'io.spring.dependency-management' version '1.0.6.RELEASE'
13-
id 'org.springframework.boot' version '1.5.14.RELEASE'
13+
id 'org.springframework.boot' version '1.5.19.RELEASE'
1414
id 'org.owasp.dependencycheck' version '3.3.2'
1515
id 'se.patrikerdes.use-latest-versions' version '0.2.3'
1616
id 'com.github.ben-manes.versions' version '0.20.0'
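Review bot: the commit title says springboot 1.15.14 to 1.15.19, but this hunk changes `id 'org.springframework.boot' version '1.5.14.RELEASE'` to `'1.5.19.RELEASE'`, so the message should read 1.5.14 to 1.5.19 for anyone later searching history for the Boot 1.5 line. Because the security fix here depends on the transitively selected jackson-databind version rather than a pinned one (the message itself says the upgrade to 2.8.11.3 is indirect), it would be worth recording in the message how the resolved version was confirmed, since a later plugin, BOM or dependency change could silently select a different jackson-databind without touching this file.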

dependency-check-suppressions.xml

+28-7
@@ -87,31 +87,52 @@
8787
<cve>CVE-2018-1000873</cve>
8888
</suppress>
8989
<suppress>
90-
<notes>Temporary suppression</notes>
90+
<notes>jackson-databind 2.8.11.3 fixes this CVE. See
91+
https://github.com/FasterXML/jackson-databind/issues/2097#issuecomment-457071680
92+
and RDM-3796</notes>
93+
<gav regex="true">^com\.fasterxml\.jackson\.core:jackson-databind:2\.8\.11\.[3].*$</gav>
9194
<cve>CVE-2018-14718</cve>
9295
</suppress>
9396
<suppress>
94-
<notes>Temporary suppression</notes>
97+
<notes>jackson-databind 2.8.11.3 fixes this CVE. See
98+
https://github.com/FasterXML/jackson-databind/issues/2097#issuecomment-457071680
99+
and RDM-3796</notes>
100+
<gav regex="true">^com\.fasterxml\.jackson\.core:jackson-databind:2\.8\.11\.[3].*$</gav>
95101
<cve>CVE-2018-14719</cve>
96102
</suppress>
97103
<suppress>
98-
<notes>Temporary suppression</notes>
104+
<notes>jackson-databind 2.8.11.3 fixes this CVE. See
105+
https://github.com/FasterXML/jackson-databind/issues/2097#issuecomment-457071680
106+
and RDM-3796</notes>
107+
<gav regex="true">^com\.fasterxml\.jackson\.core:jackson-databind:2\.8\.11\.[3].*$</gav>
99108
<cve>CVE-2018-14720</cve>
100109
</suppress>
101110
<suppress>
102-
<notes>Temporary suppression</notes>
111+
<notes>jackson-databind 2.8.11.3 fixes this CVE. See
112+
https://github.com/FasterXML/jackson-databind/issues/2097#issuecomment-457071680
113+
and RDM-3796</notes>
114+
<gav regex="true">^com\.fasterxml\.jackson\.core:jackson-databind:2\.8\.11\.[3].*$</gav>
103115
<cve>CVE-2018-14721</cve>
104116
</suppress>
105117
<suppress>
106-
<notes>Temporary suppression</notes>
118+
<notes>jackson-databind 2.8.11.3 fixes this CVE. See
119+
https://github.com/FasterXML/jackson-databind/issues/2097#issuecomment-457071680
120+
and RDM-3796</notes>
121+
<gav regex="true">^com\.fasterxml\.jackson\.core:jackson-databind:2\.8\.11\.[3].*$</gav>
107122
<cve>CVE-2018-19360</cve>
108123
</suppress>
109124
<suppress>
110-
<notes>Temporary suppression</notes>
125+
<notes>jackson-databind 2.8.11.3 fixes this CVE. See
126+
https://github.com/FasterXML/jackson-databind/issues/2097#issuecomment-457071680
127+
and RDM-3796</notes>
128+
<gav regex="true">^com\.fasterxml\.jackson\.core:jackson-databind:2\.8\.11\.[3].*$</gav>
111129
<cve>CVE-2018-19361</cve>
112130
</suppress>
113131
<suppress>
114-
<notes>Temporary suppression</notes>
132+
<notes>jackson-databind 2.8.11.3 fixes this CVE. See
133+
https://github.com/FasterXML/jackson-databind/issues/2097#issuecomment-457071680
134+
and RDM-3796</notes>
135+
<gav regex="true">^com\.fasterxml\.jackson\.core:jackson-databind:2\.8\.11\.[3].*$</gav>
115136
<cve>CVE-2018-19362</cve>
116137
</suppress>
117138
<suppress>
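Review bot: in every new `<gav regex="true">` line, `[3]` is a one-character class equivalent to a literal `3`, and the trailing `.*` also lets any patch string that merely begins with `2.8.11.3` match; if the intent is to tie each suppression to exactly the version that carries the fix so that it expires on the next bump, end the pattern with `jackson-databind:2\.8\.11\.3$` instead. The seven added blocks are otherwise identical apart from the `<cve>` element (CVE-2018-14718 through CVE-2018-14721 and CVE-2018-19360 through CVE-2018-19362), which duplicates the notes text, the issue-comment URL and the gav regex seven times; dependency-check's suppression format accepts several `<cve>` entries under one `<suppress>`, so a single block would keep the justification and the version match in sync when they next change. Replacing "Temporary suppression" with a note that names the fixing version and links the upstream comment and RDM-3796 is the right record to keep, so that part is good as written.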
