_______________________________________________Hi All
I am yet to get any feedback on my query. So I thought I will reach out again to see if any one has comment on this -
Background:
I see the commit for CVE-2020-36518 to vdsm-json-rpc to bump jackson version to 2.12.7
https://github.com/oVirt/vdsm-jsonrpc-java/commit/d1f423809fd491da7b5324b308dac896ded645a7
This change in only made in pom.xml is made with "default" scope (i.e compile).
Queries:
#1. So at runtime, that means this jar should be explicitly packaged somewhere else. I am wondering how is this newer jackson jar is picked up? Does it have anything to do with the change outside pom.xml that I don't see?
#2. Ideally, I would like to verify that vdsm-jsonrpc-java application is using jackson-core2.12.7 and jackson-databaind 2.12.7-1 when installed on engine system. What is the best way to do it?
Thanks
From: Shubha Kulkarni
Sent: Thursday, September 7, 2023 1:47 PM
To: devel@ovirt.org
Subject: Jackson-databind related changes
Hello!
There have been changes added to ovirt-engine and vdsm-jsonrpc-java repos to address security vulnerabilities in jackson-databind package. I see that the change is made to bump up version of jackson-databind package to 2.12.7.1.
I am wondering what is the rpm version for ovirt-engine and vdsm-jsonrpc-java that has these fixes? Also, I am curious what is the best way to validate these changes?
Thanks,
Shubha
Devel mailing list -- devel@ovirt.org
To unsubscribe send an email to devel-leave@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/
List Archives: https://lists.ovirt.org/archives/list/devel@ovirt.org/message/UDIWOPJMWDCRB53I7P7H2YA7MUEY3QMX/