Thanks for the detailed reply. I will look into the right way to update these dependencies.
Thanks again,
Shubha
From: Martin Perina <mperina(a)redhat.com>
Sent: Friday, September 15, 2023 3:56 AM
To: Shubha Kulkarni <shubha.kulkarni(a)oracle.com>
Cc: devel(a)ovirt.org
Subject: [External] : Re: [ovirt-devel] Re: Jackson-databind related changes
Hi,
oVirt Engine is using the JBoss Modules feature to load libraries, so when a library version
is mentioned in pom.xml it's unrelated to which version is being used during runtime.
Here's the detailed description:
1. jackson-databind 2.12.7 mentioned in pom.xml is actually being used only when building the
project directly with maven (development purposes)
https://github.com/oVirt/vdsm-jsonrpc-java/blob/master/pom.xml.in#L61
https://github.com/oVirt/vdsm-jsonrpc-java/blob/master/client/pom.xml.in&...
2. When building the project as a part of an RPM build, maven (or rather xmvn) is
invoked to use only libraries installed locally as a part of the RPM dependencies
https://github.com/oVirt/vdsm-jsonrpc-java/blob/master/vdsm-jsonrpc-java....
So on CS8 we can easily find out the jackson-databind package version being used during
RPM build
# dnf repoquery --whatprovides 'jackson-databind >= 2.10.0'
jackson-databind-0:2.10.0-1.module_el8.4.0+595+e59c9af2.noarch
jackson-databind-0:2.10.0-1.module_el8.4.0+782+1d1c31a0.noarch
3. At runtime vdsm-jsonrpc-java is being loaded using JBoss Modules as a part of oVirt
Engine:
https://github.com/oVirt/ovirt-engine/blob/master/backend/manager/depende...
which shows that vdsm-jsonrpc-java depends on
com.fasterxml.jackson.core.jackson-databind module, which is included in the relevant
WildFly release.
Currently oVirt Engine is using WildFly 24.0.1, so you can see the jackson-databind version
using the following command:
# rpm -ql ovirt-engine-wildfly | grep 'jackson-databind-'
/usr/share/ovirt-engine-wildfly/modules/system/layers/base/com/fasterxml/jackson/core/jackson-databind/main/jackson-databind-2.12.3.jar
So if you want to bump the jackson-databind version for the oVirt Engine runtime you have two
possibilities:
1. You can deliver an updated JBoss module as a part of the ovirt-engine-wildfly-overlay RPM:
https://github.com/oVirt/ovirt-engine-wildfly/overlay
2. You can try to bump WildFly to the latest version in the ovirt-engine-wildfly RPM:
https://github.com/oVirt/ovirt-engine-wildfly/
Please be aware that at the moment it's not possible to use the latest WildFly version,
because oVirt Engine is using classic security model, which was removed in favor of
Elytron in WildFly 25.
So to bump WildFly version, you would need to implement changes in oVirt Engine to use
Elytron.
Regarding verification, the best way is to verify functionality by executing the oVirt
System Tests:
https://github.com/ovirt/ovirt-system-tests
Regards,
Martin
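As an added example (not oVirt project code, and not part of the mail above), a POSIX shell script that applies the runtime check described here: it reads the jackson-databind module.xml that JBoss Modules loads from the ovirt-engine-wildfly tree, extracts the jar version actually on the module's classpath, and compares it with the minimum you expect, so a pom.xml bump that never reached the WildFly module shows up as OLD. The module path is the one quoted above; the sample tree the script builds is constructed for the demo.

```shell
#!/bin/sh
# Added example, not oVirt project code: report which jackson-databind jar
# JBoss Modules actually serves to oVirt Engine, and whether it meets a
# minimum version, by reading the WildFly module descriptor, not pom.xml.
# Assumes the module path quoted in the thread under /usr/share/ovirt-engine-wildfly.
MODULE_REL=modules/system/layers/base/com/fasterxml/jackson/core/jackson-databind/main
# Print the jar names listed as <resource-root path="..."/> in module.xml.
jackson_runtime_jars() {
    xml="$1/$MODULE_REL/module.xml"
    [ -f "$xml" ] || { echo "missing $xml" >&2; return 1; }
    sed -n 's/.*<resource-root[^>]*path="\([^"]*\)".*/\1/p' "$xml"
}
# jackson-databind-2.12.3.jar -> 2.12.3
jar_version() {
    printf '%s\n' "$1" | sed -n 's/^jackson-databind-\(.*\)\.jar$/\1/p'
}
# Return 0 when dotted version $1 >= $2; missing fields count as 0, so 2.12.7 < 2.12.7.1.
version_at_least() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; y="${b%%.*}"
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
    done
    return 0
}
# One line per jar: OK, OLD or MISSING, then jar name, version found and minimum required.
check_jackson() {
    root="$1"; minimum="$2"
    jackson_runtime_jars "$root" | while read -r jar; do
        v="$(jar_version "$jar")"
        if [ ! -f "$root/$MODULE_REL/$jar" ]; then state=MISSING
        elif version_at_least "$v" "$minimum"; then state=OK
        else state=OLD; fi
        printf '%s %s %s min=%s\n' "$state" "$jar" "$v" "$minimum"
    done
}
# Constructed WildFly tree mirroring the 2.12.3 jar from the thread; prints its root.
make_demo_root() {
    demo="$(mktemp -d)"; mkdir -p "$demo/$MODULE_REL"
    : > "$demo/$MODULE_REL/jackson-databind-2.12.3.jar"
    printf '<module name="com.fasterxml.jackson.core.jackson-databind">\n<resources>\n<resource-root path="jackson-databind-2.12.3.jar"/>\n</resources>\n</module>\n' > "$demo/$MODULE_REL/module.xml"
    echo "$demo"
}
demo="$(make_demo_root)"; check_jackson "$demo" 2.12.7.1; rm -rf "$demo"
```

On a real engine host, run `check_jackson /usr/share/ovirt-engine-wildfly 2.12.7.1` (and the same against the overlay tree if one is installed) to see what the runtime will actually load.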
On Thu, Sep 14, 2023 at 11:44 PM Shubha Kulkarni
<shubha.kulkarni@oracle.com> wrote:
Hi All,
I am yet to get any feedback on my query, so I thought I would reach out again to see if
anyone has a comment on this -
Background:
I see the commit for CVE-2020-36518 in vdsm-jsonrpc-java to bump the jackson version to 2.12.7
https://github.com/oVirt/vdsm-jsonrpc-java/commit/d1f423809fd491da7b5324b...
This change is only made in pom.xml, with the "default" scope (i.e.
compile).
Queries:
#1. So at runtime, that means this jar should be explicitly packaged somewhere else. I am
wondering how this newer jackson jar is picked up? Does it have anything to do with a
change outside pom.xml that I don't see?
#2. Ideally, I would like to verify that the vdsm-jsonrpc-java application is using
jackson-core 2.12.7 and jackson-databind 2.12.7-1 when installed on the engine system. What is
the best way to do it?
Thanks
From: Shubha Kulkarni
Sent: Thursday, September 7, 2023 1:47 PM
To: devel@ovirt.org
Subject: Jackson-databind related changes
Hello!
There have been changes added to ovirt-engine and vdsm-jsonrpc-java repos to address
security vulnerabilities in jackson-databind package. I see that the change is made to
bump up version of jackson-databind package to 2.12.7.1.
I am wondering which rpm versions of ovirt-engine and vdsm-jsonrpc-java have
these fixes? Also, I am curious what the best way to validate these changes is.
Thanks,
Shubha
_______________________________________________
Devel mailing list -- devel@ovirt.org
To unsubscribe send an email to
devel-leave@ovirt.org
Privacy Statement:
https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct:
https://www.ovirt.org/community/about/community-guidelines/
List Archives:
https://lists.ovirt.org/archives/list/devel@ovirt.org/message/UDIWOPJMWDC...
--
Martin Perina
Manager, Software Engineering
Red Hat Czech s.r.o.