Block two more gadgets to exploit default typing issue (c3p0, CVE-2018-7489)

[cowtowncoder]

From an email report there are 2 other c3p0 classes (above and beyond ones listed in #1737) need to be blocked.

EDIT 21-Jun-2021: Fix included in:

• 2.9.5
• 2.8.11.1
• 2.7.9.3
• 2.6.7.5

[cowtowncoder]

Fixed in 2.8.11.1 (newly released) and 2.9.5 (when it is released)

[philippn]

Hi there!
How comes that there is no atifact in http://repo1.maven.org/maven2/com/fasterxml/jackson/jackson-bom/ that is matching release 2.8.11.1?

This is preventing me from upgrading to 2.8.11.1 because that artifact would be required by Spring boots dependency management.

Thanks in advance!

[cowtowncoder]

@philippn Because beyond 2.8.11.1 there is no full release, and it is not really practical to create one-off bom sets: there may or may not be micro-patches for various components.

What you need to do is to either use 2.8.11 bom and overrides (re-define one of version properties) or add explicit direct dependency. Alternatively you could probably build a separate bom of your own, one that extends jackson-bom-2.8.11.

[philippn]

Thanks for the clarification!

[cowtowncoder]

@philippn np. And apologies for the mess. I understand it is not ideal, and I am hoping we can figure out a more maintainable system for CVE updates.

[cowtowncoder]

For further info: https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062