From 85856bdc7381bf119e8a843e0c583b1deaa321c1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nicol=C3=B2=20Boschi?=
Date: Fri, 25 Mar 2022 11:26:11 +0100
Subject: [PATCH 1/2] [security] Upgrade jackson-databind to get rid of CVE-2020-36518
---
 bookkeeper-dist/src/main/resources/LICENSE-all.bin.txt | 2 +-
 bookkeeper-dist/src/main/resources/LICENSE-bkctl.bin.txt | 2 +-
 bookkeeper-dist/src/main/resources/LICENSE-server.bin.txt | 2 +-
 dependencies.gradle | 3 ++-
 pom.xml | 7 +++++++
 5 files changed, 12 insertions(+), 4 deletions(-)
diff --git a/bookkeeper-dist/src/main/resources/LICENSE-all.bin.txt b/bookkeeper-dist/src/main/resources/LICENSE-all.bin.txt
index 1a815b633f2..9380703d682 100644
--- a/bookkeeper-dist/src/main/resources/LICENSE-all.bin.txt
+++ b/bookkeeper-dist/src/main/resources/LICENSE-all.bin.txt
@@ -207,7 +207,7 @@ Apache Software License, Version 2.
 - lib/com.fasterxml.jackson.core-jackson-annotations-2.13.2.jar [1]
 - lib/com.fasterxml.jackson.core-jackson-core-2.13.2.jar [2]
-- lib/com.fasterxml.jackson.core-jackson-databind-2.13.2.jar [3]
+- lib/com.fasterxml.jackson.core-jackson-databind-2.13.2.1.jar [3]
 - lib/com.google.guava-guava-31.0.1-jre.jar [4]
 - lib/com.google.guava-failureaccess-1.0.1.jar [4]
 - lib/com.google.guava-listenablefuture-9999.0-empty-to-avoid-conflict-with-guava.jar [4]
diff --git a/bookkeeper-dist/src/main/resources/LICENSE-bkctl.bin.txt b/bookkeeper-dist/src/main/resources/LICENSE-bkctl.bin.txt
index ba06c3b16aa..45e7c1a04cc 100644
--- a/bookkeeper-dist/src/main/resources/LICENSE-bkctl.bin.txt
+++ b/bookkeeper-dist/src/main/resources/LICENSE-bkctl.bin.txt
@@ -207,7 +207,7 @@ Apache Software License, Version 2.
 - lib/com.fasterxml.jackson.core-jackson-annotations-2.13.2.jar [1]
 - lib/com.fasterxml.jackson.core-jackson-core-2.13.2.jar [2]
-- lib/com.fasterxml.jackson.core-jackson-databind-2.13.2.jar [3]
+- lib/com.fasterxml.jackson.core-jackson-databind-2.13.2.1.jar [3]
 - lib/com.google.guava-guava-31.0.1-jre.jar [4]
 - lib/com.google.guava-failureaccess-1.0.1.jar [4]
 - lib/com.google.guava-listenablefuture-9999.0-empty-to-avoid-conflict-with-guava.jar [4]
diff --git a/bookkeeper-dist/src/main/resources/LICENSE-server.bin.txt b/bookkeeper-dist/src/main/resources/LICENSE-server.bin.txt
index 34f8c788004..92a3a5c3cb6 100644
--- a/bookkeeper-dist/src/main/resources/LICENSE-server.bin.txt
+++ b/bookkeeper-dist/src/main/resources/LICENSE-server.bin.txt
@@ -207,7 +207,7 @@ Apache Software License, Version 2.
 - lib/com.fasterxml.jackson.core-jackson-annotations-2.13.2.jar [1]
 - lib/com.fasterxml.jackson.core-jackson-core-2.13.2.jar [2]
-- lib/com.fasterxml.jackson.core-jackson-databind-2.13.2.jar [3]
+- lib/com.fasterxml.jackson.core-jackson-databind-2.13.2.1.jar [3]
 - lib/com.google.guava-guava-31.0.1-jre.jar [4]
 - lib/com.google.guava-failureaccess-1.0.1.jar [4]
 - lib/com.google.guava-listenablefuture-9999.0-empty-to-avoid-conflict-with-guava.jar [4]
diff --git a/dependencies.gradle b/dependencies.gradle
index 8da660af028..03e60c4e272 100644
--- a/dependencies.gradle
+++ b/dependencies.gradle
@@ -50,6 +50,7 @@ depVersions = [
 hdrhistogram: "2.1.10",
 httpclient: "4.5.13",
 jackson: "2.13.2",
+ jacksonDatabind: "2.13.2.1",
 javaxServlet: "4.0.0",
 javaAnnotations:"1.3.2",
 jcommander: "1.78",
@@ -152,7 +153,7 @@ depLibs = [
 jacksonAnnotations: "com.fasterxml.jackson.core:jackson-annotations:${depVersions.jackson}",
 javaAnnotations: "javax.annotation:javax.annotation-api:${depVersions.javaAnnotations}",
 jacksonCore: "com.fasterxml.jackson.core:jackson-core:${depVersions.jackson}",
- jacksonDatabind: "com.fasterxml.jackson.core:jackson-databind:${depVersions.jackson}",
+ jacksonDatabind: "com.fasterxml.jackson.core:jackson-databind:${depVersions.jacksonDatabind}",
 javaxServlet: "javax.servlet:javax.servlet-api:${depVersions.javaxServlet}",
 jcommander: "com.beust:jcommander:${depVersions.jcommander}",
 jctools: "org.jctools:jctools-core:${depVersions.jctools}",
diff --git a/pom.xml b/pom.xml
index 44710dd1bd4..86fed0e40b0 100644
--- a/pom.xml
+++ b/pom.xml
@@ -137,6 +137,7 @@ 1.3 2.1.10 2.13.2 + 2.13.2.1 1.78 9.4.43.v20210629 1.19
@@ -349,6 +350,12 @@ pom import + + + com.fasterxml.jackson.core jackson-databind ${jackson-databind.version} + javax.servlet javax.servlet-api
From 4a2ac2d37cc20ff41f43511ec042dfb37fdde1d5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nicol=C3=B2=20Boschi?=
Date: Fri, 25 Mar 2022 17:47:58 +0100
Subject: [PATCH 2/2] fix gradle
---
 build.gradle | 1 +
 dependencies.gradle | 4 +++-
 2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/build.gradle b/build.gradle
index 86f1f39a245..e30c984281e 100644
--- a/build.gradle
+++ b/build.gradle
@@ -309,6 +309,7 @@ allprojects {
 dependencies {
 implementation(enforcedPlatform(depLibs.nettyBom))
 testImplementation depLibs.log4jSlf4jImpl
+ implementation(enforcedPlatform(depLibs.jacksonBom))
 }
 
 dependencies {
diff --git a/dependencies.gradle b/dependencies.gradle
index 03e60c4e272..4e4953c62ed 100644
--- a/dependencies.gradle
+++ b/dependencies.gradle
@@ -50,6 +50,7 @@ depVersions = [
 hdrhistogram: "2.1.10",
 httpclient: "4.5.13",
 jackson: "2.13.2",
+ jacksonBom: "2.13.2.20220324",
 jacksonDatabind: "2.13.2.1",
 javaxServlet: "4.0.0",
 javaAnnotations:"1.3.2",
@@ -152,8 +153,9 @@ depLibs = [
 },
 jacksonAnnotations: "com.fasterxml.jackson.core:jackson-annotations:${depVersions.jackson}",
 javaAnnotations: "javax.annotation:javax.annotation-api:${depVersions.javaAnnotations}",
+ jacksonBom: "com.fasterxml.jackson:jackson-bom:${depVersions.jacksonBom}",
 jacksonCore: "com.fasterxml.jackson.core:jackson-core:${depVersions.jackson}",
- jacksonDatabind: "com.fasterxml.jackson.core:jackson-databind:${depVersions.jacksonDatabind}",
+ jacksonDatabind: "com.fasterxml.jackson.core:jackson-databind:${depVersions.jackson}",
 javaxServlet: "javax.servlet:javax.servlet-api:${depVersions.javaxServlet}",
 jcommander: "com.beust:jcommander:${depVersions.jcommander}",
 jctools: "org.jctools:jctools-core:${depVersions.jctools}",
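Review bot: Pointing `jacksonDatabind` back at `${depVersions.jackson}` leaves the `jacksonDatabind: "2.13.2.1",` entry added to `depVersions` in the previous hunk unused, so anyone reading that map will believe databind is pinned to 2.13.2.1 there, when it is the `enforcedPlatform(depLibs.jacksonBom)` line in build.gradle that actually selects the version. Either delete the stale `jacksonDatabind: "2.13.2.1",` line or make the map state what governs it, e.g. `jacksonBom: "2.13.2.20220324", // enforced in build.gradle; presumably resolves jackson-databind to 2.13.2.1 (CVE-2020-36518) - keep in step with jackson-databind.version in pom.xml`. Maven and Gradle now pin databind by different mechanisms (an explicit dependencyManagement entry versus the BOM), so a future bump must touch both files; that is worth saying beside the BOM line or in the commit message. The `depLibs` map continues outside the hunk.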