
[GHSA-gx6w-fqg7-mc3p] An issue was discovered jackson-databind thru 2.15.2... #2945

Conversation

pjfanning

Updates

  • Affected products
  • References
  • Severity
  • Summary

Comments
The fix is in the jackson-core 2.16.0 release, out today. Stack overflow is protected against. We still contend that this issue is not CVE worthy. You can only get it by writing your own bad code.

@github-actions github-actions bot changed the base branch from main to pjfanning/advisory-improvement-2945 November 16, 2023 16:22
shelbyc (Contributor) commented Nov 16, 2023

👋 Hi @pjfanning, we haven't reviewed and issued alerts for this advisory because the CVE is disputed. We can't add the fixed version without reviewing the advisory and generating Dependabot alerts. Are you (and the other maintainers of jackson-databind?) OK with users receiving Dependabot alerts about CVE-2023-35116?

pjfanning (Author)

Ideally, this should be closed - better still deleted. If you don't delete it then it is useful to at least have the 2.16.0 version number highlighted so that people at least know that even the non-issue is no longer a non-issue after 2.16.0.

shelbyc (Contributor) commented Nov 20, 2023

@pjfanning Before taking action, I want to lay out what happens with both options to make sure we're making the decision that's best for jackson-databind maintainers and users.

The advisory is currently unreviewed, meaning that Dependabot security alerts are not being sent to encourage users to upgrade to the latest version because of a vulnerability. If users have Dependabot version updates enabled, they are currently receiving pull requests to update since a newer version exists (example). If the goal is to encourage end users to upgrade to the latest version because it exists, but isn't a security fix related release, then this is likely covered by Dependabot version updates.

Our current opinion is not to review the advisory and publish it in the database if it is not a valid security vulnerability.

If we review the advisory, users will get a Dependabot alert that notes the existence of a vulnerability, which encourages more urgent upgrading. Based on comments I've seen in this issue, it looks like there are users who agree that this isn't a legitimate issue, and there's a good chance they won't be happy with an advisory telling them to upgrade urgently because of a vulnerability whose existence cannot be independently verified. A reviewed advisory description could say that the vulnerability is not a serious issue, but an upgrade is available out of an abundance of caution. However, I'm reluctant to send security alerts for an issue that's not a real vulnerability to thousands of issues, possibly lessening user trust in the process.

pjfanning (Author)

The thing is, if you type CVE-2023-35116 into a GitHub comment or description, GitHub turns that into a link to this page. So not including info that the stack overflow is fixed in jackson-core 2.16.0 is a problem. Is there any way that the GHSA-gx6w-fqg7-mc3p links could be removed?

@pjfanning pjfanning closed this Dec 18, 2023
@github-actions github-actions bot deleted the pjfanning-GHSA-gx6w-fqg7-mc3p branch December 18, 2023 09:33