From 5a742d9e9dce7c3da9ba193d61f0505e7cc57ec5 Mon Sep 17 00:00:00 2001
From: "Thomas Nelson (arthurdent3)" <nelson24@att.com>
Date: Tue, 17 Sep 2019 09:49:58 -0400
Subject: [PATCH] Jackson Faster-xml vulnerability.

CVE-2019-14439 Information Disclosure Vulnerability

FasterXML Jackson-databind is prone to an information-disclosure
vulnerability that occurs due to a polymorphic typing issue.
Specifically, this issue occurs when an externally exposed JSON endpoint
has default typing enabled and has logback jar in the classpath.

An attacker can exploit this issue to obtain sensitive information that
may aid in further attacks.

Issue-ID: MUSIC-504
Signed-off-by: Thomas Nelson (arthurdent3) <nelson24@att.com>
Signed-off-by: Thomas Nelson (arthurdent3) <nelson24@att.com>
Change-Id: I2c31986ff2d792d482f84406e96c47dbf652f32f
---
 pom.xml            | 18 +++++++++---------
 version.properties |  2 +-
 2 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/pom.xml b/pom.xml
index f8ab95a2..11b999ad 100755
--- a/pom.xml
+++ b/pom.xml
@@ -27,7 +27,7 @@
     <groupId>org.onap.music</groupId>
     <artifactId>MUSIC</artifactId>
     <packaging>jar</packaging>
-    <version>3.2.35-SNAPSHOT</version>
+    <version>3.2.36-SNAPSHOT</version>
     <description>
             This is the MUSIC REST interface, packaged as a Springboot jar file.
     </description>
@@ -37,7 +37,7 @@
         <artifactId>oparent</artifactId>
         <version>2.0.0</version>
         <relativePath/>
-    </parent> 
+    </parent>
 
     <dependencyManagement>
         <dependencies>
@@ -338,7 +338,7 @@
             <groupId>com.datastax.cassandra</groupId>
             <artifactId>cassandra-driver-core</artifactId>
             <version>${cassandra.version}</version>
-        </dependency> 
+        </dependency>
         <!-- /Cassandra -->
         <!-- Jersey -->
         <dependency>
@@ -436,22 +436,22 @@
         <dependency>
             <groupId>com.fasterxml.jackson.datatype</groupId>
             <artifactId>jackson-datatype-jsr310</artifactId>
-            <version>2.9.8</version>
+            <version>2.9.9</version>
         </dependency>
         <dependency>
             <groupId>com.fasterxml.jackson.core</groupId>
             <artifactId>jackson-databind</artifactId>
-            <version>2.9.8</version>
+            <version>2.9.9.2</version>
         </dependency>
         <dependency>
             <groupId>com.fasterxml.jackson.core</groupId>
             <artifactId>jackson-core</artifactId>
-            <version>2.9.8</version>
+            <version>2.9.9</version>
         </dependency>
         <dependency>
             <groupId>com.fasterxml.jackson.core</groupId>
             <artifactId>jackson-annotations</artifactId>
-            <version>2.9.8</version>
+            <version>2.9.9</version>
         </dependency>
         <dependency>
             <groupId>org.apache.httpcomponents</groupId>
@@ -654,8 +654,8 @@
                 </plugins>
             </build>
         </profile>
-        <profile> 
-            <id>default</id> 
+        <profile>
+            <id>default</id>
         </profile>
     </profiles>
     <distributionManagement>
diff --git a/version.properties b/version.properties
index c9da85ed..a7893b25 100755
--- a/version.properties
+++ b/version.properties
@@ -4,7 +4,7 @@
 
 major=3
 minor=2
-patch=35
+patch=36
 
 base_version=${major}.${minor}.${patch}
 
-- 
2.16.6