KAFKA-13775: CVE-2020-36518 - Upgrade jackson-databind to 2.12.6.1

[edwin092]

CVE-2020-36518 vulnerability affects jackson-databind (see GHSA-57j2-w4cx-62h2).

Upgrading to jackson-databind version 2.12.6.1 addresses this CVE.

Committer Checklist (excluded from commit message)

• Verify design and implementation
• Verify test coverage and CI build status
• Verify documentation (including upgrade notes)

[showuon]

LGTM! Thanks for the PR. @cadonna , I think this fix should backport to 3.2. WDYT?

[cadonna]

@showuon I agree.

@edwin092 Could you also modify the LICENSE-binary file with the new version. It would be really helpful, if you could also update the other jackson versions there.

[edwin092]

@showuon I agree.

@edwin092 Could you also modify the LICENSE-binary file with the new version. It would be really helpful, if you could also update the other jackson versions there.

Sure! Done!

[cadonna]

@edwin092 Thanks!
You do justice to your profile picture! 🙂

[cadonna]

LGTM!

[cadonna]

Once the builds are good, I will merge the PR to trunk and cherry-pick it to 3.2.

[cadonna]

@tombentley Do you want to consider this PR for 3.1?

[cadonna]

Failures are unrelated

Build / JDK 8 and Scala 2.12 / kafka.network.DynamicConnectionQuotaTest.testDynamicListenerConnectionCreationRateQuota()
Build / JDK 11 and Scala 2.13 / kafka.server.KRaftClusterTest.testCreateClusterAndPerformReassignment()

[cadonna]

Cherry-picked to 3.2

[cadonna]

Cherry-picked to 3.1 \cc @tombentley

[cadonna]

Thank you @edwin092 !

[efeg]

@tombentley @cadonna Based on https://cwiki.apache.org/confluence/display/KAFKA/Release+Plan+3.1.1 the release date is March or April. Are there any updates on when we can expect the release of 3.1.1 with this vulnerability fix?