
GHSA-72hv-8253-57qq: bump jackson-databind to 2.21.1 #1958

Open
morph027 wants to merge 3 commits into AsamK:master from
morph027:GHSA-72hv-8253-57qq-bump-jackson-databind-to-2.21.1

Conversation

@morph027
Contributor

@morph027 morph027 commented Mar 4, 2026

trivy scan result:

Total: 1 (MEDIUM: 0, HIGH: 1, CRITICAL: 0)
┌─────────────────────────────────────────┬─────────────────────┬──────────┬────────┬───────────────────┬───────────────────────┬────────────────────────────────────────────────────────┐
│                 Library                 │    Vulnerability    │ Severity │ Status │ Installed Version │     Fixed Version     │                         Title                          │
├─────────────────────────────────────────┼─────────────────────┼──────────┼────────┼───────────────────┼───────────────────────┼────────────────────────────────────────────────────────┤
│ com.fasterxml.jackson.core:jackson-core │ GHSA-72hv-8253-57qq │ HIGH     │ fixed  │ 2.20.2            │ 2.18.6, 2.21.1, 3.1.0 │ jackson-core: Number Length Constraint Bypass in Async │
│ (jackson-core-2.20.2.jar)               │                     │          │        │                   │                       │ Parser Leads to Potential DoS...                       │
│                                         │                     │          │        │                   │                       │ https://github.com/advisories/GHSA-72hv-8253-57qq      │
└─────────────────────────────────────────┴─────────────────────┴──────────┴────────┴───────────────────┴───────────────────────┴────────────────────────────────────────────────────────┘
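The advisory in the scan output names the mechanism (the number length constraint is not enforced by jackson-core's async parser), so the check a practitioner would want before and after such a bump is whether both the blocking and the non-blocking parser honour StreamReadConstraints.maxNumberLength. The following is an added example and not part of this PR or of signal-cli; the limit (100 digits) and the 5,000-digit input are constructed for the demo, and it is an assumption that the fixed versions surface the violation as a StreamConstraintsException from nextToken() or getNumberValue() on the async parser.

```java
import com.fasterxml.jackson.core.JsonFactory;
import com.fasterxml.jackson.core.JsonParser;
import com.fasterxml.jackson.core.StreamReadConstraints;
import com.fasterxml.jackson.core.async.ByteArrayFeeder;
import com.fasterxml.jackson.core.exc.StreamConstraintsException;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

public class NumberLengthCheck {

    // Constructed input: one JSON integer with far more digits than the limit below allows.
    static byte[] hugeNumber(int digits) {
        char[] c = new char[digits];
        Arrays.fill(c, '7');
        return new String(c).getBytes(StandardCharsets.US_ASCII);
    }

    // Factory with an explicit, deliberately small maxNumberLength (default is 1000).
    static JsonFactory factory(int maxNumberLength) {
        return JsonFactory.builder()
                .streamReadConstraints(StreamReadConstraints.builder()
                        .maxNumberLength(maxNumberLength)
                        .build())
                .build();
    }

    // True if the parser rejects the oversized number with StreamConstraintsException,
    // false if it silently decodes it (the bypass the advisory describes).
    static boolean rejects(JsonParser p) throws IOException {
        try {
            p.nextToken();
            p.getNumberValue();  // force full decoding in case nextToken did not already validate
            return false;
        } catch (StreamConstraintsException e) {
            return true;
        } finally {
            p.close();
        }
    }

    public static void main(String[] args) throws IOException {
        JsonFactory f = factory(100);
        byte[] doc = hugeNumber(5_000);

        // Blocking parser: the constraint has been enforced here since it was introduced.
        boolean blocking = rejects(f.createParser(doc));

        // Non-blocking (async) parser: the path the advisory is about.
        JsonParser async = f.createNonBlockingByteArrayParser();
        ByteArrayFeeder feeder = (ByteArrayFeeder) async.getNonBlockingInputFeeder();
        feeder.feedInput(doc, 0, doc.length);
        feeder.endOfInput();
        boolean nonBlocking = rejects(async);

        System.out.println("blocking parser enforces maxNumberLength: " + blocking);
        System.out.println("async parser enforces maxNumberLength:    " + nonBlocking);
        if (!nonBlocking) {
            System.out.println("async parser still bypasses the limit; jackson-core not fixed");
            System.exit(1);
        }
    }
}
```

Run it against the classpath the build actually resolves (jackson-core 2.20.2 before the bump, 2.21.1 after) rather than against a version pinned by hand; a scanner only sees the jar name, while this exercises the behaviour the jar name is supposed to guarantee.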

morph027 added 2 commits March 4, 2026 15:31
Signed-off-by: morph027 <stefan.heitmueller@gmx.com>
Signed-off-by: morph027 <stefan.heitmueller@gmx.com>
@AsamK
Owner

AsamK commented Mar 5, 2026

Did you test if everything works correctly with the update? Last time I tried it, I had to downgrade due to Conflicting property-based creators: already had explicit creator errors in libsignal-service.
4b8dec2

@morph027
Contributor Author

morph027 commented Mar 5, 2026

Ah, good to know. I'm about to package a test release today.

@morph027
Contributor Author

morph027 commented Mar 5, 2026

Build output shows updated version:

> Task :nativeCompile
[native-image-plugin] GraalVM Toolchain detection is enabled
[native-image-plugin] GraalVM uses toolchain detection. Selected:
[native-image-plugin]    - language version: 25
[native-image-plugin]    - vendor: GraalVM Community
[native-image-plugin]    - runtime version: 25.0.2+10-jvmci-b01
[native-image-plugin] Native Image executable path: /tmp/graalvm-community-openjdk-25.0.2+10.1/lib/svm/bin/native-image
Warning: Using a deprecated option --report-unsupported-elements-at-runtime from 'META-INF/native-image/okhttp/okhttp/native-image.properties' in 'file:///root/.gradle/caches/modules-2/files-2.1/com.squareup.okhttp3/okhttp-jvm/5.3.2/f31e8de27feebe1e56d6c9d354a0986b65be0e1d/okhttp-jvm-5.3.2.jar'. The option is deprecated and will be removed in the future. The use of unsupported elements is always reported at run time.
========================================================================================================================
GraalVM Native Image: Generating 'signal-cli' (executable)...
========================================================================================================================
For detailed information and explanations on the build output, visit:
https://github.com/oracle/graal/blob/master/docs/reference-manual/native-image/BuildOutput.md
------------------------------------------------------------------------------------------------------------------------
[1/8] Initializing...                                                                                    (6.1s @ 0.20GB)
 Java version: 25.0.2+10, vendor version: GraalVM CE 25.0.2+10.1
 Graal compiler: optimization level: 2, target machine: compatibility
 C compiler: gcc (linux, x86_64, 10.5.0)
 Garbage collector: Serial GC (max heap size: 80% of RAM)
 3 user-specific feature(s):
 - com.oracle.svm.thirdparty.gson.GsonFeature
 - okhttp3.internal.graal.OkHttpFeature
 - org.sqlite.nativeimage.SqliteJdbcFeature
------------------------------------------------------------------------------------------------------------------------
Build resources:
 - 25.06GB of memory (75.6% of system memory, in container)
 - 4 thread(s) (100.0% of 4 available processor(s), determined at start)
[2/8] Performing analysis...  [*****]                                                                   (55.7s @ 2.52GB)
   20,121 types,  31,291 fields, and  96,282 methods found reachable
    6,514 types,   2,984 fields, and  10,357 methods registered for reflection
      141 types,      97 fields, and     389 methods registered for JNI access
        0 downcalls and 0 upcalls registered for foreign access
        4 native libraries: dl, pthread, rt, z
[3/8] Building universe...                                                                               (8.1s @ 2.82GB)
[4/8] Parsing methods...      [***]                                                                      (5.1s @ 2.99GB)
[5/8] Inlining methods...     [***]                                                                      (3.5s @ 3.21GB)
[6/8] Compiling methods...    [*******]                                                                 (55.1s @ 2.38GB)
[7/8] Laying out methods...   [***]                                                                      (7.7s @ 3.14GB)
[8/8] Creating image...       [***]                                                                      (6.3s @ 3.68GB)
  48.10MB (14.26%) for code area:    61,820 compilation units
 283.51MB (84.05%) for image heap:  439,785 objects and 440 resources
   5.69MB ( 1.69%) for other data
 337.30MB in total image size, 331.95MB in total file size
------------------------------------------------------------------------------------------------------------------------
Top 10 origins of code area:                                Top 10 object types in image heap:
  13.14MB java.base                                          235.88MB byte[] for general heap data
   5.37MB bcprov-jdk18on-1.83.jar                             12.75MB byte[] for code metadata
   4.98MB signal-service-java-2.15.3_unofficial_140.jar        7.96MB byte[] for java.lang.String
   4.34MB kotlin-reflect-2.1.21.jar                            4.62MB char[]
   3.57MB java.xml                                             4.26MB java.lang.String
   2.14MB libsignal-cli-0.14.0+morph027+5.jar                  4.02MB com.oracle.svm.core.hub.DynamicHubCompanion
   1.86MB svm.jar (Native Image)                               3.01MB java.lang.Class
   1.74MB jackson-databind-2.21.1.jar                          1.45MB byte[] for reflection metadata
   1.49MB signal-cli-0.14.0+morph027+5.jar                     1.02MB heap alignment
 868.76kB logback-core-1.5.32.jar                            843.75kB java.lang.String[]
   7.66MB for 51 more packages                                 7.70MB for 4150 more object types
------------------------------------------------------------------------------------------------------------------------
Recommendations:
 FUTR: Use '--future-defaults=all' to prepare for future releases.
 HEAP: Set max heap for improved and more predictable memory usage.
------------------------------------------------------------------------------------------------------------------------
                       13.2s (8.6% of total time) in 1579 GCs | Peak RSS: 5.01GB | CPU load: 3.14
------------------------------------------------------------------------------------------------------------------------
Build artifacts:
 /tmp/signal-cli/build/native/nativeCompile/signal-cli (executable)
========================================================================================================================
Finished generating 'signal-cli' in 2m 31s.
[native-image-plugin] Native Image written to: /tmp/signal-cli/build/native/nativeCompile

BUILD SUCCESSFUL in 4m 16s

Going to install it now.

@morph027
Contributor Author

morph027 commented Mar 5, 2026

Daemon has started and is sending and receiving messages.

@morph027
Contributor Author

morph027 commented Mar 5, 2026

Looks good so far. Anything special to test?

@AsamK
Owner

AsamK commented Mar 8, 2026

The updateAccount command does not work for me after the update (jvm version, signal-cli -a +XXXX updateAccount):

UpdateAccount error: Conflicting property-based creators: already had explicit creator [constructor for `org.whispersystems.signalservice.internal.push.WhoAmIResponse$Entitlements` (0 args), annotations: {interface com.fasterxml.jackson.annotation.JsonCreator=@com.fasterxml.jackson.annotation.JsonCreator(mode=DEFAULT)}, encountered another: [constructor for `org.whispersystems.signalservice.internal.push.WhoAmIResponse$Entitlements` (2 args), annotations: {interface com.fasterxml.jackson.annotation.JsonCreator=@com.fasterxml.jackson.annotation.JsonCreator(mode=DEFAULT)}
 at [Source: REDACTED (`StreamReadFeature.INCLUDE_SOURCE_IN_LOCATION` disabled); line: 1, column: 1]
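The error quoted above is Jackson refusing to choose between two constructors that both carry @JsonCreator in the default mode, one with 0 arguments and one with 2. The following is an added example and not libsignal-service's code: the class shape, field names and types are invented as a stand-in for WhoAmIResponse$Entitlements, and it is an assumption that the real class looks like this. It reproduces the conflict with a minimal class and, beside it, the shape that resolves it by making the creator choice explicit (no annotation on the no-arg constructor, an explicit PROPERTIES mode on the property-based one).

```java
import com.fasterxml.jackson.annotation.JsonCreator;
import com.fasterxml.jackson.annotation.JsonProperty;
import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.ObjectMapper;

public class CreatorConflictDemo {

    // Hypothetical stand-in for WhoAmIResponse$Entitlements: two constructors, both
    // annotated @JsonCreator in the default mode. Field names are invented for the demo.
    static final class Entitlements {
        final boolean backup;
        final long expiresAt;

        @JsonCreator
        Entitlements() { this(false, 0L); }

        @JsonCreator
        Entitlements(@JsonProperty("backup") boolean backup,
                     @JsonProperty("expiresAt") long expiresAt) {
            this.backup = backup;
            this.expiresAt = expiresAt;
        }

        @Override public String toString() { return "Entitlements{" + backup + "," + expiresAt + "}"; }
    }

    // Same shape with the ambiguity removed: the no-arg constructor is a plain default
    // constructor (no annotation), and the property-based creator declares its mode.
    static final class EntitlementsFixed {
        final boolean backup;
        final long expiresAt;

        EntitlementsFixed() { this(false, 0L); }

        @JsonCreator(mode = JsonCreator.Mode.PROPERTIES)
        EntitlementsFixed(@JsonProperty("backup") boolean backup,
                          @JsonProperty("expiresAt") long expiresAt) {
            this.backup = backup;
            this.expiresAt = expiresAt;
        }

        @Override public String toString() { return "EntitlementsFixed{" + backup + "," + expiresAt + "}"; }
    }

    // Deserialize and report either the result or the mapping error text.
    static String tryRead(ObjectMapper mapper, String json, Class<?> type) {
        try {
            return "ok: " + mapper.readValue(json, type);
        } catch (JsonProcessingException e) {
            return "error: " + e.getOriginalMessage();
        }
    }

    public static void main(String[] args) {
        ObjectMapper mapper = new ObjectMapper();
        // Constructed input for the demo.
        String json = "{\"backup\":true,\"expiresAt\":1700000000}";

        // On jackson-databind versions that report the conflict, this prints the
        // "Conflicting property-based creators: already had explicit creator ..." message.
        System.out.println(tryRead(mapper, json, Entitlements.class));

        // The explicit form deserializes on those same versions.
        System.out.println(tryRead(mapper, json, EntitlementsFixed.class));
    }
}
```

The point for a dependency bump like this one is that the failure is not in the library being upgraded but in a consumer's annotations that earlier versions tolerated, and it only surfaces on the first request that deserializes the affected type (here, WhoAmIResponse in updateAccount), so a smoke test that only sends and receives messages will not catch it.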

@morph027
Contributor Author

morph027 commented Mar 8, 2026

signal-cli@signal-gateway:~$ signal-cli -c /var/lib/signal-cli/ -a "..." updateAccount --username ...
Your new username: ... (...)

Looks good.
