Update dependency com.google.code.gson:gson to v2.8.9 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
com.google.code.gson:gson	2.8.7 → 2.8.9

---

Deserialization of Untrusted Data in Gson

CVE-2022-25647 / GHSA-4jrv-ppp4-jm57

More information

Details

The package com.google.code.gson:gson before 2.8.9 is vulnerable to Deserialization of Untrusted Data via the writeReplace() method in internal classes, which may lead to denial of service attacks.

Severity

• CVSS Score: 7.7 / 10 (High)
• Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:H

References

• https://nvd.nist.gov/vuln/detail/CVE-2022-25647
• https://github.com/google/gson/pull/1991
• https://github.com/google/gson/pull/1991/commits
• https://snyk.io/vuln/SNYK-JAVA-COMGOOGLECODEGSON-1730327
• https://lists.debian.org/debian-lts-announce/2022/05/msg00015.html
• https://www.oracle.com/security-alerts/cpujul2022.html
• https://lists.debian.org/debian-lts-announce/2022/09/msg00009.html
• https://security.netapp.com/advisory/ntap-20220901-0009/
• https://www.debian.org/security/2022/dsa-5227
• https://github.com/advisories/GHSA-4jrv-ppp4-jm57

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

google/gson (com.google.code.gson:gson)

v2.8.9

• Make OSGi bundle's dependency on sun.misc optional (#​1993).
• Deprecate Gson.excluder() exposing internal Excluder class (#​1986).
• Prevent Java deserialization of internal classes (#​1991).
• Improve number strategy implementation (#​1987).
• Fix LongSerializationPolicy null handling being inconsistent with Gson (#​1990).
• Support arbitrary Number implementation for Object and Number deserialization (#​1290).
• Bump proguard-maven-plugin from 2.4.0 to 2.5.1 (#​1980).
• Don't exclude static local classes (#​1969).
• Fix RuntimeTypeAdapterFactory depending on internal Streams class (#​1959).
• Improve Maven build (#​1964).
• Make dependency on java.sql optional (#​1707).

v2.8.8

• Fixed issue with recursive types (#​1390).
• Better behaviour with Java 9+ and Unsafe if there is a security manager (#​1712).
• EnumTypeAdapter now works better when ProGuard has obfuscated enum fields (#​1495).

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.