Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update Jackson to 2.9.10 when available and remove exclusions for CVE-2019-14540 #298

Closed
ryber opened this issue Sep 21, 2019 · 1 comment
Closed

Update Jackson to 2.9.10 when available and remove exclusions for CVE-2019-14540 #298

ryber opened this issue Sep 21, 2019 · 1 comment
Labels
CVE

Comments

@ryber
Copy link
Collaborator

ryber commented Sep 21, 2019

Note that Jackson is only a test dependency of core Uniest-Java. It is a full dependency of the object-mapper-jackson plugin.

Also in neither case do we enable default typing (see https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062)

This issue is a reminder the patches should be available in two weeks FasterXML/jackson-databind#2410
@ryber ryber added the CVE label Sep 22, 2019
@ryber
Copy link
Collaborator Author

ryber commented Sep 27, 2019

Fixed in both the 3 line: 32fee44
and 2 line: cb6bdd9

@ryber ryber closed this as completed Sep 27, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
CVE
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@ryber