Bump jackson-core and jackson-databind from 2.13.2 to 2.14.1 #2337

Merged
merged 2 commits into from
Dec 6, 2022
@MelaineGerard (Contributor) commented Nov 23, 2022

Pull Request Etiquette

Changes

  • Internal code
  • Library interface (affecting end-user code)
  • Documentation
  • Other: Dependencies Update

Closes Issue: NaN

Description

CVE-2022-42003 7.5 Deserialization of Untrusted Data vulnerability pending CVSS allocation
CVE-2022-42004 7.5 Deserialization of Untrusted Data vulnerability pending CVSS allocation

@MinnDevelopment (Member)

Neither of these vulnerabilities affects JDA, since it only deserializes trusted data.

@JellyBrick commented Dec 1, 2022

FasterXML/jackson-databind#3665 issue was fixed in >=2.14.1, so it would be great to bump the version to 2.14.1.

@MinnDevelopment (Member)

Could you also please update the versions in the README?

@MelaineGerard changed the title from "Bump jackson-core and jackson-databind from 2.13.2 to 2.14.0" to "Bump jackson-core and jackson-databind from 2.13.2 to 2.14.1" on Dec 3, 2022

@MinnDevelopment merged commit 00f4226 into discord-jda:master on Dec 6, 2022