CVE-2022-42004 - Update jackson version #588
Assignees
Comments
stummb
added a commit
to stummb/sdk-java
that referenced
this issue
Sep 18, 2023
stummb
added a commit
to stummb/sdk-java
that referenced
this issue
Sep 18, 2023
Signed-off-by: Boris Stumm <bs@boris-stumm.de>
pierDipi
pushed a commit
that referenced
this issue
Oct 2, 2023
Signed-off-by: Boris Stumm <bs@boris-stumm.de>
|
PR merged eaef3be |
|
@pierDipi has a new release been made with this patch? |
|
I don't think so, this requires a major release and we're batching changes for a 3.0, however, users can change dependencies versions in their own projects |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
cloudevents-jackson-json still uses jackson 2.13.3, which is vulnerable: https://nvd.nist.gov/vuln/detail/CVE-2022-42004
I can prepare an PR. Which version would be appropriate? Current versions are 2.13.5, 2.14.3, 2.15.2.
#575 and #577 bumped jackson-dataformat-yaml to 2.15.2 in cloudevents-sql, I guess that is the most reasonable choice.
The text was updated successfully, but these errors were encountered: