Upgrade to jackson-databind 2.9.10.1 to fix CVE #4790
Conversation
|
We need @cescoffier 's blessing for it as IIRC we were waiting for some Vert.x feedback. |
I think it's for 2.10 that we need Vert.x feedback. 2.9.10.1 is just a security update ... |
bom/runtime/pom.xml
Outdated
| <!-- Fix a databing version higher that the one from the BOM for CVE vulnerabilities: CVE-2019-16942, CVE-2019-16943, CVE-2019-17531 --> | ||
| <jackson-databind.version>2.9.10.1</jackson-databind.version> |
There was a problem hiding this comment.
Adding another property and dependency is not need, the BOM is used in Quarkus, so the BOM should be updated.
The Jackson BOM version corresponding to this fix is 2.9.10.20191020 so is enough to change
<jackson.version>2.9.10.20191020</jackson.version>There was a problem hiding this comment.
My bad, I search on maven if there was an updated BOM and missed that one.
PR updated
loicmathieu
force-pushed
the
fix/jackson-databind-cve
branch
from
da7ba39 to
6e1634a
Compare
Ah yes, sorry I missed that it was a 2.9. I will merge it right away. Thanks! |
This upgrade will fix these new CVE-2019-16942, CVE-2019-16943, CVE-2019-17531
Unfortunatly, this version in not in the Jackson BOM 2.9.10 and there is no patch version of BOM so we have to add an explicit dependency management to it