[jira] [Commented] (TIKA-2964) Upgrade Jackson Databind dependency to 2.9.10.1 or 2.10.0 to fix latest CVEs

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

[jira] [Commented] (TIKA-2964) Upgrade Jackson Databind dependency to 2.9.10.1 or 2.10.0 to fix latest CVEs

Hudson (Jira)

    [ https://issues.apache.org/jira/browse/TIKA-2964?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16950254#comment-16950254 ]

ASF GitHub Bot commented on TIKA-2964:
--------------------------------------

alexott commented on pull request #287: [TIKA-2964] Upgrade Jackson Databind to 2.10.0 to fix latest CVEs
URL: https://github.com/apache/tika/pull/287
 
 
   
 
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
[hidden email]


> Upgrade Jackson Databind dependency to 2.9.10.1 or 2.10.0 to fix latest CVEs
> ----------------------------------------------------------------------------
>
>                 Key: TIKA-2964
>                 URL: https://issues.apache.org/jira/browse/TIKA-2964
>             Project: Tika
>          Issue Type: Bug
>          Components: parser
>    Affects Versions: 1.23
>            Reporter: Alex Ott
>            Priority: Major
>
> When compiling the latest version of the source code, following error is reported:
> {noformat}
> [ERROR] Failed to execute goal org.sonatype.ossindex.maven:ossindex-maven-plugin:3.0.4:audit (audit-dependencies) on project tika-parsers: Detected 1 vulnerable components:
> [ERROR]   com.fasterxml.jackson.core:jackson-databind:jar:2.9.10:compile; https://ossindex.sonatype.org/component/pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.10
> [ERROR]     * [CVE-2019-16943] A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 th... (0.0); https://ossindex.sonatype.org/vuln/f4f0c103-c9d9-4308-bd8f-489f2a632680
> [ERROR]     * [CVE-2019-16942] A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 th... (0.0); https://ossindex.sonatype.org/vuln/07632245-fcef-4eb3-82b6-aadbbfd2b33e
> {noformat}
> We need to bump version after the 2.9.10.1 is released or consider switching to 2.10 that isn't vulnerable...



--
This message was sent by Atlassian Jira
(v8.3.4#803005)