I think the branch is already cut, I am thinking should we wait for the package restructuring branch merge (for 1.0.0 release) and then commit or commit now. Would like to see what folks think.
Best, Sandeep On Fri, Dec 15, 2017 at 1:45 PM, Philip Zampino <pzamp...@gmail.com> wrote: > It may depend on whether the 0.14.0 branch has been created yet or not. > > On Fri, Dec 15, 2017 at 12:46 PM, Colm O hEigeartaigh (JIRA) < > j...@apache.org> wrote: > > > > > [ https://issues.apache.org/jira/browse/KNOX-1145?page= > > com.atlassian.jira.plugin.system.issuetabpanels:comment- > > tabpanel&focusedCommentId=16292900#comment-16292900 ] > > > > Colm O hEigeartaigh commented on KNOX-1145: > > ------------------------------------------- > > > > Any objections to this patch for master? > > > > > Upgrade Jackson due to CVE-2017-7525 > > > ------------------------------------ > > > > > > Key: KNOX-1145 > > > URL: https://issues.apache.org/jira/browse/KNOX-1145 > > > Project: Apache Knox > > > Issue Type: Improvement > > > Reporter: Colm O hEigeartaigh > > > Assignee: Colm O hEigeartaigh > > > Fix For: 1.0.0 > > > > > > Attachments: KNOX-1145.patch > > > > > > > > > Apache Knox currently ships the Jackson databind jar version 2.2.2. > > However, there is a security advisory CVE-2017-7525 released for this > > component: > > > https://github.com/FasterXML/jackson-databind/issues/1599 > > > We should upgrade Jackson to pick this fix up. > > > > > > > > -- > > This message was sent by Atlassian JIRA > > (v6.4.14#64029) > > >
