[
https://issues.apache.org/jira/browse/SOLR-13112?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16837401#comment-16837401
]
Cassandra Targett commented on SOLR-13112:
------------------------------------------
[~krisden], I wasn't sure if I'd have time today, so offline I asked if Hoss
would do it for me but he hasn't started it yet. Since you did the original
commit and you have the time, I'm fine if you don't mind doing it.
> Upgrade jackson to 2.9.8
> ------------------------
>
> Key: SOLR-13112
> URL: https://issues.apache.org/jira/browse/SOLR-13112
> Project: Solr
> Issue Type: Bug
> Security Level: Public (Default Security Level. Issues are Public)
> Affects Versions: 7.6
> Environment: RedHat Linux. May run from RHEL versions 5, 6 or 7
> but this issue is from Sonatype component scan and should be independent of
> Linux platform version.
> Reporter: RobertHathaway
> Assignee: Kevin Risden
> Priority: Major
> Fix For: 7.7.2, 8.1, master (9.0)
>
> Attachments: SOLR-13112.patch
>
> Time Spent: 20m
> Remaining Estimate: 0h
>
> We can't move to Solr 7 without fixing this issue flagged by Sonatype scan of
> Solr 7.6.0 build, using Scanner 1.56.0-01:
> Threat Level 8 against Solr v7.6: com.fasterxml.jackson.core :
> jackson-databind : 2.9.6
> FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to
> execute arbitrary code by leveraging failure to block the slf4j-ext class
> from polymorphic deserialization.
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14718
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
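The CVE quoted in the issue text concerns jackson-databind instantiating a class whose name arrives inside the JSON once default typing is switched on; 2.9.7 and 2.9.8 only extend the blocklist of known gadget classes (slf4j-ext among them), so the durable fix is to not let untrusted input pick the type at all. The Java example below is added here and is not code from Solr or from this JIRA thread. It shows the unsafe `enableDefaultTyping()` configuration beside an allowlisted alternative that works on the 2.9 line (type ids are symbolic names mapped to an explicit `@JsonSubTypes` list), and it reads the bundled jackson-databind version from `com.fasterxml.jackson.databind.cfg.PackageVersion` to compare it against the 2.9.7 threshold named in the CVE text. The class names `DefaultTypingCheck`, `Envelope`, `SafeEnvelope`, `Message`, `Note` and the JSON inputs are constructed for the example.

```java
import com.fasterxml.jackson.annotation.JsonSubTypes;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.core.Version;
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.cfg.PackageVersion;

public class DefaultTypingCheck {

    // Constructed untrusted input: the sender, not our code, names the class to
    // instantiate. A harmless class is used here; with default typing on, any
    // class on the classpath could be named in its place (hypothetical payload).
    static final String UNTRUSTED = "{\"payload\":[\"java.util.ArrayList\",[1,2,3]]}";

    /** Holder with an Object-typed field: the shape default typing makes dangerous. */
    public static class Envelope {
        public Object payload;
    }

    /** Hardened shape: the concrete types the field may take are enumerated in code. */
    @JsonTypeInfo(use = JsonTypeInfo.Id.NAME, property = "kind")
    @JsonSubTypes({ @JsonSubTypes.Type(value = Note.class, name = "note") })
    public interface Message {}

    public static class Note implements Message {
        public String text;
    }

    public static class SafeEnvelope {
        public Message payload;
    }

    /** True if the jackson-databind on the classpath is at least major.minor.patch. */
    public static boolean databindAtLeast(int major, int minor, int patch) {
        Version v = PackageVersion.VERSION;
        if (v.getMajorVersion() != major) return v.getMajorVersion() > major;
        if (v.getMinorVersion() != minor) return v.getMinorVersion() > minor;
        return v.getPatchLevel() >= patch;
    }

    /** Unsafe: every Object-typed property accepts a caller-chosen class name. */
    public static Object parseWithDefaultTyping(String json) throws Exception {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(); // the configuration behind CVE-2018-14718 and its siblings
        return mapper.readValue(json, Envelope.class).payload;
    }

    /** Hardened: default typing stays off; "kind" is a name resolved only against @JsonSubTypes. */
    public static Message parseAllowlisted(String json) throws Exception {
        ObjectMapper mapper = new ObjectMapper();
        return mapper.readValue(json, SafeEnvelope.class).payload;
    }

    public static void main(String[] args) throws Exception {
        // Version gate: the CVE text says 2.x before 2.9.7 lacks the slf4j-ext block.
        System.out.println("jackson-databind " + PackageVersion.VERSION
                + (databindAtLeast(2, 9, 7) ? " (CVE-2018-14718 block present)"
                                            : " (vulnerable per CVE-2018-14718: upgrade)"));

        // Unsafe path: the runtime class of payload was decided by the JSON, not by us.
        Object o = parseWithDefaultTyping(UNTRUSTED);
        System.out.println("default typing produced " + o.getClass().getName());

        // Hardened path: a registered name deserializes, a class name does not.
        Note n = (Note) parseAllowlisted("{\"payload\":{\"kind\":\"note\",\"text\":\"hi\"}}");
        System.out.println("allowlisted note text: " + n.text);
        try {
            parseAllowlisted("{\"payload\":{\"kind\":\"java.util.ArrayList\"}}");
        } catch (JsonMappingException e) {
            System.out.println("rejected unknown type id: " + e.getOriginalMessage());
        }
    }
}
```

Compile against jackson-databind 2.9.x (and its jackson-core and jackson-annotations); `enableDefaultTyping()` is deprecated from 2.10 onward in favour of `activateDefaultTyping` with a `PolymorphicTypeValidator`, which is the same allowlisting idea moved into the mapper. The version check is worth keeping in a deployment smoke test, since a scanner finding like the one in this issue means the shaded or transitive copy actually on the classpath matters, not the version in the build file.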