[ 
https://issues.apache.org/jira/browse/TIKA-2964?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16958107#comment-16958107
 ] 

ASF GitHub Bot commented on TIKA-2964:
--------------------------------------

tballison commented on issue #287: [TIKA-2964] Upgrade Jackson Databind to 
2.10.0 to fix latest CVEs
URL: https://github.com/apache/tika/pull/287#issuecomment-545568253
 
 
   Done. Thank you!
 
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


> Upgrade Jackson Databind dependency to 2.9.10.1 or 2.10.0 to fix latest CVEs
> ----------------------------------------------------------------------------
>
>                 Key: TIKA-2964
>                 URL: https://issues.apache.org/jira/browse/TIKA-2964
>             Project: Tika
>          Issue Type: Bug
>          Components: parser
>    Affects Versions: 1.23
>            Reporter: Alex Ott
>            Priority: Major
>
> When compiling the latest version of the source code, the following error is 
> reported:
> {noformat}
> [ERROR] Failed to execute goal 
> org.sonatype.ossindex.maven:ossindex-maven-plugin:3.0.4:audit 
> (audit-dependencies) on project tika-parsers: Detected 1 vulnerable 
> components:
> [ERROR]   com.fasterxml.jackson.core:jackson-databind:jar:2.9.10:compile; 
> https://ossindex.sonatype.org/component/pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.10
> [ERROR]     * [CVE-2019-16943] A Polymorphic Typing issue was discovered in 
> FasterXML jackson-databind 2.0.0 th... (0.0); 
> https://ossindex.sonatype.org/vuln/f4f0c103-c9d9-4308-bd8f-489f2a632680
> [ERROR]     * [CVE-2019-16942] A Polymorphic Typing issue was discovered in 
> FasterXML jackson-databind 2.0.0 th... (0.0); 
> https://ossindex.sonatype.org/vuln/07632245-fcef-4eb3-82b6-aadbbfd2b33e
> {noformat}
> We need to bump the version after 2.9.10.1 is released, or consider switching 
> to 2.10, which isn't vulnerable...



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
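The audit output quoted in the issue flags jackson-databind 2.9.10 and the reporter proposes bumping to 2.9.10.1 or 2.10.0. As an added example (not code from the Tika project, the Jira issue, or the OSS Index plugin), the following script performs the same kind of check locally: it parses a constructed pom.xml fragment, resolves `${...}` property references, and reports any `com.fasterxml.jackson.core:jackson-databind` coordinate whose version sorts below 2.9.10.1, the first fixed release named in the issue (2.10.0 sorts above it, so it passes as well). The sample pom, the property name `jackson.version`, and the function names are assumptions made for the example.

```python
"""Flag jackson-databind coordinates in a pom.xml older than the fixed version.

Added example, not part of the Jira issue or of Tika's own build. The pom below
is constructed for the example; the fixed version 2.9.10.1 is the one the
issue names.
"""
import re
import xml.etree.ElementTree as ET

FIXED_VERSION = "2.9.10.1"            # first fixed 2.9.x release named in the issue
GROUP = "com.fasterxml.jackson.core"
ARTIFACT = "jackson-databind"
POM_NS = "http://maven.apache.org/POM/4.0.0"

# Constructed sample pom: one jackson-databind coordinate pinned through a
# property (as many real builds do) plus an unrelated dependency to ignore.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.example</groupId>
  <artifactId>sample</artifactId>
  <version>1.0</version>
  <properties>
    <jackson.version>2.9.10</jackson.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>com.fasterxml.jackson.core</groupId>
      <artifactId>jackson-databind</artifactId>
      <version>${jackson.version}</version>
    </dependency>
    <dependency>
      <groupId>org.apache.commons</groupId>
      <artifactId>commons-lang3</artifactId>
      <version>3.9</version>
    </dependency>
  </dependencies>
</project>
"""


def parse_version(version):
    """Turn '2.9.10.1' into (2, 9, 10, 1) so tuples compare numerically.

    A shorter tuple that is a prefix of a longer one compares lower, so
    2.9.10 < 2.9.10.1 < 2.10.0 as Maven's numeric ordering expects.
    Non-numeric segments (e.g. 'SNAPSHOT') sort lowest.
    """
    return tuple(int(p) if p.isdigit() else -1 for p in version.split("."))


def find_vulnerable_databind(pom_xml, fixed=FIXED_VERSION):
    """Return 'group:artifact:version' for every jackson-databind below `fixed`."""
    ns = {"m": POM_NS}
    root = ET.fromstring(pom_xml)

    # Collect <properties> so ${name} references in <version> can be resolved.
    props = {
        p.tag.split("}")[-1]: (p.text or "").strip()
        for p in root.findall("m:properties/*", ns)
    }

    def resolve(value):
        # Unknown properties are left as-is; they will not parse as numbers
        # and therefore sort lowest, which surfaces them rather than hiding them.
        return re.sub(r"\$\{([^}]+)\}",
                      lambda m: props.get(m.group(1), m.group(0)), value)

    findings = []
    # iter() walks every <dependency>, including those under <dependencyManagement>.
    for dep in root.iter(f"{{{POM_NS}}}dependency"):
        group = dep.findtext("m:groupId", default="", namespaces=ns).strip()
        artifact = dep.findtext("m:artifactId", default="", namespaces=ns).strip()
        version = resolve(dep.findtext("m:version", default="", namespaces=ns).strip())
        if group == GROUP and artifact == ARTIFACT and version:
            if parse_version(version) < parse_version(fixed):
                findings.append(f"{group}:{artifact}:{version}")
    return findings


if __name__ == "__main__":
    for finding in find_vulnerable_databind(SAMPLE_POM):
        print("vulnerable:", finding, "(fixed in", FIXED_VERSION + ")")
```

Running it against the sample reports `com.fasterxml.jackson.core:jackson-databind:2.9.10`; changing the property to 2.9.10.1 or 2.10.0 produces no findings. The check only looks at coordinates declared in the pom itself, so transitive dependencies still need a resolved-tree audit such as the ossindex plugin run shown in the issue.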
