Hi Uziel, we won't upgrade to Jackson 2.11 or 2.12 in Dropwizard 2.0.x to avoid breaking our users' applications in a patch upgrade. Since we don't use the Jackson CBOR module in Dropwizard itself, I think this is a sensible strategy.
This being said, you can probably import the Jackson 2.11 or 2.12 BOM in your build and it might just work out of the box.

Cheers,
Jochen

> On 14.03.2021 at 11:08, [email protected] <[email protected]> wrote:
>
> Hello,
>
> snyk.io are reporting this DoS vulnerability for jackson-dataformat-cbor versions [0,2.11.4) || [2.12.0-rc1,2.12.1).
> https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONDATAFORMAT-1047329
> This vulnerability still exists in the latest Dropwizard release (v2.0.20), since the Jackson version used is "2.10.5.20201202", which depends on the jackson-bom tag "jackson-bom-2.10.5.20201202", which references this vulnerable cbor version.
> This is fixed in version 2.11.4 and up or 2.12.1 and up.
> Version 2.12.2 has been on Dropwizard master for 2 months, but I don't know why it was not released in any Dropwizard release since.
>
> Would you be able to tell if we have a roadmap for a Jackson upgrade soon?
>
> Thanks,
> Uziel

-- 
You received this message because you are subscribed to the Google Groups "dropwizard-user" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/dropwizard-user/A51A7B57-C740-47B4-8565-4B05BE0DE7C7%40schalanda.name.
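Added example, not part of the thread above: a Maven pom.xml fragment showing one way to do what Jochen suggests, importing the Jackson BOM in the application's own build so that it overrides the Jackson 2.10.5 versions pulled in by Dropwizard 2.0.20. It relies on Maven's rule that, among imported BOMs, the first declaration of an artifact's version wins, so jackson-bom has to be listed before dropwizard-bom. The coordinates com.fasterxml.jackson:jackson-bom and io.dropwizard:dropwizard-bom are the published BOM artifacts; the versions 2.12.2 and 2.0.20 are the ones named in the thread. The project layout (a single dropwizard-core dependency) is assumed for illustration.

```xml
<!-- Added example: pom.xml fragment pinning Jackson 2.12.2 ahead of Dropwizard 2.0.20's BOM.
     Not the Dropwizard project's own configuration. -->
<project>
  <properties>
    <dropwizard.version>2.0.20</dropwizard.version>
    <!-- Jackson release containing the jackson-dataformat-cbor fix (2.12.1 and up), per the thread -->
    <jackson.version>2.12.2</jackson.version>
  </properties>

  <dependencyManagement>
    <dependencies>
      <!-- Order matters: for imported BOMs Maven keeps the FIRST version it sees
           for a given groupId:artifactId. Listing jackson-bom before dropwizard-bom
           makes 2.12.2 win over the 2.10.5.20201202 that dropwizard-bom manages. -->
      <dependency>
        <groupId>com.fasterxml.jackson</groupId>
        <artifactId>jackson-bom</artifactId>
        <version>${jackson.version}</version>
        <type>pom</type>
        <scope>import</scope>
      </dependency>
      <dependency>
        <groupId>io.dropwizard</groupId>
        <artifactId>dropwizard-bom</artifactId>
        <version>${dropwizard.version}</version>
        <type>pom</type>
        <scope>import</scope>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- Versions come from the managed BOMs above; none are declared here. -->
    <dependency>
      <groupId>io.dropwizard</groupId>
      <artifactId>dropwizard-core</artifactId>
    </dependency>
  </dependencies>
</project>
```

After the change, confirm that the override actually took effect rather than trusting the pom: `mvn dependency:tree -Dincludes=com.fasterxml.jackson.dataformat:jackson-dataformat-cbor` should show 2.12.2 (and the same check with `-Dincludes=com.fasterxml.jackson.core` should show no remaining 2.10.x artifacts, since mixing Jackson core and dataformat versions is itself a source of runtime errors). Jochen only says this "might" work, so run the application's test suite against the upgraded Jackson before shipping it, and re-run the Snyk scan to verify the finding clears.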
