bvolpato opened a new pull request, #26410: URL: https://github.com/apache/beam/pull/26410
[jackson-dataformat-yaml:2.14.1](https://mvnrepository.com/artifact/com.fasterxml.jackson.dataformat/jackson-dataformat-yaml/2.14.1) included SnakeYAML 1.33, which is within [CVE-2022-1471](https://nvd.nist.gov/vuln/detail/CVE-2022-1471)'s range. [jackson-dataformat-yaml:2.15.0](https://mvnrepository.com/artifact/com.fasterxml.jackson.dataformat/jackson-dataformat-yaml/2.15.0) updated to SnakeYAML 2.0, which has fixed vulnerabilities.

There was some discussion about the dependency on the dev mailing list (https://lists.apache.org/thread/jcwvgttjsmxyqkc01rwzhd8zjxjk99h4), but https://github.com/apache/beam/pull/25350 was abandoned because it's not exploitable. Even though SnakeYAML has a statement about it (https://github.com/snakeyaml/snakeyaml#cve), it is nice to be on a version range that is considered safe.

See [CI.md](https://github.com/apache/beam/blob/master/CI.md) for more information about GitHub Actions CI.
