[https://issues.apache.org/jira/browse/HBASE-27423?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17619110#comment-17619110]
Andrew Kyle Purtell edited comment on HBASE-27423 at 10/17/22 9:38 PM:
-----------------------------------------------------------------------
bq. Seems 2.13.4.2 could also fix the CVEs?
The information provided comes from a Nexus IQ scan. Sonatype's knowledge base
for this one indicates the information source is the CVE. Those results do not
provide 2.13.4.2 as a fix version for both CVEs. The provided fix versions are
listed in the description of the issue as originally filed. Wherever folks have
compliance requirements predicated on the details of the CVE, which is going to
be most, it's not to the user's advantage to argue otherwise; they will all
have to explain the divergence. It's best we wait for a non-RC version of
2.14.0, I think.
was (Author: apurtell):
bq. Seems 2.13.4.2 could also fix the CVEs?
The information provided comes from a Nexus IQ scan. Those results do not
provide 2.13.4.2 as a fix version for both CVEs. The provided fix versions are
listed in the description of the issue as originally filed. Wherever folks have
compliance requirements predicated on the details of the CVE, which is going to
be most, it's not to the user's advantage to argue otherwise; they will all
have to explain the divergence. It's best we wait for a non-RC version of
2.14.0, I think.
> Upgrade Jackson for CVE-2022-42003/42004
> ----------------------------------------
>
> Key: HBASE-27423
> URL: https://issues.apache.org/jira/browse/HBASE-27423
> Project: HBase
> Issue Type: Bug
> Reporter: Andrew Kyle Purtell
> Priority: Major
> Fix For: 2.6.0, 3.0.0-alpha-4, 2.5.2, 2.4.16
>
>
> Jackson 2.13.4 fixes CVE-2022-42003 and databind 2.14.0-rc1 fixes
> CVE-2022-42004.
> Move jackson.version to 2.13.4.
> Move jackson.databind.version to 2.14.0-rc1.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
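The thread turns on how dependency versions order: whether 2.13.4.2 sits above the 2.13.4 named in the description, and how an RC such as 2.14.0-rc1 compares with the final 2.14.0 the commenter prefers to wait for. The following is an added example, not code from the JIRA thread or from the HBase project, that encodes a simplified Maven-style version ordering (numeric tokens outrank qualifiers; alpha < beta < milestone < rc < snapshot < release < sp, as Maven's ComparableVersion does) and runs it over a constructed `mvn dependency:list` excerpt. The floors it checks against are the fix versions stated in the issue description (databind to 2.14.0-rc1, the other Jackson modules to 2.13.4); applying the 2.13.4 floor to every `com.fasterxml.jackson.*` group is this example's own assumption, and the sample dependency lines are invented for illustration.

```python
"""Version-floor check for the Jackson bump discussed in HBASE-27423.

Added illustration, not HBase project code. The comparator is a simplified
form of Maven's ComparableVersion ordering; the minimum versions are the
ones stated in the issue description, and the dependency lines below are
constructed sample data in the format printed by `mvn dependency:list`.
"""
import re

# Qualifier ranks in Maven's order; "" is a plain release.
_QUALIFIER_RANK = {"alpha": 0, "beta": 1, "milestone": 2, "rc": 3,
                   "snapshot": 4, "": 5, "sp": 6}
_ALIASES = {"a": "alpha", "b": "beta", "m": "milestone", "cr": "rc",
            "ga": "", "final": "", "release": ""}
_UNKNOWN_RANK = len(_QUALIFIER_RANK)     # unknown qualifiers sort after "sp"
_RELEASE = (0, _QUALIFIER_RANK[""], "")  # implicit token used for padding


def version_key(version):
    """Tokenise a Maven-style version into comparable tuples.

    Numbers become (1, n, ""), qualifiers (0, rank, text), so a numeric
    token always sorts above a qualifier: 2.13.4.2 > 2.13.4, while
    2.14.0-rc1 < 2.14.0. Zeros directly before a qualifier or at the end
    are dropped, so "2.14.0" == "2.14".
    """
    tokens = []
    for tok in re.findall(r"\d+|[A-Za-z]+", version.lower()):
        if tok.isdigit():
            tokens.append((1, int(tok), ""))
            continue
        qualifier = _ALIASES.get(tok, tok)
        while tokens and tokens[-1] == (1, 0, ""):   # "2.14.0-rc1" -> 2.14-rc1
            tokens.pop()
        if qualifier in _QUALIFIER_RANK:
            tokens.append((0, _QUALIFIER_RANK[qualifier], ""))
        else:
            tokens.append((0, _UNKNOWN_RANK, qualifier))
    while tokens and tokens[-1] == (1, 0, ""):
        tokens.pop()
    return tuple(tokens)


def compare_versions(a, b):
    """Return -1, 0 or 1 ordering a against b; short sides pad with a release token."""
    ka, kb = version_key(a), version_key(b)
    width = max(len(ka), len(kb))
    ka += (_RELEASE,) * (width - len(ka))
    kb += (_RELEASE,) * (width - len(kb))
    return (ka > kb) - (ka < kb)


# Floors as stated in the HBASE-27423 description. The wildcard entry is this
# example's assumption that every Jackson module gets the jackson.version floor.
MINIMUM_VERSIONS = {
    "com.fasterxml.jackson.core:jackson-databind": "2.14.0-rc1",
    "com.fasterxml.jackson.*": "2.13.4",
}
_SCOPES = {"compile", "provided", "runtime", "test", "system", "import"}


def parse_dependency_line(line):
    """Parse a `mvn dependency:list` line into ("group:artifact", version)."""
    parts = line.strip().split(":")
    if len(parts) < 4:
        return None
    version = parts[-2] if parts[-1] in _SCOPES else parts[-1]
    return f"{parts[0]}:{parts[1]}", version


def minimum_for(coordinate):
    """Exact coordinate match first, then a group-prefix wildcard, else None."""
    if coordinate in MINIMUM_VERSIONS:
        return MINIMUM_VERSIONS[coordinate]
    group = coordinate.split(":")[0]
    for pattern, minimum in MINIMUM_VERSIONS.items():
        if pattern.endswith(".*") and group.startswith(pattern[:-2]):
            return minimum
    return None


def find_outdated(lines):
    """Return [(coordinate, resolved, minimum)] for artifacts below their floor."""
    findings = []
    for line in lines:
        parsed = parse_dependency_line(line)
        if parsed is None:
            continue
        coordinate, resolved = parsed
        minimum = minimum_for(coordinate)
        if minimum and compare_versions(resolved, minimum) < 0:
            findings.append((coordinate, resolved, minimum))
    return findings


SAMPLE_DEPENDENCY_LIST = [  # constructed sample, not real HBase output
    "   com.fasterxml.jackson.core:jackson-core:jar:2.13.4:compile",
    "   com.fasterxml.jackson.core:jackson-databind:jar:2.13.4:compile",
    "   com.fasterxml.jackson.core:jackson-annotations:jar:2.13.3:compile",
    "   com.fasterxml.jackson.jaxrs:jackson-jaxrs-json-provider:jar:2.13.4:compile",
    "   org.apache.commons:commons-lang3:jar:3.12.0:compile",
]

if __name__ == "__main__":
    for coordinate, resolved, minimum in find_outdated(SAMPLE_DEPENDENCY_LIST):
        print(f"{coordinate}: resolved {resolved}, below fix version {minimum}")
```

Note that the comparator is deliberately strict about pre-releases: `2.14.0-rc1` satisfies a floor of `2.14.0-rc1` but not a floor of `2.14.0`, which is the distinction behind waiting for a non-RC release. Replace `SAMPLE_DEPENDENCY_LIST` with the real output of `mvn dependency:list` to run the check against a build.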