Martin Wiesner created OPENNLP-1842:
---------------------------------------
Summary: Update several dependency on OpenNLP 1.x branch
Key: OPENNLP-1842
URL: https://issues.apache.org/jira/browse/OPENNLP-1842
Project: OpenNLP
Issue Type: Dependency upgrade
Components: Build, Packaging and Test, UIMA Integration
Affects Versions: 1.9.4
Reporter: Martin Wiesner
Assignee: Martin Wiesner
Fix For: 1.9.5
As the title says:
Dependency: com.fasterxml.jackson.core:jackson-databind
Current: 2.10.1
Issue: Long list of deserialization/DoS CVEs: CVE-2020-25649 (XXE),
CVE-2020-36179/36180/36181/36182 + 2021-20190
(polymorphic
deser gadgets), CVE-2022-42003 / CVE-2022-42004 (DoS)
Fix to: ≥ 2.12.7.1 (min) — better a current 2.18.x
────────────────────────────────────────
Dependency: jackson-core / jackson-annotations
Current: 2.10.1
Issue: Keep in lockstep with databind (BOM)
Fix to: same train as databind
────────────────────────────────────────
Dependency: org.glassfish.jersey.* (common, client, server,
container-grizzly2, media-json-jackson, media-jaxb,
entity-filtering)
Current: 2.30.1
Issue: CVE-2021-28168 — local info disclosure via world‑readable temp file in
jersey-common (affects 2.28–2.33)
Fix to: ≥ 2.34; for Java‑8 safety use 2.35
────────────────────────────────────────
Dependency: org.glassfish.grizzly:grizzly-http-server / -http / -framework
Current: 2.4.4 (2018)
Issue: No single high CVE pinned to 2.4.4, but very stale; HTTP
request-smuggling hardening landed in later 2.4.x. Pulled in
transitively by Jersey
Fix to: comes free when Jersey is bumped (2.35 → grizzly 2.4.4 still; 2.40+
ships newer grizzly)
test scope:
- junit:4.13 → CVE-2020-15250 (TemporaryFolder info disclosure), fixed in
4.13.1.
- commons-io:2.6 → CVE-2021-29425 (path traversal), fixed in 2.7.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)