Martin Wiesner created OPENNLP-1842:
---------------------------------------

             Summary: Update several dependency on OpenNLP 1.x branch
                 Key: OPENNLP-1842
                 URL: https://issues.apache.org/jira/browse/OPENNLP-1842
             Project: OpenNLP
          Issue Type: Dependency upgrade
          Components: Build, Packaging and Test, UIMA Integration
    Affects Versions: 1.9.4
            Reporter: Martin Wiesner
            Assignee: Martin Wiesner
             Fix For: 1.9.5


As the title says:

Dependency: com.fasterxml.jackson.core:jackson-databind
  Current: 2.10.1
  Issue: Long list of deserialization/DoS CVEs: CVE-2020-25649 (XXE), 
CVE-2020-36179/36180/36181/36182 + 2021-20190
  (polymorphic
    deser gadgets), CVE-2022-42003 / CVE-2022-42004 (DoS)
  Fix to: ≥ 2.12.7.1 (min) — better a current 2.18.x
  ────────────────────────────────────────
  Dependency: jackson-core / jackson-annotations
  Current: 2.10.1
  Issue: Keep in lockstep with databind (BOM)
  Fix to: same train as databind
  ────────────────────────────────────────
  Dependency: org.glassfish.jersey.* (common, client, server, 
container-grizzly2, media-json-jackson, media-jaxb,
    entity-filtering)
  Current: 2.30.1
  Issue: CVE-2021-28168 — local info disclosure via world‑readable temp file in 
jersey-common (affects 2.28–2.33)
  Fix to: ≥ 2.34; for Java‑8 safety use 2.35
  ────────────────────────────────────────
  Dependency: org.glassfish.grizzly:grizzly-http-server / -http / -framework
  Current: 2.4.4 (2018)
  Issue: No single high CVE pinned to 2.4.4, but very stale; HTTP 
request-smuggling hardening landed in later 2.4.x. Pulled in
    transitively by Jersey
  Fix to: comes free when Jersey is bumped (2.35 → grizzly 2.4.4 still; 2.40+ 
ships newer grizzly)

 

test scope:
  - junit:4.13 → CVE-2020-15250 (TemporaryFolder info disclosure), fixed in 
4.13.1.
  - commons-io:2.6 → CVE-2021-29425 (path traversal), fixed in 2.7.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to