[
https://issues.apache.org/jira/browse/OPENNLP-1842?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Martin Wiesner resolved OPENNLP-1842.
-------------------------------------
Resolution: Fixed
> Update several dependency on OpenNLP 1.x branch
> -----------------------------------------------
>
> Key: OPENNLP-1842
> URL: https://issues.apache.org/jira/browse/OPENNLP-1842
> Project: OpenNLP
> Issue Type: Dependency upgrade
> Components: Build, Packaging and Test, UIMA Integration
> Affects Versions: 1.9.4
> Reporter: Martin Wiesner
> Assignee: Martin Wiesner
> Priority: Minor
> Fix For: 1.9.5
>
>
> As the title says:
> Dependency: com.fasterxml.jackson.core:jackson-databind
> Current: 2.10.1
> Issue: Long list of deserialization/DoS CVEs: CVE-2020-25649 (XXE),
> CVE-2020-36179/36180/36181/36182 + 2021-20190
> (polymorphic
> deser gadgets), CVE-2022-42003 / CVE-2022-42004 (DoS)
> Fix to: ≥ 2.12.7.1 (min) — better a current 2.18.x
> ────────────────────────────────────────
> Dependency: jackson-core / jackson-annotations
> Current: 2.10.1
> Issue: Keep in lockstep with databind (BOM)
> Fix to: same train as databind
> ────────────────────────────────────────
> Dependency: org.glassfish.jersey.* (common, client, server,
> container-grizzly2, media-json-jackson, media-jaxb,
> entity-filtering)
> Current: 2.30.1
> Issue: CVE-2021-28168 — local info disclosure via world‑readable temp file
> in jersey-common (affects 2.28–2.33)
> Fix to: ≥ 2.34; for Java‑8 safety use 2.35
> ────────────────────────────────────────
> Dependency: org.glassfish.grizzly:grizzly-http-server / -http / -framework
> Current: 2.4.4 (2018)
> Issue: No single high CVE pinned to 2.4.4, but very stale; HTTP
> request-smuggling hardening landed in later 2.4.x. Pulled in
> transitively by Jersey
> Fix to: comes free when Jersey is bumped (2.35 → grizzly 2.4.4 still; 2.40+
> ships newer grizzly)
>
> test scope:
> - junit:4.13 → CVE-2020-15250 (TemporaryFolder info disclosure), fixed in
> 4.13.1.
> - commons-io:2.6 → CVE-2021-29425 (path traversal), fixed in 2.7.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)