[ 
https://issues.apache.org/jira/browse/OPENNLP-1842?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Martin Wiesner updated OPENNLP-1842:
------------------------------------
    Summary: Update several dependencies on OpenNLP 1.x branch  (was: Update 
several dependency on OpenNLP 1.x branch)

> Update several dependencies on OpenNLP 1.x branch
> -------------------------------------------------
>
>                 Key: OPENNLP-1842
>                 URL: https://issues.apache.org/jira/browse/OPENNLP-1842
>             Project: OpenNLP
>          Issue Type: Dependency upgrade
>          Components: Build, Packaging and Test, UIMA Integration
>    Affects Versions: 1.9.4
>            Reporter: Martin Wiesner
>            Assignee: Martin Wiesner
>            Priority: Minor
>             Fix For: 1.9.5
>
>
> As the title says:
> Dependency: com.fasterxml.jackson.core:jackson-databind
>   Current: 2.10.1
>   Issue: Long list of deserialization/DoS CVEs: CVE-2020-25649 (XXE), 
> CVE-2020-36179/36180/36181/36182 + 2021-20190
>   (polymorphic
>     deser gadgets), CVE-2022-42003 / CVE-2022-42004 (DoS)
>   Fix to: ≥ 2.12.7.1 (min) — better a current 2.18.x
>   ────────────────────────────────────────
>   Dependency: jackson-core / jackson-annotations
>   Current: 2.10.1
>   Issue: Keep in lockstep with databind (BOM)
>   Fix to: same train as databind
>   ────────────────────────────────────────
>   Dependency: org.glassfish.jersey.* (common, client, server, 
> container-grizzly2, media-json-jackson, media-jaxb,
>     entity-filtering)
>   Current: 2.30.1
>   Issue: CVE-2021-28168 — local info disclosure via world‑readable temp file 
> in jersey-common (affects 2.28–2.33)
>   Fix to: ≥ 2.34; for Java‑8 safety use 2.35
>   ────────────────────────────────────────
>   Dependency: org.glassfish.grizzly:grizzly-http-server / -http / -framework
>   Current: 2.4.4 (2018)
>   Issue: No single high CVE pinned to 2.4.4, but very stale; HTTP 
> request-smuggling hardening landed in later 2.4.x. Pulled in
>     transitively by Jersey
>   Fix to: comes free when Jersey is bumped (2.35 → grizzly 2.4.4 still; 2.40+ 
> ships newer grizzly)
>  
> test scope:
>   - junit:4.13 → CVE-2020-15250 (TemporaryFolder info disclosure), fixed in 
> 4.13.1.
>   - commons-io:2.6 → CVE-2021-29425 (path traversal), fixed in 2.7.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to