[
https://issues.apache.org/jira/browse/ZOOKEEPER-3699?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17018724#comment-17018724
]
Enrico Olivelli commented on ZOOKEEPER-3699:
--------------------------------------------
We should step away from Jackson.
Btw it is the most used library, so maybe in the mid term we could see it
come back again.
In the short term, doing it will save us a few cycles for this kind of issue.
> upgrade jackson-databind to address CVE-2019-20330
> --------------------------------------------------
>
> Key: ZOOKEEPER-3699
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-3699
> Project: ZooKeeper
> Issue Type: Bug
> Components: security
> Affects Versions: 3.6.0, 3.5.6, 3.7.0
> Reporter: Patrick D. Hunt
> Priority: Blocker
>
> OWASP is flagging
> https://builds.apache.org/view/S-Z/view/ZooKeeper/job/zookeeper-master-maven-owasp/329/console
> > [ERROR] jackson-databind-2.9.10.1.jar: CVE-2019-20330
> "FasterXML jackson-databind 2.x before 2.9.10.2 lacks certain net.sf.ehcache
> blocking"
> I don't believe we use "ehcache" but we should upgrade asap.