[ https://issues.apache.org/jira/browse/ZOOKEEPER-4628?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17737581#comment-17737581 ]
AvnerW commented on ZOOKEEPER-4628: ----------------------------------- Are there any plans to upgrade jackson-databind, jackson-core etc. to 2.15.x for the next ZK releases 3.8.2/3.9.0? There are few scanner reports about 2.13.x (e.g.: sonatype-2022-6438). > CVE-2022-42003 CVE-2022-42004 HIGH: upgrade jackson-databind-2.13.3.jar to > 2.13.4.1 > ----------------------------------------------------------------------------------- > > Key: ZOOKEEPER-4628 > URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4628 > Project: ZooKeeper > Issue Type: Task > Components: security > Affects Versions: 3.5.10, 3.8.0, 3.7.1 > Reporter: Ivo Dujmovic > Priority: Critical > Labels: pull-request-available > Time Spent: 40m > Remaining Estimate: 0h > > Two High issues > [https://nvd.nist.gov/vuln/detail/CVE-2022-42003] > [https://nvd.nist.gov/vuln/detail/CVE-2022-42004] > affect jackson version 2.13.3 which zk should update to 2.13.4.1 > Other projects have done this, but Zookeeper has not. -- This message was sent by Atlassian Jira (v8.20.10#820010)