[
https://issues.apache.org/jira/browse/ZOOKEEPER-4628?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17737581#comment-17737581
]
AvnerW commented on ZOOKEEPER-4628:
-----------------------------------
Are there any plans to upgrade jackson-databind, jackson-core etc. to 2.15.x
for the next ZK releases 3.8.2/3.9.0?
There are few scanner reports about 2.13.x (e.g.: sonatype-2022-6438).
> CVE-2022-42003 CVE-2022-42004 HIGH: upgrade jackson-databind-2.13.3.jar to
> 2.13.4.1
> -----------------------------------------------------------------------------------
>
> Key: ZOOKEEPER-4628
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4628
> Project: ZooKeeper
> Issue Type: Task
> Components: security
> Affects Versions: 3.5.10, 3.8.0, 3.7.1
> Reporter: Ivo Dujmovic
> Priority: Critical
> Labels: pull-request-available
> Time Spent: 40m
> Remaining Estimate: 0h
>
> Two High issues
> [https://nvd.nist.gov/vuln/detail/CVE-2022-42003]
> [https://nvd.nist.gov/vuln/detail/CVE-2022-42004]
> affect jackson version 2.13.3 which zk should update to 2.13.4.1
> Other projects have done this, but Zookeeper has not.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
