On Tue, Feb 23, 2021 at 11:36 AM Ron Karim (Oracle Corp.) <[email protected]> wrote:
>
> Oracle corp. uses jackson_databind 2.10.2 widely across many product lines.
> The latest CVE requires us to move to any of the following versions:
> 2.11.0, 2.10.5.1 OR 2.9.10.8
>
> Any recommendations on which version would be the most compatible and secure
> if we are currently on jackson 2.10.2?
>
> We are tentatively considering version 2.10.5.1.

I would go with that: just note that for components other than `jackson-databind` there is just 2.10.5 (you can use `jackson-bom` version `2.10.5.20201202` to get a consistent set -- see https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.10) released.

Later on it would probably make sense to upgrade to the latest 2.11 patch, 2.11.4 (there is rarely if ever any benefit to go with anything but the latest patch of a given minor version).

But as the first step, 2.10.5.1 sounds like a good option.

-+ Tatu +-

>
> Thanks,
> Ron
>
> --
> You received this message because you are subscribed to the Google Groups
> "jackson-user" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/jackson-user/ded92846-be5d-42a9-9b72-bd40e6f416c3n%40googlegroups.com.
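
One way to confirm that no module still resolves a `jackson-databind` below the versions listed in the thread, as an added example that is not part of the original messages. It assumes input in the `groupId:artifactId:jar:version:scope` form printed by `mvn dependency:list`; the function names and the sample listing are constructed for illustration, and treating minor lines newer than 2.11 as fixed is an assumption.

```python
import re

# Lowest fixed jackson-databind release per minor line, as listed in the thread.
FIXED_FLOORS = {(2, 9): (2, 9, 10, 8), (2, 10): (2, 10, 5, 1), (2, 11): (2, 11, 0, 0)}

# jackson-databind coordinate as printed by `mvn dependency:list`.
COORD = re.compile(r"com\.fasterxml\.jackson\.core:jackson-databind:jar:([^:\s]+)")

# Constructed sample listing, not output from a real build.
SAMPLE = """\
[INFO]    com.fasterxml.jackson.core:jackson-databind:jar:2.10.2:compile
[INFO]    com.fasterxml.jackson.core:jackson-core:jar:2.10.5:compile
[INFO]    com.fasterxml.jackson.core:jackson-databind:jar:2.10.5.1:compile
[INFO]    com.fasterxml.jackson.core:jackson-databind:jar:2.9.10.8:runtime
[INFO]    com.fasterxml.jackson.core:jackson-databind:jar:2.11.4:compile
"""


def verdict(version):
    """Classify one jackson-databind version string against the thread's floors."""
    if not re.fullmatch(r"\d+(\.\d+)*", version):
        return "review manually"  # qualifiers such as -SNAPSHOT are not ranked here
    v = tuple(int(part) for part in version.split("."))
    v += (0,) * (4 - len(v))  # pad so 2.10.5 compares below 2.10.5.1
    line = v[:2]
    if line > (2, 11):
        return "ok"  # assumption: later minor lines already carry the fix
    floor = FIXED_FLOORS.get(line)
    if floor is None:
        return "no fixed release listed"  # older than 2.9: thread names no fix
    if v >= floor:
        return "ok"
    return "upgrade to " + ".".join(str(n) for n in floor)


def scan(listing):
    """Return (version, verdict) for every jackson-databind coordinate found."""
    return [(m.group(1), verdict(m.group(1))) for m in COORD.finditer(listing)]


if __name__ == "__main__":
    for version, result in scan(SAMPLE):
        print(f"jackson-databind {version}: {result}")
```
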
