Thank you kindly. We will go with jackson_databind* 2.10.5.* We also need to include* jackson_core* and *jackson_annotations *with this upgrade. Would you please recommend the most compatible release versions we should bundle with jackson_databind 2.10.5.1 for 1. jackson_annotations 2. jackson_core ?
As the upgrade patch will be used by a huge number of products across the corporate spectrum we wanted to be certain. Mistakes in the past with these combinations proved very costly. Thanks. On Tuesday, February 23, 2021 at 11:59:40 AM UTC-8 Tatu Saloranta wrote: > On Tue, Feb 23, 2021 at 11:36 AM Ron Karim (Oracle Corp.) > <[email protected]> wrote: > > > > > > Oracle corp. uses jackson_databind 2.10.2 widely across may product > lines. > > The latest CVE requires us to move to any of the following versions : > > 2.11.0, 2.10.5.1 OR 2.9.10.8 > > > > Any recommendations on which version would be the most compatible and > secure if we are currently on jackson 2.10.2 ? > > > > We are tentatively considering version 2.10.5.1. > > I would go with that: just note that for components other than > `jackson-databind` there is just 2.10.5 (you can use `jackson-bom` > version `2.10.5.20201202` to get a consistent set -- see > https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.10) > released. > > Later on it would probably make sense to upgrade to the latest 2.11 > patch, 2.11.4 (there is rarely if ever any benefit to go anything > but the latest patch of a given minor version). But as the first step, > 2.10.5.1 sounds like a good option. > > -+ Tatu +- > > > > > > > Thanks, > > Ron > > > > -- > > You received this message because you are subscribed to the Google > Groups "jackson-user" group. > > To unsubscribe from this group and stop receiving emails from it, send > an email to [email protected]. > > To view this discussion on the web visit > https://groups.google.com/d/msgid/jackson-user/ded92846-be5d-42a9-9b72-bd40e6f416c3n%40googlegroups.com > . > -- You received this message because you are subscribed to the Google Groups "jackson-user" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/jackson-user/26702a87-859e-456f-9f02-6a2e2b5668e0n%40googlegroups.com.
