We will be using these 3 jars for our latest jackson libraries update due to recent CVEs, assuming that jackson_annotations and jackson_core version 2.10.5 will be compatible with jackson_databind 2.10.5.1:

jackson_databind 2.10.5.1 from: https://repo1.maven.org/maven2/com/fasterxml/jackson/core/jackson-databind/2.10.5.1/
jackson_annotations.jar 2.10.5 from: https://repo1.maven.org/maven2/com/fasterxml/jackson/core/jackson-annotations/2.10.5/
jackson_core.jar 2.10.5 https://repo1.maven.org/maven2/com/fasterxml/jackson/core/jackson-core/2.10.5/

Kindly let us know if there will be any issues with this patch bundle (going out to all users).

On Wednesday, February 24, 2021 at 10:41:51 AM UTC-8 Ron Karim (Oracle Corp.) wrote:

> Thank you kindly. We will go with jackson_databind *2.10.5.1*
> We also need to include *jackson_core* and *jackson_annotations* with
> this upgrade.
> Would you please recommend the most compatible release versions we should
> bundle with jackson_databind 2.10.5.1 for
> 1. jackson_annotations
> 2. jackson_core ?
>
> As the upgrade patch will be used by a huge number of products across the
> corporate spectrum we wanted to be certain. Mistakes in the past with these
> combinations proved very costly. Thanks.
>
> On Tuesday, February 23, 2021 at 11:59:40 AM UTC-8 Tatu Saloranta wrote:
>
>> On Tue, Feb 23, 2021 at 11:36 AM Ron Karim (Oracle Corp.)
>> <ron....@gmail.com> wrote:
>> >
>> > Oracle corp. uses jackson_databind 2.10.2 widely across many product lines.
>> > The latest CVE requires us to move to any of the following versions :
>> > 2.11.0, 2.10.5.1 OR 2.9.10.8
>> >
>> > Any recommendations on which version would be the most compatible and secure if we are currently on jackson 2.10.2 ?
>> >
>> > We are tentatively considering version 2.10.5.1.
>>
>> I would go with that: just note that for components other than
>> `jackson-databind` there is just 2.10.5 (you can use `jackson-bom`
>> version `2.10.5.20201202` to get a consistent set -- see
>> https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.10)
>> released.
>>
>> Later on it would probably make sense to upgrade to the latest 2.11
>> patch, 2.11.4 (there is rarely if ever any benefit to go anything
>> but the latest patch of a given minor version). But as the first step,
>> 2.10.5.1 sounds like a good option.
>>
>> -+ Tatu +-
>>
>> >
>> > Thanks,
>> > Ron
>> >
>> > --
>> > You received this message because you are subscribed to the Google Groups "jackson-user" group.
>> > To unsubscribe from this group and stop receiving emails from it, send an email to jackson-user...@googlegroups.com.
>> > To view this discussion on the web visit https://groups.google.com/d/msgid/jackson-user/ded92846-be5d-42a9-9b72-bd40e6f416c3n%40googlegroups.com.
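
A check that could be run on the patch bundle discussed in this thread before it ships, added here as an example and not part of the thread or of the Jackson project: it reads the version recorded in each jar and flags a set whose major.minor.patch differ. The `pom.properties` entry path, the matching rule (the fourth component in 2.10.5.1 is ignored) and the function names are assumptions, and the sample jars are constructed in memory.

```python
import io
import re
import zipfile

GROUP = "com.fasterxml.jackson.core"
ARTIFACTS = ("jackson-databind", "jackson-core", "jackson-annotations")

def jar_version(jar_bytes, artifact):
    """Return the version Maven recorded in the jar's pom.properties."""
    # Assumption: the jar carries META-INF/maven/<group>/<artifact>/pom.properties.
    path = f"META-INF/maven/{GROUP}/{artifact}/pom.properties"
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        text = jar.read(path).decode("utf-8")  # KeyError if the entry is absent
    match = re.search(r"^version=(\S+)", text, re.MULTILINE)
    if match is None:
        raise ValueError(f"no version line in {path}")
    return match.group(1)

def check_bundle(jars):
    """jars maps artifact name -> jar bytes; returns (versions, problems)."""
    versions, problems = {}, []
    for artifact in ARTIFACTS:
        if artifact not in jars:
            problems.append(f"missing {artifact}")
            continue
        try:
            versions[artifact] = jar_version(jars[artifact], artifact)
        except (KeyError, ValueError, zipfile.BadZipFile) as exc:
            problems.append(f"{artifact}: cannot read version ({exc})")
    # Assumed rule: major.minor.patch must agree; a fourth micro-patch
    # component such as the ".1" in 2.10.5.1 is ignored.
    bases = {tuple(v.split(".")[:3]) for v in versions.values()}
    if len(bases) > 1:
        problems.append(f"mixed Jackson versions: {versions}")
    return versions, problems

def constructed_jar(artifact, version):
    """Build a minimal stand-in jar (constructed sample, not a real release)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(f"META-INF/maven/{GROUP}/{artifact}/pom.properties",
                     f"groupId={GROUP}\nartifactId={artifact}\nversion={version}\n")
    return buf.getvalue()

if __name__ == "__main__":
    picked = {"jackson-databind": "2.10.5.1", "jackson-core": "2.10.5",
              "jackson-annotations": "2.10.5"}
    bundle = {name: constructed_jar(name, ver) for name, ver in picked.items()}
    print(check_bundle(bundle))
```
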