On Wed, Feb 24, 2021 at 10:41 AM Ron Karim (Oracle Corp.)
<[email protected]> wrote:
>
> Thank you kindly. We will go with jackson_databind 2.10.5.
> We also need to include jackson_core and jackson_annotations with this 
> upgrade.
> Would you please recommend the most compatible release versions we should 
> bundle with jackson_databind 2.10.5.1 for
> 1. jackson_annotations
> 2. jackson_core ?

For jackson-core that would be 2.10.5. For jackson-annotations it does
not matter as all 2.10.x versions are identical (no changes
are ever made in patch releases for annotations).
But for simplicity, most users go with 2.10.5.

If you could import a "bill-of-materials" (BOM) style parent pom, this:

https://mvnrepository.com/artifact/com.fasterxml.jackson/jackson-bom/2.10.5.20201202

is what would be recommended. As can be seen from:

https://repo1.maven.org/maven2/com/fasterxml/jackson/jackson-bom/2.10.5.20201202/jackson-bom-2.10.5.20201202.pom

the versions it specifies are:

* jackson-databind 2.10.5.1
* jackson-core 2.10.5
* jackson-annotations 2.10.5

I hope this helps,

-+ Tatu +-


>
> As the upgrade patch will be used by a huge number of products across the 
> corporate spectrum we wanted to be certain. Mistakes in the past with these 
> combinations proved very costly. Thanks.
>
>
>
> On Tuesday, February 23, 2021 at 11:59:40 AM UTC-8 Tatu Saloranta wrote:
>>
>> On Tue, Feb 23, 2021 at 11:36 AM Ron Karim (Oracle Corp.)
>> <[email protected]> wrote:
>> >
>> >
>> > Oracle corp. uses jackson_databind 2.10.2 widely across many product lines.
>> > The latest CVE requires us to move to any of the following versions :
>> > 2.11.0, 2.10.5.1 OR 2.9.10.8
>> >
>> > Any recommendations on which version would be the most compatible and 
>> > secure if we are currently on jackson 2.10.2 ?
>> >
>> > We are tentatively considering version 2.10.5.1.
>>
>> I would go with that: just note that for components other than
>> `jackson-databind` there is just 2.10.5 (you can use `jackson-bom`
>> version `2.10.5.20201202` to get a consistent set -- see
>> https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.10)
>> released.
>>
>> Later on it would probably make sense to upgrade to the latest 2.11
>> patch, 2.11.4 (there is rarely if ever any benefit to go with anything
>> but the latest patch of a given minor version). But as the first step,
>> 2.10.5.1 sounds like a good option.
>>
>> -+ Tatu +-
>>
>> >
>> >
>> > Thanks,
>> > Ron
>> >
>> > --
>> > You received this message because you are subscribed to the Google Groups 
>> > "jackson-user" group.
>> > To unsubscribe from this group and stop receiving emails from it, send an 
>> > email to [email protected].
>> > To view this discussion on the web visit 
>> > https://groups.google.com/d/msgid/jackson-user/ded92846-be5d-42a9-9b72-bd40e6f416c3n%40googlegroups.com.
>

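Added example, not part of the original thread or of the Jackson project's own documentation: a `pom.xml` fragment for a hypothetical consuming project that imports the `jackson-bom` version named above, so that the three components resolve to the set listed in the reply. The coordinates are those given in the thread; the surrounding project is assumed.

```xml
<!-- Fragment of a consuming project's pom.xml (hypothetical project). -->
<dependencyManagement>
  <dependencies>
    <!-- Import the BOM: it pins every Jackson component to one tested set. -->
    <dependency>
      <groupId>com.fasterxml.jackson</groupId>
      <artifactId>jackson-bom</artifactId>
      <version>2.10.5.20201202</version>
      <type>pom</type>
      <scope>import</scope>
    </dependency>
  </dependencies>
</dependencyManagement>

<dependencies>
  <!-- No <version> elements here: the BOM supplies them, so the
       micro-patch 2.10.5.1 applies to jackson-databind only. -->
  <dependency>
    <groupId>com.fasterxml.jackson.core</groupId>
    <artifactId>jackson-databind</artifactId>   <!-- resolves to 2.10.5.1 -->
  </dependency>
  <dependency>
    <groupId>com.fasterxml.jackson.core</groupId>
    <artifactId>jackson-core</artifactId>       <!-- resolves to 2.10.5 -->
  </dependency>
  <dependency>
    <groupId>com.fasterxml.jackson.core</groupId>
    <artifactId>jackson-annotations</artifactId> <!-- resolves to 2.10.5 -->
  </dependency>
</dependencies>
```

Running `mvn dependency:tree -Dincludes=com.fasterxml.jackson.core` afterwards shows the versions that actually resolved, including any older Jackson jar pulled in transitively by another dependency.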