Could someone please confirm what Jackson databind versions are impacted? We are using the 2.7.1 version.
On Tue, Dec 12, 2017 at 9:45 AM, Lukasz Lenart <lukaszlen...@apache.org> wrote:
> 2017-12-12 15:29 GMT+01:00 Emi <em...@encs.concordia.ca>:
> > Hello,
> >>
> >> vulnerability exists in a JSON Jackson library and it's registered under
> >> CVE-2017-7525.
> >
> > I think you mean the following jars right?
> >
> > (1) jackson-core-2.9.2.jar
> > (2) jackson-annotations-2.9.0.jar
> > (3) jackson-databind-2.9.2.jar
>
> I didn't analyse which jars are affected by the CVE but I think you
> are right and mostly it will be jackson-databind only.
>
> >> Please read the bulletin [1] and apply possible
> >> solutions. This vulnerability impacts anyone using the vulnerable
> >> Jackson JSON library (not only Struts users).
> >>
> >> [1] https://cwiki.apache.org/confluence/display/WW/S2-055
> >
> > So, if do not use the above jars, it should be fine?
>
> Yes
>
>
> Regards
> --
> Łukasz
> + 48 606 323 122 http://www.lenart.org.pl/