Hello

> It may look like Jackson has not provided CVE fixes for these reports
> on their 2.8.x versions. That version is what is in use for Camel
> 2.20.x and 2.21.x and therefore it's more tricky to do something about
> it. Camel users can try to switch to use Jackson 2.9.5 with their
> Camel 2.20.x or 2.21.x as it's just a matter of selecting the JARs in
> their classpath/application.
>

(Always) remember about swagger dependencies... Swagger treats semantic
versioning quite loosely. Between 1.5.17 and 1.5.18 there was a jackson
upgrade from 2.8.x to 2.9.x.

Just my heads-up that this should be checked.

regards
Grzegorz Grzybek

> And as Jackson is also used by Spring Boot then we are trying to align
> with the supported version of Jackson that Spring Boot uses. And Camel
> 2.20.x and 2.21.x are using Spring Boot 1.5.x.
>
> And Jackson sometimes has incompatibility issues so it's not always an
> easy upgrade.
>
> On Mon, Apr 16, 2018 at 1:00 PM, David Atkins <davidatkin...@gmail.com>
> wrote:
> > Hello,
> >
> > I've recently run a dependency check on camel-jackson 2.21.0 and
> > it appears that the version of jackson being used (2.8.10) has two
> > High/Severe vulnerabilities.
> >
> > To fix this for camel-jackson we'll need to upgrade as follows:
> >
> > CVE-2017-17485 - Jackson 2.9.3 or greater
> > CVE-2018-7489 - Jackson 2.9.5 or greater
> >
> > I can see that the parent pom on the mainline has been upgraded to
> > 2.9.4 (as part of the Spring Boot 2 migration), so that covers
> > CVE-2017-17485 'for free'.
> >
> > More information available here:
> >
> > https://nvd.nist.gov/vuln/detail/CVE-2017-17485
> > https://nvd.nist.gov/vuln/detail/CVE-2018-7489
> >
> > Shall I raise a JIRA to address this (possibly as two separate tickets
> > to track both issues)?
> >
> > Thanks,
> >
> > David
>
> --
> Claus Ibsen
> -----------------
> http://davsclaus.com @davsclaus
> Camel in Action 2: https://www.manning.com/ibsen2
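The two practical points in this thread, overriding the Jackson version on the classpath as Claus suggests and checking that nothing else (such as swagger-core) silently drags in a different Jackson line as Grzegorz warns, can both be enforced in the build instead of by hand. The pom.xml fragment below is an added example, not code from the Camel project or from any of the posters. It assumes a Maven build; the plugin versions and the CVSS threshold are assumptions, and both CVEs named above live in jackson-databind, so that is the artifact it bans.

```xml
<!-- Added example (not from the Camel project): pin Jackson to 2.9.5
     project-wide and fail the build if any transitive path, e.g. via
     camel-jackson or swagger-core, still resolves an older jackson-databind.
     Plugin versions are assumptions, not taken from the thread. -->
<project>
  <properties>
    <jackson.version>2.9.5</jackson.version>
  </properties>

  <dependencyManagement>
    <dependencies>
      <!-- Managed versions win over whatever camel-jackson or swagger-core
           declare transitively, which is the "select the JARs" override. -->
      <dependency>
        <groupId>com.fasterxml.jackson.core</groupId>
        <artifactId>jackson-databind</artifactId>
        <version>${jackson.version}</version>
      </dependency>
      <dependency>
        <groupId>com.fasterxml.jackson.core</groupId>
        <artifactId>jackson-core</artifactId>
        <version>${jackson.version}</version>
      </dependency>
      <dependency>
        <groupId>com.fasterxml.jackson.core</groupId>
        <artifactId>jackson-annotations</artifactId>
        <version>${jackson.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <build>
    <plugins>
      <!-- Fail fast if a jackson-databind below 2.9.5 is still on the
           classpath, e.g. because a dependency upgrade later reintroduced one. -->
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-enforcer-plugin</artifactId>
        <version>3.0.0-M2</version> <!-- assumed version -->
        <executions>
          <execution>
            <id>ban-vulnerable-jackson</id>
            <goals><goal>enforce</goal></goals>
            <configuration>
              <rules>
                <bannedDependencies>
                  <searchTransitive>true</searchTransitive>
                  <excludes>
                    <!-- Maven version range: every version below 2.9.5 -->
                    <exclude>com.fasterxml.jackson.core:jackson-databind:[,2.9.5)</exclude>
                  </excludes>
                </bannedDependencies>
              </rules>
            </configuration>
          </execution>
        </executions>
      </plugin>

      <!-- The kind of scan David ran, wired into the build: fail on
           High/Critical findings (CVSS 7 or above; threshold is an assumption). -->
      <plugin>
        <groupId>org.owasp</groupId>
        <artifactId>dependency-check-maven</artifactId>
        <version>3.1.2</version> <!-- assumed version -->
        <configuration>
          <failBuildOnCVSS>7</failBuildOnCVSS>
        </configuration>
        <executions>
          <execution>
            <goals><goal>check</goal></goals>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

To see which path brings in which Jackson version before and after the override, `mvn dependency:tree -Dincludes=com.fasterxml.jackson.core` prints only the Jackson artifacts and the dependency that introduced each of them; the enforcer rule then keeps a later swagger or Camel bump from quietly undoing the fix.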