Upgrade to Jackson 2.9.5 #12638
Upgrade to Jackson 2.9.5 #12638
Conversation
Upgrade to jackson 2.9.5 to fix the CVE-2018-7489 in the version 2.9.4
spring-projects-issues
added
the
status: waiting-for-triage
|
Thanks for the PR. We have a semi-automated process that takes care of dependency upgrades like this. Running that process has just highlighted that many of 2.9.5's modules are not yet in Maven Central. We'll get to this upgrade in due course and before Boot 2.0.1 is released. Thanks anyway. |
wilkinsona
added
status: declined
|
@wilkinsona can you have an open issue that people can subscribe to? And only close it if a new release contains a fix? |
|
Looks like fix is in master https://github.com/spring-projects/spring-boot/blob/master/spring-boot-project/spring-boot-dependencies/pom.xml |
|
Correction, 2.0.0 release does not have the fix https://github.com/spring-projects/spring-boot/blob/v2.0.0.RELEASE/spring-boot-project/spring-boot-dependencies/pom.xml Do you mind still having an open issue until a release goes out with a fix? |
|
@sgleske-ias Issues are closed when they are fixed, regardless of if a release is out or not. In this case issue #12639 shows the upgrade happened in commit 14b8e75 an is in milestone 2.0.1. The milestone page shows that 2.0.1 is still open and is due to be released on April 5. |
|
Thanks for the heads up @philwebb . I'll check back days following April 5th and see what updates are in the project. 👍 |
|
@philwebb are there any plans to backport the fix to the 1.5 series of spring-boot? |
|
@sgleske-ias No 1.5.x will remain on the 2.8.x line of Jackson. |
Upgrade to jackson 2.9.5 to fix the CVE-2018-7489 (FasterXML/jackson-databind#1931)