Update to Jackson 2.9.10.20191020 #2988

Merged
merged 1 commit into from Oct 20, 2019

Contributor

msymons commented Oct 20, 2019

Problem:

As per #2987, jackson 2.9.10 has three newly-discovered threats: CVE-2019-16942, CVE-2019-16943, CVE-2019-17531. Each has a CVSS v3.1 score of 9.8.

Solution:

Bump jackson.version to 2.9.10.20191020. This updates jackson-databind to 2.9.10.1 but does not change anything else.

Update jackson.version from 2.9.10 to 2.9.10.20191020
This addresses threats CVE-2019-16942, CVE-2019-16943, CVE-2019-17531
joschi added this to the 1.3.16 milestone Oct 20, 2019
joschi added the bug label Oct 20, 2019
joschi self-assigned this Oct 20, 2019
joschi changed the title from "Update jackson version to 2.9.10.20191020" to "Update to Jackson 2.9.10.20191020" Oct 20, 2019
joschi merged commit 7fa41c7 into dropwizard:release/1.3.x Oct 20, 2019
3 checks passed
ci/circleci Your tests passed on CircleCI!
continuous-integration/appveyor/pr AppVeyor build succeeded
continuous-integration/travis-ci/pr The Travis CI build passed