tika-dev mailing list archives

From "ASF GitHub Bot (Jira)" <j...@apache.org>
Subject [jira] [Commented] (TIKA-2964) Upgrade Jackson Databind dependency to 2.9.10.1 or 2.10.0 to fix latest CVEs
Date Wed, 23 Oct 2019 18:09:00 GMT

    [ https://issues.apache.org/jira/browse/TIKA-2964?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16958108#comment-16958108 ]

ASF GitHub Bot commented on TIKA-2964:
--------------------------------------

tballison commented on pull request #287: [TIKA-2964] Upgrade Jackson Databind to 2.10.0 to fix latest CVEs
URL: https://github.com/apache/tika/pull/287
 
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


> Upgrade Jackson Databind dependency to 2.9.10.1 or 2.10.0 to fix latest CVEs
> ----------------------------------------------------------------------------
>
>                 Key: TIKA-2964
>                 URL: https://issues.apache.org/jira/browse/TIKA-2964
>             Project: Tika
>          Issue Type: Bug
>          Components: parser
>    Affects Versions: 1.23
>            Reporter: Alex Ott
>            Priority: Major
>
> When compiling the latest version of the source code, the following error is reported:
> {noformat}
> [ERROR] Failed to execute goal org.sonatype.ossindex.maven:ossindex-maven-plugin:3.0.4:audit (audit-dependencies) on project tika-parsers: Detected 1 vulnerable components:
> [ERROR]   com.fasterxml.jackson.core:jackson-databind:jar:2.9.10:compile; https://ossindex.sonatype.org/component/pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.10
> [ERROR]     * [CVE-2019-16943] A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 th... (0.0); https://ossindex.sonatype.org/vuln/f4f0c103-c9d9-4308-bd8f-489f2a632680
> [ERROR]     * [CVE-2019-16942] A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 th... (0.0); https://ossindex.sonatype.org/vuln/07632245-fcef-4eb3-82b6-aadbbfd2b33e
> {noformat}
> We need to bump the version after 2.9.10.1 is released or consider switching to 2.10, which isn't vulnerable...



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
