Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bump jackson-bom to 2.13.4.20221013 (upgrade to jackson-databind 2.13.4.2) #4618

Merged
merged 1 commit into from Nov 7, 2022
Merged

Bump jackson-bom to 2.13.4.20221013 (upgrade to jackson-databind 2.13.4.2) #4618

merged 1 commit into from Nov 7, 2022

Conversation

Malax
Copy link
Contributor

@Malax Malax commented Oct 21, 2022
edited

There is CVE-2022-42003 for jackson-databind 2.13.4, which is fixed in the next point release 2.13.4.1.

I didn't check if redisson is actually vulnerable. But bumping the dependency to an unaffected version will at least silence any vulnerability scanners when redisson is used.

@Malax
Bump jackson-bom to 2.13.4.20221013
7576f84 
Signed-off-by: Manuel Fuchs <manuel.fuchs@salesforce.com>
@Malax Malax changed the title Bump jackson to 2.13.4.1 Bump jackson-bom to 2.13.4.20221013 (upgrade to jackson-databind 2.13.4.2) Oct 21, 2022
mrniko
mrniko requested changes Nov 3, 2022
View reviewed changes
pom.xml
@@ -182,7 +182,7 @@
<dependency>
<groupId>com.fasterxml.jackson</groupId>
<artifactId>jackson-bom</artifactId>
<version>2.13.4</version>
<version>2.13.4.20221013</version>
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I guess version should be 2.13.4.2

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't see 2.13.4.2 for jackson-bom here: https://search.maven.org/artifact/com.fasterxml.jackson/jackson-bom. What am I missing?

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As explained in FasterXML/jackson-databind#3590

"2.13.4.2 micro-patch (jackson-bom 2.13.4.20221013). (NOTE: 2.13.4.1/2.13.4.20221012 have an issue that affects Gradle users)"

@Gregory-Widmer Gregory-Widmer mentioned this pull request Nov 5, 2022
Closed
@mrniko mrniko added this to the 3.17.8 milestone Nov 7, 2022
@mrniko mrniko merged commit 6a2d97f into redisson:master Nov 7, 2022
@mrniko
Copy link
Member

mrniko commented Nov 7, 2022

Thank you for contribution!

@Malax Malax deleted the malax/bump-jackson branch November 15, 2022 10:27
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Gregory-Widmer Gregory-Widmer Gregory-Widmer left review comments

@mrniko mrniko mrniko approved these changes

Assignees
No one assigned
Labels
None yet
Milestone
3.18.0
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@Malax @mrniko @Gregory-Widmer