com.fasterxml.jackson.core 2.9.9 has a vulnerability

Marek Szuba requested to merge securityfix/com.fasterxml.jackson.core into version/2.5

Created by: muffato

Use case

See https://github.com/Ensembl/ensembl-hive/network/alert/wrappers/java/pom.xml/com.fasterxml.jackson.core:jackson-databind/open and https://nvd.nist.gov/vuln/detail/CVE-2019-12814 for a description of the vulnerability. I'm not aware of anyone using Java and eHive (I'm only aware of plans to do so), but I thought: let's patch this and make GitHub happy.

Description

Just bumped to 2.9.9.1. I don't want to define an open interval, as this is version/2.5, which shouldn't get any significant changes, and upstream may break the interface in a 3.* version.

Possible Drawbacks

2.9.9.1 seems compatible, so I can't see any drawbacks.

Testing

Have you added/modified unit tests to test the changes?

Nothing to change.

Have you run the entire test suite and no regression was detected?

Yes. OK
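As an added example (not code from the merge request or the ensembl-hive project), here is a small check that reads a pom.xml like the wrappers/java/pom.xml named above and reports whether jackson-databind is still pinned below the 2.9.9.1 release this merge request moves to. The sample pom is constructed, the `jackson.version` property name is an assumption, and Maven version ranges are deliberately not handled.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample pom.xml modelled on the wrappers/java/pom.xml mentioned in the
# merge request; the property name and surrounding structure are assumptions.
SAMPLE_POM = """<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <properties>
    <jackson.version>2.9.9</jackson.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>com.fasterxml.jackson.core</groupId>
      <artifactId>jackson-databind</artifactId>
      <version>${jackson.version}</version>
    </dependency>
  </dependencies>
</project>
"""

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
FIXED = "2.9.9.1"  # the release the merge request bumps to for CVE-2019-12814


def version_key(v):
    """Turn '2.9.9.1' into (2, 9, 9, 1); '2.9.9' becomes (2, 9, 9), which sorts lower."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def databind_version(pom_text):
    """Return the declared jackson-databind version, resolving ${property} references.

    Only fixed versions are supported; a Maven range such as [2.9.9.1,3) is not parsed.
    """
    root = ET.fromstring(pom_text)
    props = {p.tag.split("}")[1]: p.text for p in root.findall("m:properties/*", NS)}
    for dep in root.findall("m:dependencies/m:dependency", NS):
        gid = dep.findtext("m:groupId", default="", namespaces=NS)
        aid = dep.findtext("m:artifactId", default="", namespaces=NS)
        if gid == "com.fasterxml.jackson.core" and aid == "jackson-databind":
            ver = dep.findtext("m:version", default="", namespaces=NS)
            return re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), ver)
    return None


def needs_bump(pom_text, fixed=FIXED):
    """True if the pom pins jackson-databind below the fixed release."""
    ver = databind_version(pom_text)
    return ver is not None and version_key(ver) < version_key(fixed)
```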
