Posted to issues@camel.apache.org by "Hugo Veillette (Jira)" <ji...@apache.org> on 2022/10/31 22:32:00 UTC

[jira] [Comment Edited] (CAMEL-18621) Vulnerabilities identified with jackson-databind dependency

    [ https://issues.apache.org/jira/browse/CAMEL-18621?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17626870#comment-17626870 ] 

Hugo Veillette edited comment on CAMEL-18621 at 10/31/22 10:31 PM:
-------------------------------------------------------------------

[~acosentino], do you mind expanding on micro releases?

Generally speaking, the ask seems to be legit: apply non-breaking dependency updates in Camel LTS versions, so that we can get security patches, hot fixes, and so on.

Bumping Jackson from 2.13 to 2.14 is likely to induce breaking changes across modules, on top of the delay of waiting for the next major version (2.14) to be released.

It's unclear to me why FasterXML chose to go with a micro-patch rather than a minor release, given version 2.13 is still open and new minor releases are still expected. [Jackson Releases · FasterXML/jackson Wiki · GitHub|https://github.com/FasterXML/jackson/wiki/Jackson-Releases#open-branches]
I raised the question in [Why micro-patch in open branch 2.13? · Issue #3648 · FasterXML/jackson-databind (github.com)|https://github.com/FasterXML/jackson-databind/issues/3648]

Camel 3.18.2 is attached to jackson-databind 2.13.3:
[https://repo1.maven.org/maven2/org/apache/camel/camel-jackson/3.18.2/camel-jackson-3.18.2.pom]
Why not simply bump to 2.13.4.2 and wait for 2.14?


was (Author: JIRAUSER297743):
[~acosentino], do you mind expanding on micro releases?

Generally speaking, the ask seems to be legit: apply non-breaking dependency updates in Camel LTS versions, so that we can get security patches, hot fixes, and so on.

Bumping Jackson from 2.13 to 2.14 is likely to induce breaking changes across modules, on top of the delay of waiting for the next major version (2.14) to be released.

It's unclear to me why FasterXML chose to go with a micro-patch rather than a minor release, given version 2.13 is still open and new minor releases are still expected. [Jackson Releases · FasterXML/jackson Wiki · GitHub|https://github.com/FasterXML/jackson/wiki/Jackson-Releases#open-branches]

Camel 3.18.2 is attached to jackson-databind 2.13.3:
[https://repo1.maven.org/maven2/org/apache/camel/camel-jackson/3.18.2/camel-jackson-3.18.2.pom]
Why not simply bump to 2.13.4.2 and wait for 2.14?

> Vulnerabilities identified with jackson-databind dependency
> -----------------------------------------------------------
>
>                 Key: CAMEL-18621
>                 URL: https://issues.apache.org/jira/browse/CAMEL-18621
>             Project: Camel
>          Issue Type: Dependency upgrade
>          Components: camel-jackson
>    Affects Versions: 3.18.2, 3.19.0
>            Reporter: Sasikumar Muthukrishnan Sampath
>            Priority: Minor
>             Fix For: 3.20.0
>
>
> There are two new vulnerabilities identified with jackson-databind dependency. Please upgrade the jackson dependency version to 2.14.x
> [CVE-2022-42003|https://github.com/advisories/GHSA-rgv9-q543-rqg4]
> [CVE-2022-42004|https://github.com/advisories/GHSA-rgv9-q543-rqg4].
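The interim fix the comment proposes (stay on the 2.13 branch, move jackson-databind from 2.13.3 to 2.13.4.2) can be applied on the consumer side without waiting for a Camel release. The POM fragment below is an added example, not taken from the Camel project's poms: it pins the managed version for a project depending on camel-jackson 3.18.2 and makes maven-enforcer-plugin fail the build if any dependency path still resolves an older jackson-databind; the enforcer plugin version 3.1.0 is an assumption for this example.

```xml
<!-- Added example: consumer-side override for a project inheriting
     jackson-databind 2.13.3 through camel-jackson 3.18.2. -->
<project>
  <dependencyManagement>
    <dependencies>
      <!-- A managed version takes precedence over the transitive 2.13.3
           pulled in by camel-jackson, for every path that resolves it. -->
      <dependency>
        <groupId>com.fasterxml.jackson.core</groupId>
        <artifactId>jackson-databind</artifactId>
        <version>2.13.4.2</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <dependency>
      <groupId>org.apache.camel</groupId>
      <artifactId>camel-jackson</artifactId>
      <version>3.18.2</version>
    </dependency>
  </dependencies>

  <build>
    <plugins>
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-enforcer-plugin</artifactId>
        <version>3.1.0</version> <!-- assumed version for this example -->
        <executions>
          <execution>
            <id>ban-outdated-jackson-databind</id>
            <goals><goal>enforce</goal></goals>
            <configuration>
              <rules>
                <bannedDependencies>
                  <!-- Reject every jackson-databind older than 2.13.4.2,
                       whether declared directly or reached transitively. -->
                  <excludes>
                    <exclude>com.fasterxml.jackson.core:jackson-databind:[,2.13.4.2)</exclude>
                  </excludes>
                </bannedDependencies>
              </rules>
              <fail>true</fail>
            </configuration>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

Confirm the override took effect with `mvn dependency:tree -Dincludes=com.fasterxml.jackson.core:jackson-databind`, which should list only 2.13.4.2; the enforcer rule then keeps a later dependency change from silently reintroducing 2.13.3.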
--
This message was sent by Atlassian Jira
(v8.20.10#820010)