Posted to github@beam.apache.org by GitBox <gi...@apache.org> on 2022/06/04 12:47:27 UTC

[GitHub] [beam] damccorm opened a new issue, #19707: Get rid of jackson to avoid the continuous flow of CVEs in Jackson

damccorm opened a new issue, #19707:
URL: https://github.com/apache/beam/issues/19707

   Jackson keeps having CVEs on all releases of databind, and transitively beam sdk java core has CVEs on all its releases (for the record, when writing this issue you must use at least jackson-databind 2.9.9.2, but last week it was 2.9.9.1 and 2.14 didn't get the fix).
   
   It would be neat to get rid of jackson, which has not fixed this issue for a very long time now, and just use JSON-B or another JSON implementation to ensure the CVE is not usable because beam is there.
   
   Imported from Jira [BEAM-7881](https://issues.apache.org/jira/browse/BEAM-7881). Original Jira may contain additional context.
   Reported by: romain.manni-bucau.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: github-unsubscribe@beam.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


[GitHub] [beam] cowtowncoder commented on issue #19707: Get rid of jackson to avoid the continuous flow of CVEs in Jackson

Posted by GitBox <gi...@apache.org>.
cowtowncoder commented on issue #19707:
URL: https://github.com/apache/beam/issues/19707#issuecomment-1153413253

   FWIW Jackson 2.10.x and later are not vulnerable to this class of CVEs so this particular problem is no longer relevant.


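Both messages above turn on which jackson-databind version actually ends up on the classpath: the issue asks for at least 2.9.9.2, the reply says 2.10.x and later are outside the affected class. As an added example (not code from the Beam project or from either poster), the following Python script scans `mvn dependency:tree` output for every resolved `jackson-databind` entry and flags anything below a version floor, defaulting to the 2.9.9.2 named in the issue; calling it with `minimum="2.10"` applies the later comment's threshold instead. The tree text, the Beam version and the `com.example` artifacts in it are constructed for illustration, and the skipping of `(omitted for ...)` lines assumes Maven's verbose-tree annotation for entries that were not selected.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample in `mvn dependency:tree` style (not real Beam output);
# the Beam version and the com.example artifacts are made up for illustration.
SAMPLE_TREE = """\
[INFO] com.example:my-pipeline:jar:1.0-SNAPSHOT
[INFO] +- org.apache.beam:beam-sdks-java-core:jar:2.13.0:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-core:jar:2.9.9:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-databind:jar:2.9.9.1:compile
[INFO] |  \\- com.fasterxml.jackson.core:jackson-annotations:jar:2.9.9:compile
[INFO] \\- com.example:other-lib:jar:3.1.0:compile
[INFO]    \\- com.fasterxml.jackson.core:jackson-databind:jar:2.10.5:compile
"""

# Maven coordinates as printed in the tree: group:artifact:packaging:version[:scope]
ARTIFACT_RE = re.compile(
    r"(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):(?P<packaging>\w+):(?P<version>[\w.\-]+)"
)

DATABIND_GROUP = "com.fasterxml.jackson.core"
DATABIND_ARTIFACT = "jackson-databind"


def parse_version(version: str) -> Tuple[int, ...]:
    """'2.9.9.2' -> (2, 9, 9, 2). Only the leading dotted numeric part is used,
    so qualifiers such as '-SNAPSHOT' are ignored. Tuple comparison gives the
    ordering we need: (2, 9, 9, 2) < (2, 10) and (2, 10, 5) >= (2, 10)."""
    m = re.match(r"\d+(?:\.\d+)*", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(part) for part in m.group(0).split("."))


def check_jackson_databind(tree_text: str, minimum: str = "2.9.9.2") -> List[Dict[str, object]]:
    """Return one record per jackson-databind occurrence in the tree, in file
    order, marking whether its resolved version meets `minimum`."""
    floor = parse_version(minimum)
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(tree_text.splitlines(), start=1):
        # Assumption: in a verbose Maven tree, entries that lost conflict
        # resolution are annotated "(omitted for ...)" and are not on the
        # classpath, so they must not mask or trigger a finding.
        if "omitted for" in line:
            continue
        m = ARTIFACT_RE.search(line)
        if not m:
            continue
        if m.group("group") != DATABIND_GROUP or m.group("artifact") != DATABIND_ARTIFACT:
            continue
        version = m.group("version")
        findings.append({
            "line": lineno,
            "version": version,
            "ok": parse_version(version) >= floor,
        })
    return findings


def report(tree_text: str, minimum: str = "2.9.9.2") -> int:
    """Print one line per finding; return the number of versions below the floor."""
    findings = check_jackson_databind(tree_text, minimum)
    bad = 0
    for f in findings:
        status = "ok" if f["ok"] else f"BELOW {minimum}"
        print(f"line {f['line']}: {DATABIND_ARTIFACT} {f['version']} -> {status}")
        bad += 0 if f["ok"] else 1
    return bad


if __name__ == "__main__":
    # Check the constructed tree against both thresholds mentioned in the thread.
    report(SAMPLE_TREE, minimum="2.9.9.2")
    report(SAMPLE_TREE, minimum="2.10")
```

Feed it real output with `mvn dependency:tree | python3 check_databind.py`-style plumbing by reading stdin instead of `SAMPLE_TREE`; the script name is a placeholder. Note that a plain (non-verbose) tree shows only the version Maven selected, so two different `jackson-databind` lines, as in the sample, mean two modules resolved differently and each needs to be checked on its own.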