Posted to dev@jena.apache.org by "Andy Seaborne (JIRA)" <ji...@apache.org> on 2019/03/29 10:21:00 UTC

[jira] [Resolved] (JENA-1696) Update jsonld-java and its Jackson dependencies

     [ https://issues.apache.org/jira/browse/JENA-1696?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Andy Seaborne resolved JENA-1696.
---------------------------------
    Resolution: Fixed

> Update jsonld-java and its Jackson dependencies
> -----------------------------------------------
>
>                 Key: JENA-1696
>                 URL: https://issues.apache.org/jira/browse/JENA-1696
>             Project: Apache Jena
>          Issue Type: Task
>    Affects Versions: Jena 3.10.0
>            Reporter: Andy Seaborne
>            Assignee: Andy Seaborne
>            Priority: Major
>             Fix For: Jena 3.11.0
>
>          Time Spent: 1h 10m
>  Remaining Estimate: 0h
>
> Jackson databind has been a source of security CVE issues.
> While jsonld-java does not appear to depend on the attacked feature (polymorphic binding), the presence of jackson jars with CVEs causes alerts from security scanning tools.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Re: [jira] [Resolved] (JENA-1696) Update jsonld-java and its Jackson dependencies

Posted by Andy Seaborne <an...@apache.org>.
This is about FasterXML-Jackson -- JSON, not XML.

     Andy

On 29/03/2019 13:40, Claude Warren wrote:
> Does this change remove the woodstox xml parser?  There are issues with how
> that parser functions such that de-serializing TRIX statements may fail.  I
> encountered this before and the discussion about the parser can be found
> here:
> https://github.com/FasterXML/woodstox/issues/57

Re: [jira] [Resolved] (JENA-1696) Update jsonld-java and its Jackson dependencies

Posted by Claude Warren <cl...@xenei.com>.
Does this change remove the woodstox xml parser?  There are issues with how
that parser functions such that de-serializing TRIX statements may fail.  I
encountered this before and the discussion about the parser can be found
here:
https://github.com/FasterXML/woodstox/issues/57



-- 
I like: Like Like - The likeliest place on the web
<http://like-like.xenei.com>
LinkedIn: http://www.linkedin.com/in/claudewarren