Posted to notifications@james.apache.org by bt...@apache.org on 2022/05/05 02:54:00 UTC

[james-project] branch 3.7.x updated: [UPGRADE] jackson 2.13.1 -> 2.13.2.2 fixes CVE-2020-36518 [3.7.x] (#982)

This is an automated email from the ASF dual-hosted git repository.

btellier pushed a commit to branch 3.7.x
in repository https://gitbox.apache.org/repos/asf/james-project.git


The following commit(s) were added to refs/heads/3.7.x by this push:
     new 8f5c7a0301 [UPGRADE] jackson 2.13.1 -> 2.13.2.2 fixes CVE-2020-36518 [3.7.x] (#982)
8f5c7a0301 is described below

commit 8f5c7a030135051e8c80bfccf593e411bb01ada9
Author: Benoit TELLIER <bt...@linagora.com>
AuthorDate: Thu May 5 09:53:56 2022 +0700

    [UPGRADE] jackson 2.13.1 -> 2.13.2.2 fixes CVE-2020-36518 [3.7.x] (#982)
    
    https://security.snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-2421244
    
    com.fasterxml.jackson.core:jackson-databind is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.
    
    Affected versions of this package are vulnerable to Denial of Service (DoS) via a large depth of nested objects.
---
 pom.xml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/pom.xml b/pom.xml
index 70d0878923..fa470beeb0 100644
--- a/pom.xml
+++ b/pom.xml
@@ -614,7 +614,8 @@
         <cucumber.version>2.4.0</cucumber.version>
 
         <pax-logging-api.version>1.6.4</pax-logging-api.version>
-        <jackson.version>2.13.1</jackson.version>
+        <jackson.version>2.13.2</jackson.version>
+        <jackson.databind.version>2.13.2.2</jackson.databind.version>
         <feign.version>11.8</feign.version>
         <feign-form.version>3.8.0</feign-form.version>
         <jjwt.version>0.11.2</jjwt.version>
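Review bot: The added `jackson.databind.version` property carries no comment explaining why jackson-databind is versioned apart from `jackson.version`. The next person to bump `jackson.version` can easily miss it and leave databind behind on 2.13.2.2. Suggest an XML comment directly above the new property stating that it exists for the CVE-2020-36518 fix, and that it should be folded back into `jackson.version` once both can share a single version again.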
@@ -2073,7 +2074,7 @@
             <dependency>
                 <groupId>com.fasterxml.jackson.core</groupId>
                 <artifactId>jackson-databind</artifactId>
-                <version>${jackson.version}</version>
+                <version>${jackson.databind.version}</version>
             </dependency>
             <dependency>
                 <groupId>com.fasterxml.jackson.datatype</groupId>
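Review bot: The changed `<version>${jackson.databind.version}</version>` line only governs modules that take their jackson-databind version from this entry, and nothing in the patch verifies that the build actually resolves 2.13.2.2 everywhere. A module that declares its own databind version would still ship the affected release. Suggest running `mvn dependency:tree -Dincludes=com.fasterxml.jackson.core:jackson-databind` on 3.7.x and recording the result in the PR, so the fix claimed in the commit subject is confirmed for the shipped artifacts.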

