Posted to oak-commits@jackrabbit.apache.org by fo...@apache.org on 2021/07/01 06:47:30 UTC
[jackrabbit-oak] branch trunk updated: OAK-9479: upgrade jackson-databind to 2.10.5.1 (#307)
This is an automated email from the ASF dual-hosted git repository.
fortino pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/jackrabbit-oak.git
The following commit(s) were added to refs/heads/trunk by this push:
new 274f924 OAK-9479: upgrade jackson-databind to 2.10.5.1 (#307)
274f924 is described below
commit 274f92402a12978040939965e92ee4519f2ce1c3
Author: Fabrizio Fortino <fa...@gmail.com>
AuthorDate: Thu Jul 1 08:47:23 2021 +0200
OAK-9479: upgrade jackson-databind to 2.10.5.1 (#307)
* OAK-9479: [oak-search-elastic] upgrade jackson-databind to 2.10.5.1
* OAK-9479: upgrade jackson to avoid CVE-2020-25649 vulnerability
---
oak-parent/pom.xml | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/oak-parent/pom.xml b/oak-parent/pom.xml
index 09f7005..2b0948f 100644
--- a/oak-parent/pom.xml
+++ b/oak-parent/pom.xml
@@ -63,7 +63,10 @@
<guava.version>15.0</guava.version>
<guava.osgi.import>com.google.common.*;version="[15.0,21)"</guava.osgi.import>
<derby.version>10.14.2.0</derby.version>
- <jackson.version>2.10.3</jackson.version>
+ <jackson.version>2.10.5</jackson.version>
+ <!-- jackson-databind versions prior to 2.10.5.1 are affected by security vulnerability CVE-2020-25649.
+ When upgrading jackson, try to align them to the same version -->
+ <jackson.databind.version>2.10.5.1</jackson.databind.version>
<java.version>1.8</java.version>
<java.version.signature>java18</java.version.signature>
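Review bot: The comment added above jackson.databind.version ends with "try to align them to the same version", which does not say what "them" refers to or when the separate property can go away. Suggest spelling out that jackson.databind.version exists only because jackson.version stays at 2.10.5, and that on the next jackson upgrade both properties should be set to one common version at or above 2.10.5.1 (or the databind property removed), so the override does not silently leave databind on a different line from the other jackson artifacts.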
@@ -690,7 +693,7 @@
<dependency>
<groupId>com.fasterxml.jackson.core</groupId>
<artifactId>jackson-databind</artifactId>
- <version>${jackson.version}</version>
+ <version>${jackson.databind.version}</version>
</dependency>
<dependency>
<groupId>com.fasterxml.jackson.dataformat</groupId>
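Review bot: Only this one jackson-databind entry is switched to ${jackson.databind.version}; any module pom that sets its own version on jackson-databind, or a dependency that pulls it in transitively outside this managed entry, would still resolve a version the comment in the first hunk marks as affected by CVE-2020-25649. Before merging, check the resolved version in each module, for example with mvn dependency:tree -Dincludes=com.fasterxml.jackson.core:jackson-databind, and confirm every occurrence reports 2.10.5.1, oak-search-elastic included since the commit message names it.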