Posted to dev@tika.apache.org by "Tim Allison (Jira)" <ji...@apache.org> on 2020/04/21 19:25:00 UTC

[jira] [Resolved] (TIKA-2964) Upgrade Jackson Databind dependency to 2.9.10.1 or 2.10.0 to fix latest CVEs

     [ https://issues.apache.org/jira/browse/TIKA-2964?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Tim Allison resolved TIKA-2964.
-------------------------------
    Fix Version/s: 1.24
       Resolution: Fixed

I feel like we should leave this open as an evergreen issue.

> Upgrade Jackson Databind dependency to 2.9.10.1 or 2.10.0 to fix latest CVEs
> ----------------------------------------------------------------------------
>
>                 Key: TIKA-2964
>                 URL: https://issues.apache.org/jira/browse/TIKA-2964
>             Project: Tika
>          Issue Type: Bug
>          Components: parser
>    Affects Versions: 1.23
>            Reporter: Alex Ott
>            Priority: Major
>             Fix For: 1.24
>
>
> When compiling the latest version of the source code, following error is reported:
> {noformat}
> [ERROR] Failed to execute goal org.sonatype.ossindex.maven:ossindex-maven-plugin:3.0.4:audit (audit-dependencies) on project tika-parsers: Detected 1 vulnerable components:
> [ERROR]   com.fasterxml.jackson.core:jackson-databind:jar:2.9.10:compile; https://ossindex.sonatype.org/component/pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.10
> [ERROR]     * [CVE-2019-16943] A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 th... (0.0); https://ossindex.sonatype.org/vuln/f4f0c103-c9d9-4308-bd8f-489f2a632680
> [ERROR]     * [CVE-2019-16942] A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 th... (0.0); https://ossindex.sonatype.org/vuln/07632245-fcef-4eb3-82b6-aadbbfd2b33e
> {noformat}
> We need to bump the version after 2.9.10.1 is released, or consider switching to 2.10, which isn't vulnerable...



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
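The "Polymorphic Typing issue" named in the audit output above is the class of bugs where an ObjectMapper with default typing enabled will instantiate whatever class name the JSON supplies; the 2.9.x line (including 2.9.10.1) addresses each CVE by extending a blocklist of known gadget classes, while 2.10 adds an allowlist mechanism. The following is an added example, not code from Tika or from the jackson-databind project, showing the 2.9-style configuration the CVEs target beside the 2.10 PolymorphicTypeValidator form. It assumes jackson-databind 2.10 or later on the classpath; the Greeting class, the two constructed JSON documents and the method names legacyMapper/hardenedMapper are hypothetical, and java.util.HashMap stands in for a gadget class purely to show the validator rejecting an unlisted type.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class DefaultTypingDemo {

    // Hypothetical application type: the only polymorphic subtype we intend to accept.
    public static class Greeting {
        public String text;
    }

    // Constructed input. "[class-name, {fields}]" is the WRAPPER_ARRAY shape that
    // Jackson's default typing emits and accepts for values typed as Object.
    static final String SAFE_DOC =
            "[\"DefaultTypingDemo$Greeting\", {\"text\": \"hi\"}]";

    // Same shape, naming a class the application never meant to instantiate.
    // HashMap is harmless; it stands in for a gadget class that is not on the 2.9 blocklist.
    static final String UNEXPECTED_DOC =
            "[\"java.util.HashMap\", {\"k\": \"v\"}]";

    // Before: the configuration the 2.9.x CVEs target. Any class on the classpath may be
    // named in the JSON; only the library's blocklist (extended release by release) blocks it.
    static ObjectMapper legacyMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL); // deprecated in 2.10
        return m;
    }

    // After (2.10+): an explicit allowlist. Type ids that do not resolve to a subtype of
    // Greeting are rejected before any constructor runs.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(Greeting.class)
                .build();
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return m;
    }

    public static void main(String[] args) throws Exception {
        // Blocklist-only mapper happily instantiates an arbitrary, unlisted class.
        Object legacy = legacyMapper().readValue(UNEXPECTED_DOC, Object.class);
        System.out.println("legacy default typing instantiated: " + legacy.getClass().getName());

        // Allowlisted type still round-trips with the hardened mapper.
        Greeting g = (Greeting) hardenedMapper().readValue(SAFE_DOC, Object.class);
        System.out.println("allowlisted type accepted: " + g.text);

        // Anything else is refused with InvalidTypeIdException, whether or not it is a known gadget.
        try {
            hardenedMapper().readValue(UNEXPECTED_DOC, Object.class);
            System.out.println("unexpected: validator did not reject the type");
        } catch (InvalidTypeIdException e) {
            System.out.println("validator rejected type id: " + e.getTypeId());
        }
    }
}
```

The practical point for a dependency bump like TIKA-2964: moving to 2.9.10.1 only widens the blocklist, so the next gadget discovered will need yet another bump, whereas a 2.10 allowlist (or simply never enabling default typing on untrusted input) does not depend on the library knowing about the gadget.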