You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@flink.apache.org by "Flink Jira Bot (Jira)" <ji...@apache.org> on 2022/07/09 22:39:00 UTC
[jira] [Updated] (FLINK-27293) CVE-2020-36518 in flink-shaded jackson
[ https://issues.apache.org/jira/browse/FLINK-27293?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Flink Jira Bot updated FLINK-27293:
-----------------------------------
Labels: pull-request-available stale-major (was: pull-request-available)
I am the [Flink Jira Bot|https://github.com/apache/flink-jira-bot/] and I help the community manage its development. I see this issues has been marked as Major but is unassigned and neither itself nor its Sub-Tasks have been updated for 60 days. I have gone ahead and added a "stale-major" to the issue". If this ticket is a Major, please either assign yourself or give an update. Afterwards, please remove the label or in 7 days the issue will be deprioritized.
> CVE-2020-36518 in flink-shaded jackson
> --------------------------------------
>
> Key: FLINK-27293
> URL: https://issues.apache.org/jira/browse/FLINK-27293
> Project: Flink
> Issue Type: Technical Debt
> Components: BuildSystem / Shaded
> Reporter: Spencer Deehring
> Priority: Major
> Labels: pull-request-available, stale-major
>
> jackson-databind contains a CVE and is pulled in via jackson-bom located here: [https://github.com/apache/flink-shaded/blob/master/flink-shaded-jackson-parent/pom.xml#L38]
> This needs to be updated to versionĀ
> {code:java}
> 2.12.6.20220326{code}
> as noted here: [https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.12#micro-patches]
--
This message was sent by Atlassian Jira
(v8.20.10#820010)