Posted to dev@jena.apache.org by "Andy Seaborne (Jira)" <ji...@apache.org> on 2019/11/10 17:38:00 UTC

[jira] [Commented] (JENA-1779) Update Jackson dependency to 2.10.0.

    [ https://issues.apache.org/jira/browse/JENA-1779?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16971167#comment-16971167 ] 

Andy Seaborne commented on JENA-1779:
-------------------------------------

Rather than update to 2.9.10.1, the proposal is to switch to 2.10.0, overriding the jsonld-java setting until that moves to 2.10.0 (at jsonld-java 0.13.0). jsonld-java 0.12.5 does build and pass tests with no changes using 2.10.0. See https://github.com/jsonld-java/jsonld-java/pull/273.

Jackson 2.10.0 fixes the underlying design issue; 2.9.x only changes the black/white lists for data polymorphism.

Data polymorphism is not used by jsonld-java or Jena.




> Update Jackson dependency to 2.10.0.
> ------------------------------------
>
>                 Key: JENA-1779
>                 URL: https://issues.apache.org/jira/browse/JENA-1779
>             Project: Apache Jena
>          Issue Type: Task
>    Affects Versions: Jena 3.13.1
>            Reporter: Andy Seaborne
>            Assignee: Andy Seaborne
>            Priority: Major
>             Fix For: Jena 3.14.0
>
>
> CVE-2019-16942
> *Vulnerable versions:* < jackson-databind-2.9.10.1
> *Patched version:* jackson-databind-2.9.10.1
> bq. A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
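
The comment above contrasts the 2.9.x list updates with the 2.10.0 design change. As an added example (not code from Jena, jsonld-java or the Jira issue), this sketch uses the allow-list API that Jackson 2.10 introduced, `activateDefaultTyping` with a `PolymorphicTypeValidator`, so that only explicitly permitted classes can be named by a type id in incoming JSON. It assumes jackson-databind 2.10.0 on the classpath; the `Envelope`, `Note` and `Other` classes are constructed for illustration.

```java
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class SafeDefaultTyping {
    // Constructed sample types; not taken from Jena or jsonld-java.
    public static class Envelope { public Object payload; }
    public static class Note { public String text = "hello"; }
    public static class Other { public String text = "unexpected"; }

    static ObjectMapper allowListedMapper() {
        // Only Note (and its subclasses) may be named by a type id in the input.
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(Note.class)
                .build();
        ObjectMapper mapper = new ObjectMapper();
        // 2.10 API: the validator decides which type ids are accepted on deserialization.
        mapper.activateDefaultTyping(ptv);
        return mapper;
    }

    // Serialize an Envelope, read it back, and report the payload class or "REJECTED".
    static String roundTrip(ObjectMapper mapper, Object payload) throws Exception {
        Envelope out = new Envelope();
        out.payload = payload;
        // The Object-typed field is written together with its class name as type id.
        String json = mapper.writeValueAsString(out);
        try {
            Envelope in = mapper.readValue(json, Envelope.class);
            return in.payload.getClass().getSimpleName();
        } catch (JsonMappingException e) {
            // The validator refused the type id before any instance was created.
            return "REJECTED";
        }
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = allowListedMapper();
        System.out.println(roundTrip(mapper, new Note()));  // allow-listed type
        System.out.println(roundTrip(mapper, new Other())); // type outside the allow-list
    }
}
```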