Security - CVE-2017-17485 & CVE-2018-5968 on Jackson dependency #327
Comments
See the mentioned pull request for the fix.
…cted by CVE: https://nvd.nist.gov/vuln/detail/CVE-2018-5968 The issue and pull request have been submitted to the Jongo project, but are not yet part of a release: bguerout/jongo#327. In the meantime, the fix is to force the version of dependency jackson-databind to 2.9.4.
Hello, I can see that the fixing PR #326 is now merged and planned to be part of milestone 1.4.0, but there are still a few open issues planned as well, blocking the release. Could you do a hotfix release in the meantime (to have this security fix part of the release)? Thank you.
Hello, 1.3.1 and 1.4.0 have been released. 1.3.1: Jackson fixAcces(true) and Jackson update to 2.7.9. You can find more information here: https://github.com/bguerout/jongo/releases
Hello,
Running OWASP dependency-check on a project using jongo will cause the error below because jongo uses a version of jackson-databind affected by CVE-2017-17485 & CVE-2018-5968.