Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2020-36518 - bump jackson from 2.11.2 to 2.13.3 #464

Merged
merged 3 commits into from
Jul 13, 2022

Conversation

gtedesc0
Copy link
Contributor

@gtedesc0 gtedesc0 commented Jul 12, 2022

Bumps jackson from 2.11.2 to 2.13.3.

https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-core

Signed-off-by: Gustavo Tedesco [email protected]

Copy link

@rangeldaykes rangeldaykes left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@pierDipi pierDipi added this to the 2.4 milestone Jul 13, 2022
@pierDipi pierDipi self-requested a review July 13, 2022 07:31
@pierDipi pierDipi modified the milestones: 2.4.0, 3.0.0 Jul 13, 2022
@pierDipi pierDipi changed the title [Snyk] Security upgrade jackson [Snyk] Security upgrade jackson - bump jackson from 2.11.2 to 2.13.3 Jul 13, 2022
@gtedesc0
Copy link
Contributor Author

@pierDipi Do you have any predictions for the acceptance of this PR?

@pierDipi
Copy link
Member

@gtedesc0 can you add the reason for this bump in the PR body? is the fix you're looking for available in a patch release of Jackson?
A minor version bump would require a major release of SDK since that might break binary compatibility.

@gtedesc0
Copy link
Contributor Author

@gtedesc0 can you add the reason for this bump in the PR body? is the fix you're looking for available in a patch release of Jackson? A minor version bump would require a major release of SDK since that might break binary compatibility.

The reason for this bump, correct vulnerability bellow
1 vulnerability

@pierDipi
Copy link
Member

Thanks!

Copy link
Member

@pierDipi pierDipi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

Thanks!

@pierDipi pierDipi merged commit f35e6e6 into cloudevents:master Jul 13, 2022
@pierDipi pierDipi changed the title [Snyk] Security upgrade jackson - bump jackson from 2.11.2 to 2.13.3 CVE-2020-36518 - bump jackson from 2.11.2 to 2.13.3 Jul 13, 2022
@gtedesc0
Copy link
Contributor Author

@pierDipi Do you have a forecast to enter a version 2.3.1?

@pierDipi
Copy link
Member

As I wrote here #464 (comment), we need a 3.0.0 unless there is a fix in patch version of Jackson for 2.11 that we can use

@pierDipi
Copy link
Member

pierDipi commented Jul 13, 2022

I will try to see if there are other major features or fixes to include in 3.0.0 and then I will cut a release

@pierDipi
Copy link
Member

fwiw, in my projects, I override Jackson's version with my own version [1] and [2]

[1] https://github.com/knative-sandbox/eventing-kafka-broker/blob/e4782fbc237d7575a7bfbd05f6bc549e5dbcd09e/data-plane/pom.xml#L269-L279
[2] https://github.com/knative-sandbox/eventing-kafka-broker/blob/e4782fbc237d7575a7bfbd05f6bc549e5dbcd09e/data-plane/pom.xml#L212-L218

you would need to make sure that everything still works as expected with the new Jackson's version in your system but that's another option to get the fix earlier.

@gtedesc0
Copy link
Contributor Author

@pierDipi thank you so much!

@pierDipi pierDipi removed this from the 3.0.0 milestone Sep 8, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants