Hi Team,
the FasterXML Jackson dependency has a couple of CVEs in the currently used version.
Fixes are present (at least for some of them). FasterXML/jackson-databind#2186
2.8.11.3 (micro-patch of jackson-databind, plus jackson-bom version 2.8.11.20181123) FasterXML/jackson-databind#2097
In the current 2.33.0.RELEASE / 3.14.0.RELEASE we have the following dependencies:
Hi @tomheisner We generally try to pick up these changes as soon as we can based on updates from the dependency providers you've noted. In this case we have a release coming up very soon* anyway, so we'll almost certainly hold that to catch this update.
*Hopefully this week, subject to Christmas disruption.
Hi @twoseat,
I can see that a new release was created but it still references the Brussels-SR14, which refers to the vulnerable Jackson Databind lib.
Is there a plan to update those refs anytime soon?
Cheerz and hope you had a perfect start into 2019!
Tom!
This was entirely my oversight - I thought I'd grabbed the latest Brussels already, but clearly had not. The 2.x line is no longer being developed, but I'm looking at releasing a 2.34.1 to pick this up and give it a proper send-off!
Hi Team,
the FasterXML Jackson dependency has a couple of CVEs in the currently used version.
Fixes are present (at least for some of them).
FasterXML/jackson-databind#2186
In the current 2.33.0.RELEASE / 3.14.0.RELEASE we have the following dependencies:
################
2.33.0.RELEASE
Current: https://mvnrepository.com/artifact/io.spring.platform/platform-bom/Brussels-SR14 > Jackson Databind 2.8.11.2
Could be updated to SR15, which would contain the mentioned version 2.8.11.3 >
https://mvnrepository.com/artifact/io.spring.platform/platform-bom/Brussels-SR15
################
3.14.0.RELEASE > spring-boot-dependencies:2.0.5.RELEASE
Fix for FasterXML was released 3 days ago and is not yet reflected in the spring-boot-dependencies:
https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.8 on https://mvnrepository.com/artifact/org.springframework.boot/spring-boot-dependencies
So this would need some more cross checking.
It's available at: https://search.maven.org/artifact/com.fasterxml.jackson.core/jackson-databind/2.9.8/bundle
################
Could you please let me know what the common process and timelines are for such security-related dependency updates?
Thanks Tom!
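As an added illustration (not part of this issue or of the Spring project's own build files), a Maven `dependencyManagement` fragment that pins `jackson-databind` 2.9.8 explicitly while still importing the `spring-boot-dependencies:2.0.5.RELEASE` BOM named above; Maven takes the first matching entry in `dependencyManagement`, so the explicit pin declared before the BOM import overrides the BOM's older Jackson version until the BOM itself is updated. The project coordinates and the `jackson-databind.version` property are assumed for the example.

```xml
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <!-- Assumed coordinates for the example application -->
  <groupId>com.example</groupId>
  <artifactId>jackson-pin-example</artifactId>
  <version>0.1.0</version>

  <properties>
    <!-- Patched release from the issue; bump here when a new fix ships -->
    <jackson-databind.version>2.9.8</jackson-databind.version>
  </properties>

  <dependencyManagement>
    <dependencies>
      <!-- Declared BEFORE the BOM import so this entry wins -->
      <dependency>
        <groupId>com.fasterxml.jackson.core</groupId>
        <artifactId>jackson-databind</artifactId>
        <version>${jackson-databind.version}</version>
      </dependency>
      <!-- BOM from the issue; still manages every other Spring Boot dependency -->
      <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-dependencies</artifactId>
        <version>2.0.5.RELEASE</version>
        <type>pom</type>
        <scope>import</scope>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- Version is resolved from dependencyManagement, so 2.9.8 is used -->
    <dependency>
      <groupId>com.fasterxml.jackson.core</groupId>
      <artifactId>jackson-databind</artifactId>
    </dependency>
  </dependencies>
</project>
```

Confirm the effective version with `mvn dependency:tree -Dincludes=com.fasterxml.jackson.core`, which should list `jackson-databind:jar:2.9.8` rather than the BOM-managed version.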