Security Vulnerability - Jackson #302
Milestone
Comments
RyanBard
pushed a commit
to RyanBard/jjwt
that referenced
this issue
Mar 2, 2018
* Updates jacksone-databind version to 2.8.11.1 to fix CVE-2017-17485 Signed-off-by: John Bard <[email protected]>
RyanBard
pushed a commit
to RyanBard/jjwt
that referenced
this issue
Mar 2, 2018
* Updates jackson-databind version to 2.8.11.1 to fix CVE-2017-17485 Signed-off-by: John Bard <[email protected]>
|
PR: #306 |
|
Can it be prioritized, mb minor version release? Quite scary to live with that. |
|
We'll get it out when we can, for sure. In the meantime, the quick workaround is using a maven <exclude> directive when depending on JJWT and then explicitly using the Jackson version you want to as a runtime dependency. |
4 tasks
lhazlewood
added a commit
that referenced
this issue
Jul 5, 2018
closes #302: Update jackson version
|
Merged to 0.9.x branch pending release. |
|
0.9.1 has been released. Please allow 15-30 minutes for the release to propagate to Maven Central. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Please upgrade to Jackson databind 2.8.11 or 2.9.4 to address an important security vulnerability: FasterXML/jackson-databind#1904
The text was updated successfully, but these errors were encountered: