Update jackson-databind to 2.11.0 #464

Merged
merged 2 commits into from
Jan 20, 2021

darveshsingh
Contributor

Changes

Version bump of jackson-databind to 2.11.0

References:

CVE-2020-25649

@darveshsingh darveshsingh requested a review from a team as a code owner December 17, 2020 00:10
@darveshsingh darveshsingh changed the title Fix: updated jackson-databind to 2.10.0.pr3 to block CVE-2020-25649 Fix: updated jackson-databind to 2.11.0 to block CVE-2020-25649 Dec 17, 2020
@jimmyjames jimmyjames self-assigned this Dec 22, 2020
@jimmyjames
Contributor

Thanks for the PR! However, the fix for that CVE is included in 2.10.5.1. Looking at the decompiled classes in the 2.10.5.1 jar also shows that the fix is included there.

I'm not opposed to updating our version of Jackson in general, but I'd probably wait for the first patch release of the 2.12 stream (or at least take the latest patch of 2.11), and look at other dependency updates at the same time.

@lbalmaceda
Contributor

@darveshsingh 2.12 is out. Do you want to update the PR with that change?

@lbalmaceda lbalmaceda added the waiting for customer This issue is waiting for a response from the issue or PR author label Jan 4, 2021
@darveshsingh
Contributor Author

darveshsingh commented Jan 4, 2021

> @darveshsingh 2.12 is out. Do you want to update the PR with that change?

Yes @lbalmaceda

@darveshsingh
Contributor Author

darveshsingh commented Jan 15, 2021

> @darveshsingh 2.12 is out. Do you want to update the PR with that change?

Hi @lbalmaceda, @lukeZhangMengxi and @jimmyjames,

Hope you guys are doing good!
Just a request/reminder to please approve the PR. :)

@lbalmaceda lbalmaceda added this to the v3-Next milestone Jan 20, 2021
@lbalmaceda lbalmaceda merged commit 63812af into auth0:master Jan 20, 2021
@jimmyjames jimmyjames added CH: Changed and removed waiting for customer This issue is waiting for a response from the issue or PR author labels Jan 20, 2021
@jimmyjames jimmyjames changed the title Fix: updated jackson-databind to 2.11.0 to block CVE-2020-25649 Update jackson-databind to 2.11.0 Jan 20, 2021
@jimmyjames jimmyjames modified the milestones: v3-Next, 3.12.1 Jan 20, 2021
@jimmyjames jimmyjames mentioned this pull request Jan 20, 2021
4 participants