Re: Jackson vulnerabilities CVE-2017-17485 & CVE-2018-7489
> It may look like Jackson has not provided CVE fixes for these reports
> on their 2.8.x versions. That version is what is in use for Camel
> 2.20.x and 2.21.x and therefore its more tricky to do something about
> it. Camel users can try to switch to use Jackson 2.9.5 with their
> Camel 2.20.x or 2.21.x as its just a matter of selecting the JARs in
> their classpath/application.
(Always) remember about swagger dependencies... Swagger quite loosely
treats semantic versioning.
Between 1.5.17 and 1.5.18 there was jackson upgrade from 2.8.x to 2.9.x
Just my heads-up that this should be checked.
> And as Jackson is also used by Spring Boot then we are trying to align
> with the supported version of Jackson that Spring Boot uses. And Camel
> 2.20.x and 2.21.x is using Spring Boot 1.5.x.
> And Jackson has sometimes in-compatability issues so its not always an
> easy upgrade.
> On Mon, Apr 16, 2018 at 1:00 PM, David Atkins <davidatkinsuk@xxxxxxxxx>
> > Hello,
> > I've recently ran a dependency check on the camel-jackson 2.21.0 and
> > it appears that the version of jackson being used (2.8.10) has two
> > High/Severe vulnerabilities.
> > To fix this for camel-jackson we'll need to upgrade as follows:
> > CVE-2017-17485 - Jackson 2.9.3 or greater
> > CVE-2018-7489 - Jackson 2.9.5 or greater
> > I can see that the parent pom on the mainline has been upgraded to
> > 2.9.4 (as part of spring boot 2 migration), so that covers
> > CVE-2017-17485 'for free'
> > More information available here:
> > https://nvd.nist.gov/vuln/detail/CVE-2017-17485
> > https://nvd.nist.gov/vuln/detail/CVE-2018-7489
> > Shall I raise a JIRA to address this (possible as two separate tickets
> > to track both issues?)
> > Thanks,
> > David
> Claus Ibsen
> http://davsclaus.com @davsclaus
> Camel in Action 2: https://www.manning.com/ibsen2