Skip to content

Upgrade Jackson Databind Version

David Diederich requested to merge upgrade-jackson-databind into master

This MR upgrades the Jackson Databind version to address CVE-2020-36518.

In this case, version 2.13.2 was being selected automatically. That version was still vulnerable, though the Tagging Notes didn't catch it (because it coerces versions into a triplet).

Dependency Information After the Upgrade

Branch: upgrade-jackson-databind
SHA:    d2923b9f8aff20fcbed4af1652074ff529c50ec3
Maven:  0.16.0-SNAPSHOT
Maven Dependencies Root
os-core-common 0.15.0
(3rd Party) com.fasterxml.jackson.core.jackson-databind 2.13.2.2
Edited by David Diederich

Merge request reports