[FOLIO-3563] folio-core-schema: Bump spring-context, jackson-databind-nullable, jackson-annotations Created: 24/Aug/22  Updated: 29/Aug/22  Resolved: 29/Aug/22

Status: Closed
Project: FOLIO
Components: None
Affects versions: None
Fix versions: None

Type: Bug Priority: P3
Reporter: Julian Ladisch Assignee: Pavlo Smahin
Resolution: Done Votes: 0
Labels: security, security-reviewed
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original estimate: Not Specified

Issue links:
Relates
relates to FOLIO-3515 Archive folio-core-schema? Open
Sprint:
Development Team: Spring Force
RCA Group: Related dependency upgrade

 Description   

Upgrade spring-context from 5.3.13 to 5.3.22 fixing Remote Code Execution in sub-dependency spring-beans https://nvd.nist.gov/vuln/detail/CVE-2022-22965

Upgrade jackson-databind-nullable from 0.2.1 to 0.2.3 fixing Deserialization of Untrusted Data in sub-dependency jackson-databind https://nvd.nist.gov/vuln/detail/CVE-2019-12384

Upgrade jackson-annotations from 2.13.0 to 2.13.3 to be in sync with jackson-databind.
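The point of the three bumps above is that the vulnerable code lives in transitive dependencies (spring-beans under spring-context, jackson-databind under jackson-databind-nullable), so what matters is the version Maven actually resolves, not the version written in the pom. The script below is an added example, not code from folio-core-schema or the FOLIO project: it parses the artifact lines of `mvn dependency:tree` output (a constructed sample is embedded; the real tree is produced by `mvn dependency:tree` in the module directory) and flags any resolved version below the fix threshold. The thresholds are taken from the two NVD advisories linked in the ticket (Spring Framework 5.3.18 for CVE-2022-22965, jackson-databind 2.9.9.1 for CVE-2019-12384) and are assumptions of this example, as are the function names.

```shell
#!/bin/sh
# Constructed sample of `mvn dependency:tree` output showing the pre-bump state.
# It is not the real folio-core-schema tree; replace it with
#   TREE=$(mvn -q dependency:tree -DoutputFile=/dev/stdout)
# to check a real build.
SAMPLE_TREE='[INFO] org.folio:folio-core-schema:jar:1.0.0-SNAPSHOT
[INFO] +- org.springframework:spring-context:jar:5.3.13:compile
[INFO] |  +- org.springframework:spring-beans:jar:5.3.13:compile
[INFO] |  \- org.springframework:spring-core:jar:5.3.13:compile
[INFO] +- org.openapitools:jackson-databind-nullable:jar:0.2.1:compile
[INFO] |  \- com.fasterxml.jackson.core:jackson-databind:jar:2.9.8:compile
[INFO] \- com.fasterxml.jackson.core:jackson-annotations:jar:2.13.0:compile'

# Assumed minimum fixed versions, taken from the NVD entries linked in the ticket.
MIN_SPRING_BEANS=5.3.18       # CVE-2022-22965, 5.3.x line
MIN_JACKSON_DATABIND=2.9.9.1  # CVE-2019-12384

# version_lt A B: exit 0 if dot-separated version A sorts before B, 1 otherwise.
# Each component is compared numerically; a trailing qualifier such as
# "-SNAPSHOT" is ignored by awk's numeric conversion.
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, pa, "."); nb = split(b, pb, ".");
    n = (na > nb) ? na : nb;
    for (i = 1; i <= n; i++) {
      x = (i <= na) ? pa[i] + 0 : 0;
      y = (i <= nb) ? pb[i] + 0 : 0;
      if (x < y) exit 0;
      if (x > y) exit 1;
    }
    exit 1;   # equal versions are not "less than"
  }'
}

# resolved_version TREE groupId:artifactId: print the version Maven resolved
# for that artifact (4th colon-separated field of its tree line), or nothing.
resolved_version() {
  printf '%s\n' "$1" | awk -F: -v ga="$2" '{
    n = split($1, w, " "); g = w[n];       # groupId is the last token before the first colon
    if ((g ":" $2) == ga) { print $4; exit }
  }'
}

# check_dep TREE groupId:artifactId MIN: report the artifact's status.
# Returns 1 when the resolved version is below MIN, so it can gate a CI job.
check_dep() {
  ver=$(resolved_version "$1" "$2")
  if [ -z "$ver" ]; then
    echo "ABSENT $2"
    return 0
  fi
  if version_lt "$ver" "$3"; then
    echo "VULNERABLE $2 $ver < $3"
    return 1
  fi
  echo "OK $2 $ver >= $3"
  return 0
}

# Run the two checks this ticket is about against the constructed tree.
# `|| :` keeps the script itself from aborting so both findings are printed.
check_dep "$SAMPLE_TREE" org.springframework:spring-beans "$MIN_SPRING_BEANS" || :
check_dep "$SAMPLE_TREE" com.fasterxml.jackson.core:jackson-databind "$MIN_JACKSON_DATABIND" || :
```

Because the comparison is done on the resolved tree rather than on the declared pom versions, the same check also catches the case where another dependency pulls an older spring-beans or jackson-databind back in after the bump; in that situation the fix is a `dependencyManagement` pin rather than a further bump of the direct dependency.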



 Comments   
Comment by Ann-Marie Breaux (Inactive) [ 25/Aug/22 ]

Hi Julian Ladisch Which dev team should this be assigned to? Could you update that, and also the RCA value? Thank you!

Comment by Craig McNally [ 25/Aug/22 ]

Jakub Skoczen This repo isn't represented in the Team vs Module matrix on the wiki, we guessed it's something that Spring Force could take on.

Comment by Julian Ladisch [ 29/Aug/22 ]

Pavlo Smahin : Please code review the PR: https://github.com/folio-org/folio-core-schema/pull/2

Another option is to archive the repository. It is not used at all: https://github.com/search?q=org%3Afolio-org+folio-core-schema&type=code

For details see https://dev.folio.org/faqs/how-to-archive-repository/

Generated at Thu Feb 08 23:29:03 UTC 2024 using Jira 1001.0.0-SNAPSHOT#100246-sha1:7a5c50119eb0633d306e14180817ddef5e80c75d.