[FOLIO-3563] folio-core-schema: Bump spring-context, jackson-databind-nullable, jackson-annotations

| Field | Value |
|---|---|
| Created | 24/Aug/22 |
| Updated | 29/Aug/22 |
| Resolved | 29/Aug/22 |
| Status | Closed |
| Project | FOLIO |
| Components | None |
| Affects versions | None |
| Fix versions | None |
| Type | Bug |
| Priority | P3 |
| Reporter | Julian Ladisch |
| Assignee | Pavlo Smahin |
| Resolution | Done |
| Votes | 0 |
| Labels | security, security-reviewed |
| Remaining Estimate | Not Specified |
| Time Spent | Not Specified |
| Original estimate | Not Specified |
| Issue links | |
| Sprint | |
| Development Team | Spring Force |
| RCA Group | Related dependency upgrade |
Description

- Upgrade spring-context from 5.3.13 to 5.3.22, fixing Remote Code Execution.
- Upgrade jackson-databind-nullable from 0.2.1 to 0.2.3, fixing Deserialization of Untrusted Data in the sub-dependency jackson-databind: https://nvd.nist.gov/vuln/detail/CVE-2019-12384
- Upgrade jackson-annotations from 2.13.0 to 2.13.3 to be in sync with jackson-databind.
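As an added example (not part of this ticket or of the folio-core-schema repository), the following Python script scans a Maven pom.xml for the three dependencies named above and reports any still pinned below the versions the ticket upgrades to, resolving `${property}` version references from the `<properties>` block. The Maven groupIds are the published Maven Central coordinates and are an assumption (the ticket names only artifactIds); the pom content is constructed.

```python
import re
import xml.etree.ElementTree as ET

# Minimum fixed versions stated in the ticket; groupIds are the published
# Maven Central coordinates (assumed here, the ticket names only artifactIds).
MIN_VERSIONS = {
    ("org.springframework", "spring-context"): "5.3.22",
    ("org.openapitools", "jackson-databind-nullable"): "0.2.3",
    ("com.fasterxml.jackson.core", "jackson-annotations"): "2.13.3",
}

# Constructed sample pom.xml (not folio-core-schema's): spring-context is pinned
# through a property at 5.3.13 and jackson-databind-nullable at 0.2.1, while
# jackson-annotations is already on the fixed version.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><spring.version>5.3.13</spring.version></properties>
  <dependencies>
    <dependency><groupId>org.springframework</groupId><artifactId>spring-context</artifactId><version>${spring.version}</version></dependency>
    <dependency><groupId>org.openapitools</groupId><artifactId>jackson-databind-nullable</artifactId><version>0.2.1</version></dependency>
    <dependency><groupId>com.fasterxml.jackson.core</groupId><artifactId>jackson-annotations</artifactId><version>2.13.3</version></dependency>
  </dependencies>
</project>"""

def version_key(version):
    """Dotted numeric version -> int tuple; None for SNAPSHOT/RC-style qualifiers."""
    parts = version.strip().split(".")
    if not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def is_below(version, minimum):
    """Older than minimum, or not a plain release (treated conservatively as unfixed)."""
    key = version_key(version)
    return key is None or key < version_key(minimum)

def scan_pom(pom_xml):
    """Return (groupId, artifactId, resolvedVersion, minimum) for each tracked
    dependency still below its minimum; ${prop} versions come from <properties>."""
    root = ET.fromstring(pom_xml)
    ns = root.tag[:root.tag.index("}") + 1] if root.tag.startswith("{") else ""
    props = {p.tag.replace(ns, ""): (p.text or "").strip()
             for p in root.findall(f"{ns}properties/*")}
    findings = []
    for dep in root.iter(f"{ns}dependency"):
        gid = dep.findtext(f"{ns}groupId", "").strip()
        aid = dep.findtext(f"{ns}artifactId", "").strip()
        ver = dep.findtext(f"{ns}version", "").strip()
        prop = re.fullmatch(r"\$\{(.+?)\}", ver)
        ver = props.get(prop.group(1), ver) if prop else ver  # unresolved stays as-is and is flagged
        minimum = MIN_VERSIONS.get((gid, aid))
        if minimum and is_below(ver, minimum):
            findings.append((gid, aid, ver, minimum))
    return findings
```

Running `scan_pom(SAMPLE_POM)` reports spring-context (5.3.13) and jackson-databind-nullable (0.2.1) and leaves jackson-annotations (2.13.3) alone.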
Comments

Comment by Ann-Marie Breaux (Inactive) [25/Aug/22]

Hi Julian Ladisch, which dev team should this be assigned to? Could you update that, and also the RCA value? Thank you!

Comment by Craig McNally [25/Aug/22]

Jakub Skoczen, this repo isn't represented in the Team vs Module matrix on the wiki; we guessed it's something that Spring Force could take on.

Comment by Julian Ladisch [29/Aug/22]

Pavlo Smahin: please code review the PR: https://github.com/folio-org/folio-core-schema/pull/2

Another option is to archive the repository. It is not used at all: https://github.com/search?q=org%3Afolio-org+folio-core-schema&type=code

For details see https://dev.folio.org/faqs/how-to-archive-repository/