Shaded version of Jackson Databind affected by CVE-2020-25649 #35
Comments
Any chance to get a fix for this or an official statement saying that ibm-cos-sdk-java is not affected?
This notice came in after the code freeze for our latest release. At the time I did try making these as last-minute updates, but there were several test failures that we did not have time to investigate. The upstream AWS project still uses an even older version for Java 6 compatibility, which may be a complicating factor. We are tracking this internally.

Thanks @IBMeric

We inherit the jackson-databind dependency from the upstream AWS S3 SDK. The AWS S3 stance is that they are not vulnerable to several CVEs as evidenced here: aws/aws-sdk-java#2096. We will address it as soon as AWS S3 addresses it and makes a release available, or if we are able to do it independent of them without uncovering issues in this quarter.

@IBMeric seems that AWS S3 SDK v2 has already addressed this issue: aws/aws-sdk-java-v2#2207

@IBMeric any updates? Thanks

@tcherel This has already been fixed and will appear in our mid-March release.

This is excellent news. Thanks @IBMeric

This issue has been resolved in 2.9.1.
The version of Jackson Databind (2.10.2) that is shaded within the bundle is affected by CVE-2020-25649 and is affecting security scans for components that embed the bundle jar.