FasterXML jackson-databind versions 2.x through 2.9.9.1 are vulnerable.
we will use 2.9.9.3 for jackson-databind only
Issue-ID: VID-640
Signed-off-by: Amichai Hemli <amichai.hemli@intl.att.com>
Change-Id: I537cb83ad787522b75fdee59ffabb51def747096
<project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
<epsdk.version>2.5.0</epsdk.version>
<jackson.version>2.9.9</jackson.version>
+ <jackson.databind.version>2.9.9.3</jackson.databind.version>
<springframework.version>5.1.9.RELEASE</springframework.version>
<!-- epsdk-core is importing this class, which is only on spring-orm 4 but not in orm 5:
org.springframework.orm.hibernate4.HibernateTransactionManager
<dependency>
<groupId>com.fasterxml.jackson.core</groupId>
<artifactId>jackson-databind</artifactId>
- <version>${jackson.version}</version>
+ <version>${jackson.databind.version}</version>
</dependency>
<dependency>
<groupId>com.fasterxml.jackson.module</groupId>
so following orm.version lets epsdk-core find it -->
<hibernate.version>4.3.11.Final</hibernate.version>
<jackson.version>2.9.9</jackson.version>
+ <jackson.databind.version>2.9.9.3</jackson.databind.version>
<jersey.version>2.29</jersey.version>
<surefire.version>2.22.1</surefire.version>
<selenium.version>3.141.59</selenium.version>
<dependency>
<groupId>com.fasterxml.jackson.core</groupId>
<artifactId>jackson-databind</artifactId>
- <version>${jackson.version}</version>
+ <version>${jackson.databind.version}</version>
</dependency>
<dependency>
<groupId>com.fasterxml.jackson.module</groupId>
<springframework.version>5.1.9.RELEASE</springframework.version>
<jersey.version>2.29</jersey.version>
<jackson.version>2.9.9</jackson.version>
+ <jackson.databind.version>2.9.9.3</jackson.databind.version>
<aspectj.version>1.8.10</aspectj.version>
<selenium.version>3.6.0</selenium.version>
<log4j.version>2.12.0</log4j.version>
<dependency>
<groupId>com.fasterxml.jackson.core</groupId>
<artifactId>jackson-databind</artifactId>
- <version>${jackson.version}</version>
+ <version>${jackson.databind.version}</version>
</dependency>
<dependency>
<groupId>commons-beanutils</groupId>
<encoding>UTF-8</encoding>
<springframework.version>5.1.9.RELEASE</springframework.version>
<hibernate.version>5.3.4.Final</hibernate.version>
- <jackson.version>2.9.8</jackson.version>
+ <jackson.version>2.9.9</jackson.version>
+ <jackson.databind.version>2.9.9.3</jackson.databind.version>
<!-- Skip assembling the zip by default -->
<skipassembly>true</skipassembly>
<!-- Tests usually require some setup that maven cannot do, so skip. -->
<dependency>
<groupId>com.fasterxml.jackson.core</groupId>
<artifactId>jackson-databind</artifactId>
- <version>${jackson.version}</version>
+ <version>${jackson.databind.version}</version>
</dependency>
<dependency>
<groupId>javax.xml.bind</groupId>
<encoding>UTF-8</encoding>
<!--<springframework.version>5.1.6.RELEASE</springframework.version>-->
<!--<hibernate.version>4.3.11.Final</hibernate.version>-->
- <!--<jackson.version>2.6.3</jackson.version>-->
<!-- Skip assembling the zip by default -->
<skipassembly>true</skipassembly>
<!-- Tests usually require some setup that maven cannot do, so skip. -->
Code Review / vid.git / commitdiff