Jackson-Databind Vulnerability VULNDB-275302 Issue with quarkus

[gurdaneta]

Please, anyone can help to see when Quarkus is going to fix the issue Jackson-Databind Vulnerability VULNDB-275302, I mean the existing quarkus-universe-bom/2.6.0.CR1, has an old dependency of jackson-databind (2.12.5), and I think that one is vulnerable.

Please can you guys help me on this issue, to see the fix in the new quarkus dependency.

Regards
gu

[gastaldi]

@gurdaneta can you provide a link with more details about this?

[gastaldi]

Also 2.12.6 was released yesterday (Dec 15th) so I wouldn't call our version old

[gurdaneta]

if you see the quarkus-universe-bom the latest: 2.6.0.CR1, does not have the 2.12.6 version of jackson-databind

[gurdaneta]

https://repo1.maven.org/maven2/io/quarkus/quarkus-universe-bom/2.6.0.CR1/quarkus-universe-bom-2.6.0.CR1.pom

above is the pom for quarkus, there you can see the jackson-databind 2.12.5

[gastaldi]

I know that, my question was about where I can find more details about this vulnerability

[gsmet]

I think it's probably this one: FasterXML/jackson-databind#3328 . There's not much detail about the issue except it should be irrelevant for most users.

[gurdaneta]

you mean is not relevant?, please can you clarify that for me?

[gsmet]

See the link I posted with the position of Jackson's author. I personally am unable to judge the severity of it.

[gsmet]

We have to release a 2.5.4.Final today, that will include Jackson 2.12.6. It should be available tonight Paris time.

Be careful if you really want this fix in your app: 2.6.0.Final that I will release next week won't include Jackson as it's already built. You will have to wait for 2.6.1.Final to upgrade.