(kafka) branch 4.0 updated: MINOR: Update jackson due to CVE (#21614)

Mon, 02 Mar 2026 09:18:53 -0800 

This is an automated email from the ASF dual-hosted git repository.

chia7712 pushed a commit to branch 4.0
in repository https://gitbox.apache.org/repos/asf/kafka.git


The following commit(s) were added to refs/heads/4.0 by this push:
     new d139c56df0d MINOR: Update jackson due to CVE (#21614)
d139c56df0d is described below

commit d139c56df0d17ca487714a0a3071673a87970528
Author: Viktor Somogyi-Vass <[email protected]>
AuthorDate: Mon Mar 2 18:16:53 2026 +0100

    MINOR: Update jackson due to CVE (#21614)
    
    A jackson-core vulnerability was discovered while making the second RC
    for 4.0.2:
    [https:
    
//www.miggo.io/vulnerability-database/cve/GHSA-72hv-8253-57qq](https://www.miggo.io/vulnerability-database/cve/GHSA-72hv-8253-57qq)
    
    Reviewers: Josep Prat <[email protected]>, Chia-Ping Tsai
    <[email protected]>
---
 LICENSE-binary             | 20 ++++++++++----------
 gradle/dependencies.gradle |  2 +-
 2 files changed, 11 insertions(+), 11 deletions(-)

diff --git a/LICENSE-binary b/LICENSE-binary
index 6ef883e9ad3..daeb31876b0 100644
--- a/LICENSE-binary
+++ b/LICENSE-binary
@@ -212,16 +212,16 @@ License Version 2.0:
 - commons-lang3-3.18.0
 - commons-logging-1.3.5
 - commons-validator-1.10.1
-- jackson-annotations-2.16.2
-- jackson-core-2.16.2
-- jackson-databind-2.16.2
-- jackson-dataformat-csv-2.16.2
-- jackson-dataformat-yaml-2.16.2
-- jackson-datatype-jdk8-2.16.2
-- jackson-jakarta-rs-base-2.16.2
-- jackson-jakarta-rs-json-provider-2.16.2
-- jackson-module-blackbird-2.16.2
-- jackson-module-jakarta-xmlbind-annotations-2.16.2
+- jackson-annotations-2.18.6
+- jackson-core-2.18.6
+- jackson-databind-2.18.6
+- jackson-dataformat-csv-2.18.6
+- jackson-dataformat-yaml-2.18.6
+- jackson-datatype-jdk8-2.18.6
+- jackson-jakarta-rs-base-2.18.6
+- jackson-jakarta-rs-json-provider-2.18.6
+- jackson-module-blackbird-2.18.6
+- jackson-module-jakarta-xmlbind-annotations-2.18.6
 - jakarta.inject-api-2.0.1
 - jakarta.validation-api-3.0.2
 - javassist-3.29.2-GA
diff --git a/gradle/dependencies.gradle b/gradle/dependencies.gradle
index fa6714ef702..e855fba9619 100644
--- a/gradle/dependencies.gradle
+++ b/gradle/dependencies.gradle
@@ -66,7 +66,7 @@ versions += [
   gradle: "8.10.2",
   grgit: "4.1.1",
   httpclient: "4.5.14",
-  jackson: "2.16.2",
+  jackson: "2.18.6",
   jacoco: "0.8.10",
   javassist: "3.29.2-GA",
   jetty: "12.0.25",

Reply via email to