There's a CVE in Jackson 2.11.x that isn't fixed, so it probably makes
sense to upgrade to 2.13.x?

Colm.

On Fri, Apr 8, 2022 at 4:08 PM Daniel Kulp <dk...@apache.org> wrote:
>
>
> Andriy,
>
> I just tried pushing the update to 1.6.6 to 3.4.x, but it’s failing in the
> Karaf validation. 1.6.6 apparently requires Jackson 2.13 whereas 3.4 uses
> 2.11. Thus, the choice is to also upgrade Jackson or keep on 1.6.5. Any
> thoughts?
>
> Dan
>
>
>
> > On Apr 8, 2022, at 10:51 AM, Andriy Redko <drr...@gmail.com> wrote:
> >
> > Hi Dan,
> >
> > Sorry for late notice, may I push 1 commit to 3.4.x (Swagger update)
> > before the release? Thanks!
> >
> > Best Regards,
> >    Andriy Redko
> >
> > DK> I plan on doing the builds tomorrow. If there are any last minute
> > updates/changes, please get them in ASAP.
> >
> > DK> Thanks!
> > DK> Dan
> >
> >
> >
> >
> >>> On Apr 7, 2022, at 7:31 AM, Colm O hEigeartaigh <cohei...@apache.org> 
> >>> wrote:
> >
> >>> Hi Dan,
> >
> >>> We are ready to go for 3.5.2 and 3.4.7 whenever you can do the releases.
> >
> >>> Colm.
> >
> >>> On Thu, Apr 7, 2022 at 2:36 AM Jim Ma <mail2ji...@gmail.com> wrote:
> >
> >
> >
> >>>> On Thu, Apr 7, 2022 at 5:25 AM Andriy Redko <drr...@gmail.com> wrote:
> >
> >>>>> Hey Colm,
> >
> >>>>> https://issues.apache.org/jira/browse/CXF-8683 is moved to next 
> >>>>> release, for
> >>>>> https://issues.apache.org/jira/browse/CXF-8668 we already have PRs 
> >>>>> open, @Jim
> >>>>> could you please wrap them up? Thank you!
> >
> >
> >>>> It can be merged. I added these changes to the 3.5.x and 3.4.x branch.
> >
> >
> >
> >>>>> Best Regards,
> >>>>>   Andriy Redko
> >
> >
> >>>>> COh> We still have these two issues as "To Do", shall we defer them to 
> >>>>> the
> >>>>> COh> next release?
> >
> >>>>> COh> https://issues.apache.org/jira/browse/CXF-8668
> >>>>> COh> https://issues.apache.org/jira/browse/CXF-8683
> >
> >>>>> COh> Colm.
> >
> >>>>> COh> On Wed, Apr 6, 2022 at 11:33 AM Jim Ma <mail2ji...@gmail.com> 
> >>>>> wrote:
> >
> >>>>>>> +1
> >
> >>>>>>> On Tue, Apr 5, 2022 at 8:59 PM Colm O hEigeartaigh 
> >>>>>>> <cohei...@apache.org> wrote:
> >
> >>>>>>>> Hi,
> >
> >>>>>>>> We've received a JIRA request to get new releases out due to the
> >>>>>>>> recent Spring CVE issue. I think it's reasonable due to the publicity
> >>>>>>>> surrounding the issue, and also we have quite a few issues fixed 
> >>>>>>>> since
> >>>>>>>> the last releases.
> >
> >>>>>>>> WDYT - can we aim to call a vote in around a week or so?
> >
> >>>>>>>> Colm.
> >
> >
>
> --
> Daniel Kulp
> dk...@apache.org
> Talend - https://talend.com
>
