It may depend on whether the 0.14.0 branch has been created yet or not.

On Fri, Dec 15, 2017 at 12:46 PM, Colm O hEigeartaigh (JIRA) <j...@apache.org> wrote:
> [ https://issues.apache.org/jira/browse/KNOX-1145?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16292900#comment-16292900 ]
>
> Colm O hEigeartaigh commented on KNOX-1145:
> -------------------------------------------
>
> Any objections to this patch for master?
>
> > Upgrade Jackson due to CVE-2017-7525
> > ------------------------------------
> >
> > Key: KNOX-1145
> > URL: https://issues.apache.org/jira/browse/KNOX-1145
> > Project: Apache Knox
> > Issue Type: Improvement
> > Reporter: Colm O hEigeartaigh
> > Assignee: Colm O hEigeartaigh
> > Fix For: 1.0.0
> >
> > Attachments: KNOX-1145.patch
> >
> >
> > Apache Knox currently ships the Jackson databind jar version 2.2.2. However, there is a security advisory CVE-2017-7525 released for this component:
> > https://github.com/FasterXML/jackson-databind/issues/1599
> > We should upgrade Jackson to pick this fix up.
>
>
>
> --
> This message was sent by Atlassian JIRA
> (v6.4.14#64029)