[
https://issues.apache.org/jira/browse/BEAM-7881?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16934747#comment-16934747
]
Romain Manni-Bucau commented on BEAM-7881:
------------------------------------------
Up, the lack of care for security by Jackson is a real concern which should
be addressed IMHO.
Any hope to get it fixed soon?
> Get rid of jackson to avoid the continuous flow of CVEs in Jackson
> ------------------------------------------------------------------
>
> Key: BEAM-7881
> URL: https://issues.apache.org/jira/browse/BEAM-7881
> Project: Beam
> Issue Type: Task
> Components: sdk-java-core
> Affects Versions: 2.14.0
> Reporter: Romain Manni-Bucau
> Priority: Blocker
>
> Jackson keeps having CVEs on all releases of databind, and transitively Beam
> sdk java core has CVEs on all its releases (for the record, when writing this
> issue you must use at least jackson-databind 2.9.9.2, but last week it was
> 2.9.9.1 and 2.14 didn't get the fix).
> It would be neat to get rid of Jackson, which has not fixed this issue for a very
> long time now, and just use JSON-B or another JSON impl to ensure the CVE is
> not usable because Beam is there.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)