spuru9 opened a new pull request, #28637:
URL: https://github.com/apache/flink/pull/28637
## What is the purpose of the change
jackson-databind 2.21.3 is affected by several recently published CVEs
(CVE-2026-54512 through 54518). Bumping jackson-bom to 2.21.4 fixes all of them
except CVE-2026-54515, which has no released fix in any jackson 2.x line yet
(its announced fix versions 2.21.5/2.22.1 are unreleased, and 2.22.0 is also
affected) — that one needs a follow-up once upstream ships.
## Brief change log
- `jackson-bom.version` 2.21.3 → 2.21.4 in the root pom
- Updated the NOTICE files of the 11 modules bundling non-shaded jackson
(jackson-annotations stays at 2.21, matching the bom)
## Verifying this change
This change is a dependency version bump without code changes. All affected
bundling modules build cleanly, and the bundled jackson-databind version inside
the shaded jars (flink-sql-avro, flink-kubernetes, flink-python,
flink-s3-fs-hadoop) was verified to be 2.21.4.
## Does this pull request potentially affect one of the following parts:
- Dependencies (does it add or upgrade a dependency): (yes — jackson
2.21.3 → 2.21.4, patch release)
- The public API, i.e., is any changed class annotated with
`@Public(Evolving)`: (no)
- The serializers: (no)
- The runtime per-record code paths (performance sensitive): (no)
- Anything that affects deployment or recovery: JobManager (and its
components), Checkpointing, Kubernetes/Yarn, ZooKeeper: (no)
- The S3 file system connector: (no)
## Documentation
- Does this pull request introduce a new feature? (no)
- If yes, how is the feature documented? (not applicable)
---
##### Was generative AI tooling used to co-author this PR?
- [X] Yes: Claude Code
Generated-by: Claude Code (claude-fable-5)
--
This is an automated message from the Apache Git Service.
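The "Verifying this change" section above checks that the bundled jackson-databind inside the shaded jars really is 2.21.4. Below is an added example of how that check can be scripted; it is not code from the PR or from the Flink project. It reads the Maven `pom.properties` files that the shade plugin normally keeps under `META-INF/maven/` in a fat jar, and treats a jar with no such entries as inconclusive rather than passing, since some shade configurations strip that metadata. The `build_sample_jar` helper, the in-memory jars it produces and the `EXPECTED` map (databind 2.21.4, annotations 2.21, as the PR text states) are constructed for the demonstration.

```python
"""Check the jackson artifacts bundled inside a (shaded) jar against expected versions.

Added example, not code from the Flink PR. It parses the Maven pom.properties
entries under META-INF/maven/ that the shade plugin usually carries over into
the fat jar. A jar with no such entries yields 'inconclusive', not 'ok'.
"""
import io
import re
import sys
import zipfile

# Matches META-INF/maven/<jackson groupId>/<artifactId>/pom.properties
POM_PROPS = re.compile(
    r"^META-INF/maven/(com\.fasterxml\.jackson(?:\.[\w-]+)*)/([\w.-]+)/pom\.properties$"
)


def bundled_jackson_versions(jar_bytes: bytes) -> dict:
    """Return {artifactId: version} for every jackson pom.properties in the jar."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            m = POM_PROPS.match(name)
            if not m:
                continue
            artifact = m.group(2)
            props = zf.read(name).decode("utf-8", errors="replace")
            for line in props.splitlines():
                key, sep, value = line.partition("=")
                if sep and key.strip() == "version":
                    found[artifact] = value.strip()
    return found


def check_jar(jar_bytes: bytes, expected: dict):
    """Compare bundled versions against expected {artifactId: version}.

    Returns (status, mismatches); status is 'ok', 'mismatch' or 'inconclusive'.
    mismatches maps artifactId -> version actually found (None if absent).
    """
    found = bundled_jackson_versions(jar_bytes)
    if not found:
        # No Maven metadata survived shading: we cannot tell, so do not report ok.
        return "inconclusive", {}
    mismatches = {}
    for artifact, want in expected.items():
        got = found.get(artifact)
        if got != want:
            mismatches[artifact] = got
    return ("ok" if not mismatches else "mismatch"), mismatches


def build_sample_jar(versions: dict) -> bytes:
    """Constructed in-memory jar with pom.properties entries, for demonstration only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        for artifact, version in versions.items():
            path = f"META-INF/maven/com.fasterxml.jackson.core/{artifact}/pom.properties"
            zf.writestr(
                path,
                f"version={version}\ngroupId=com.fasterxml.jackson.core\n"
                f"artifactId={artifact}\n",
            )
    return buf.getvalue()


# Expected versions after the bump described in the PR (annotations stays at 2.21).
EXPECTED = {"jackson-databind": "2.21.4", "jackson-annotations": "2.21"}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Real usage: python check_jackson.py flink-sql-avro-<version>.jar
        with open(sys.argv[1], "rb") as fh:
            print(check_jar(fh.read(), EXPECTED))
    else:
        # Constructed samples: one jar at 2.21.4, one still at 2.21.3.
        good = build_sample_jar({"jackson-databind": "2.21.4", "jackson-annotations": "2.21"})
        stale = build_sample_jar({"jackson-databind": "2.21.3", "jackson-annotations": "2.21"})
        print(check_jar(good, EXPECTED))
        print(check_jar(stale, EXPECTED))
```

Run it with a shaded jar path as the only argument to check a real build output; with no argument it checks the two constructed sample jars. Because relocated class names no longer reveal the upstream version, the Maven metadata is the most reliable indicator left inside a shaded jar, which is why the script refuses to call a jar without it "ok".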