[
https://issues.apache.org/jira/browse/FLINK-40071?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Purushottam Sinha updated FLINK-40071:
--------------------------------------
Description:
Description:
jackson-databind 2.21.3 is affected by several recently published CVEs
(CVE-2026-54512 through 54518). 2.21.4 fixes all of them except
CVE-2026-54515, which has no released fix in any 2.x line yet.
Bump jackson-bom.version 2.21.3 -> 2.21.4 and update the NOTICE files of
modules bundling jackson.
Fixed by 2.21.4:
- CVE-2026-54512 (High)
- CVE-2026-54513 (High)
- CVE-2026-54514 (Medium)
- CVE-2026-54516 (Medium)
- CVE-2026-54517 (Medium)
- CVE-2026-54518 (Medium)
*NOTE: We will update the change when the next version is about to be released
with the latest version at that time.*
was:
Description:
jackson-databind 2.21.3 is affected by several recently published CVEs
(CVE-2026-54512 through 54518). 2.21.4 fixes all of them except
CVE-2026-54515, which has no released fix in any 2.x line yet.
Bump jackson-bom.version 2.21.3 -> 2.21.4 and update the NOTICE files of
modules bundling jackson.
Fixed by 2.21.4:
- CVE-2026-54512 (High)
- CVE-2026-54513 (High)
- CVE-2026-54514 (Medium)
- CVE-2026-54516 (Medium)
- CVE-2026-54517 (Medium)
- CVE-2026-54518 (Medium)
*NOTE: We will update the change when the next version is about to be released
with the latest version at that time. *
> Bump jackson-bom to 2.21.4+
> ---------------------------
>
> Key: FLINK-40071
> URL: https://issues.apache.org/jira/browse/FLINK-40071
> Project: Flink
> Issue Type: Technical Debt
> Components: Build System
> Reporter: Purushottam Sinha
> Priority: Minor
> Labels: pull-request-available
>
> Description:
>
> jackson-databind 2.21.3 is affected by several recently published CVEs
> (CVE-2026-54512 through 54518). 2.21.4 fixes all of them except
> CVE-2026-54515, which has no released fix in any 2.x line yet.
>
> Bump jackson-bom.version 2.21.3 -> 2.21.4 and update the NOTICE files of
> modules bundling jackson.
> Fixed by 2.21.4:
> - CVE-2026-54512 (High)
> - CVE-2026-54513 (High)
> - CVE-2026-54514 (Medium)
> - CVE-2026-54516 (Medium)
> - CVE-2026-54517 (Medium)
> - CVE-2026-54518 (Medium)
> *NOTE: We will update the change when the next version is about to be
> released with the latest version at that time.*
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
