Re: [PR] Bump jackson.version from 2.15.2 to 2.15.3 [tika]
m1ch3lp3r3z commented on PR #1399: URL: https://github.com/apache/tika/pull/1399#issuecomment-1814577583 Thank you Tim!, I appreciate you taking a deeper look! we'll be in the look out for 2.9.2 -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: dev-unsubscr...@tika.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
Re: [PR] Bump jackson.version from 2.15.2 to 2.15.3 [tika]
tballison commented on PR #1399: URL: https://github.com/apache/tika/pull/1399#issuecomment-1812616823 I looked over the git logs around the 2.9.1 release, and I should have included this dependency bump _before_ cutting 2.9.1-rc1. I suspect I was not eager to bump the dependencies right before a release without more in depth testing. That said, I reviewed this "vulnerability" just now. I concur with the jackson developers and others on [this issue](https://github.com/FasterXML/jackson-databind/issues/3972#issuecomment-1596308216) that this is not a problem despite what security scanners complain about. I personally don't think this merits a new release. I have no doubt that other, actual vulnerabilities will be found in our dependencies which would trigger a 2.9.2 soon enough. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: dev-unsubscr...@tika.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
Re: [PR] Bump jackson.version from 2.15.2 to 2.15.3 [tika]
m1ch3lp3r3z commented on PR #1399: URL: https://github.com/apache/tika/pull/1399#issuecomment-1809223008 Are we releasing this upgrade any time soon? We are using tika-server [2.9.1](https://archive.apache.org/dist/tika/2.9.1/), and it seems like that version still depends on `jackson` 2.15.2 which seems to have a [vulnerability](https://nvd.nist.gov/vuln/detail/CVE-2023-35116) fixed in 2.15.3 (this PR version). Thank you! -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: dev-unsubscr...@tika.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
Re: [PR] Bump jackson.version from 2.15.2 to 2.15.3 [tika]
tballison commented on PR #1399: URL: https://github.com/apache/tika/pull/1399#issuecomment-1761821120 Thank you for this, @solomax. We'll make the string length adjustable via: https://issues.apache.org/jira/browse/TIKA-4154 -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: dev-unsubscr...@tika.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
Re: [PR] Bump jackson.version from 2.15.2 to 2.15.3 [tika]
solomax commented on PR #1399: URL: https://github.com/apache/tika/pull/1399#issuecomment-1761032026 JFYI @THausherr @tballison According to this ticket https://issues.apache.org/jira/browse/AVRO-3754 2.15 can introduce some troubles -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: dev-unsubscr...@tika.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
Re: [PR] Bump jackson.version from 2.15.2 to 2.15.3 [tika]
THausherr merged PR #1399: URL: https://github.com/apache/tika/pull/1399 -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: dev-unsubscr...@tika.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org