Aws-sdk-java: Request to update jackson version to avoid Jackson Deserializer security vulnerability

Created on 11 May 2017 · 3 Comments · Source: aws/aws-sdk-java

Please look at https://github.com/FasterXML/jackson-databind/issues/1599; the fix has been included in, e.g., the 2.7.9.1 release. Not sure if the security issue happens with the functionality the AWS SDK provides. But AWS SDK client apps that depend on Jackson may want to use the new version (they might use version 2.6.6, which comes from the AWS SDK).

guidance

All 3 comments

We have to maintain backwards compatibility with Java 6 and thus we can't upgrade to Jackson 2.7+. Customers running on JDK 7+ can safely switch out to use Jackson 2.7+.

FYI, in the original issue's thread @cowtowncoder mentioned that jackson-databind v2.6.7.1 has been released to target it for Jackson's v2.6.* users.

@skrzyneckik, not sure if that was a request or just a statement, but we do already depend on 2.6.7.1.
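One way to check which jackson-databind version a build actually resolves against the two patched releases named in this thread (2.7.9.1 and 2.6.7.1), added here as an example and not part of the original thread or of the AWS SDK. It assumes `mvn dependency:tree` output; the function names and the sample tree are constructed, and release lines the thread does not mention are reported as `unknown`.

```python
import re

# Patched releases named in the thread, keyed by (major, minor) release line.
PATCHED = {(2, 6): (2, 6, 7, 1), (2, 7): (2, 7, 9, 1)}

# jackson-databind coordinate as printed by `mvn dependency:tree`, e.g.
# "com.fasterxml.jackson.core:jackson-databind:jar:2.6.6:compile".
COORD = re.compile(
    r"com\.fasterxml\.jackson\.core:jackson-databind:jar:([^:\s]+):(\w+)")

def parse_version(text):
    """Return the version as a tuple of ints, or None if it is not purely numeric."""
    parts = text.split(".")
    if not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def classify(version_text):
    """Compare one version with the patched release of its 2.x line."""
    version = parse_version(version_text)
    if version is None or len(version) < 2:
        return "unknown"
    patched = PATCHED.get(version[:2])
    if patched is None:
        return "unknown"  # release line not discussed in the thread
    # Tuple comparison ranks 2.6.7 below 2.6.7.1. Assumption: later releases
    # in the same line keep the fix.
    return "patched" if version >= patched else "needs-upgrade"

def scan_tree(tree_output):
    """Return (version, scope, status) for each jackson-databind line found."""
    findings = []
    for line in tree_output.splitlines():
        match = COORD.search(line)
        if match:
            version, scope = match.groups()
            findings.append((version, scope, classify(version)))
    return findings

# Constructed sample: three modules resolving different versions.
SAMPLE_TREE = """\
[INFO] +- com.fasterxml.jackson.core:jackson-databind:jar:2.6.6:compile
[INFO] +- com.fasterxml.jackson.core:jackson-databind:jar:2.6.7.1:compile
[INFO] \\- com.fasterxml.jackson.core:jackson-databind:jar:2.7.9:runtime
"""

if __name__ == "__main__":
    for version, scope, status in scan_tree(SAMPLE_TREE):
        print(f"jackson-databind {version} ({scope}): {status}")
```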
