Expected release of SSM compatible with jackson 2.9.x

[a-t-u-l-k]

There are known security vulnerabilities with jackson 2.8.x. The latest release of SSM also uses 2.8.x of jackson. When can we expect a release of SSM which is compiled with Jackson 2.9.x?

I tried building SSM locally, but it has test failures on 2.9.4 onwards.

Though it worked fine with 2.9.3 and 2.9.1. Not sure if using an older version is fine?

[ragnor]

Thank you for information. Try to use the newest version of jackson from 2.8 branch (2.8.11.3) that has security fix.
I'm not sure when I release next version of SSM but I'll consider upgrading jackson to 2.9.

[a-t-u-l-k]

The jackson version which has fixes is 2.9.8, so, anything lower would not solve the problem. Regards, Atul Kumar

…

On Tue, Jan 8, 2019 at 3:45 PM Jakub ***@***.***> wrote: Thank you for information. Try to use the newest version of jackson from 2.8 branch (2.8.11.3) that has security fix. I'm not sure when I release next version of SSM but I'll consider upgrading jackson to 2.9. — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub <#83 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/ACcWYISLL9_v6sqB7XDvZF-XhsnMKi-_ks5vBG-mgaJpZM4Zoac-> .

[vrdn-23]

@ragnor
The vulnerability is documented here
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000873

[ragnor]

New version 4.1.2 has been with updated jackson has been released