FasterXML / jackson-dataformat-xml

Extension for Jackson JSON processor that adds support for serializing POJOs as XML (and deserializing from XML) as an alternative to JSON
Apache License 2.0

update 2.13.x release with com.fasterxml.woodstox:woodstox-core:6.4.0 #552

Closed rlsf closed 1 year ago

rlsf commented 1 year ago

com.fasterxml.woodstox:woodstox-core:6.3.1 is marked as vulnerable by this CVE: https://nvd.nist.gov/vuln/detail/CVE-2022-40153. I noticed the master branch already points to 6.4.0; is it possible to merge this change to the 2.13 branch and release a fix for this CVE, as 2.14 is still in the works?
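Until a 2.13.x release ships with the bump, a downstream project can pin the transitive Woodstox dependency itself. The following Maven fragment is an added example, not part of this issue or of the jackson-dataformat-xml project; it assumes a Maven build that depends on jackson-dataformat-xml 2.13.4 (the latest 2.13 release mentioned in this thread).

```xml
<!-- Added example: pin woodstox-core to the fixed version from the consuming project,
     overriding the 6.3.1 that jackson-dataformat-xml 2.13.4 (assumed here) pulls in transitively. -->
<project>
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>com.fasterxml.woodstox</groupId>
        <artifactId>woodstox-core</artifactId>
        <version>6.4.0</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <dependency>
      <groupId>com.fasterxml.jackson.dataformat</groupId>
      <artifactId>jackson-dataformat-xml</artifactId>
      <version>2.13.4</version>
    </dependency>
  </dependencies>
</project>
```

After the change, `mvn dependency:tree -Dincludes=com.fasterxml.woodstox` should show woodstox-core:6.4.0 as the only resolved version; the pin can be dropped once a 2.13.x release that declares 6.4.0 is adopted.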

cowtowncoder commented 1 year ago

Yes, that's reasonable.

rlsf commented 1 year ago

@cowtowncoder Thanks, I saw you updated the branch here: https://github.com/FasterXML/jackson-dataformat-xml/commit/ecebf4dbc3ce70c300c066aa29cb1003b465b331. Is it possible to release a patch version (2.13.5?) with this fix?

cowtowncoder commented 1 year ago

@rlsf Eventually yes. But it takes me half a day of "spare" time to do a full release so I won't be doing that for just a single dependency version update. But when 2.13.5 is ready (a few other fixes, been 2-4 months since 2.13.4), yes. So basically I have to prioritize my limited OSS development time here.

2.14.0 will be released within a week now.