FasterXML / jackson-jaxrs-providers

Multi-module project that contains Jackson-based "old" JAX-RS (ones under `javax.ws.rs`) providers for JSON, XML, YAML, Smile, CBOR formats
Apache License 2.0

Publish 2.13.x version with woodstox:6.4.0 to fix CVEs #161

Closed adriil closed 1 year ago

adriil commented 1 year ago

Hi team,

Is there a plan to release a version with woodstox-core:6.4.0 in the 2.13.x line, similar to versions 2.13.4.1 and 2.13.4.2 published for jackson-databind?

Thanks, Adrien

cowtowncoder commented 1 year ago

Eventually yes (2.13.5), but I don't think I have time to do micro-patch releases in the near future. Instead I would recommend that users add explicit woodstox version overrides if they want to.

Also note, however, that the default configuration by XML provider is such that CVE is NOT APPLICABLE -- DTD handling is disabled.
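
An added example (not code from the issue or from the project) of how a consumer can verify the default the maintainer describes before deciding whether a woodstox override is needed. It assumes jackson-dataformat-xml and Woodstox are on the classpath, and that the XML provider falls back to a plain `new XmlMapper()` when no mapper is injected; the sample document is constructed.

```java
import javax.xml.stream.XMLInputFactory;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.dataformat.xml.XmlFactory;
import com.fasterxml.jackson.dataformat.xml.XmlMapper;

public class XmlProviderDtdCheck {

    // Constructed sample: a document that declares an internal DTD entity.
    // With DTD support disabled the parser must refuse it rather than expand it.
    static final String DOC_WITH_DTD =
        "<!DOCTYPE root [<!ENTITY e \"expanded\">]><root><v>&e;</v></root>";

    /** True if the mapper's StAX input factory reports DTD and external entity support as off. */
    static boolean dtdDisabled(XmlMapper mapper) {
        XmlFactory xf = mapper.getFactory();
        XMLInputFactory in = xf.getXMLInputFactory();
        Object supportDtd = in.getProperty(XMLInputFactory.SUPPORT_DTD);
        Object extEntities = in.getProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES);
        return Boolean.FALSE.equals(supportDtd) && Boolean.FALSE.equals(extEntities);
    }

    /** True if the DTD-bearing document is rejected, or at least its entity is not resolved. */
    static boolean rejectsDtd(XmlMapper mapper) {
        try {
            JsonNode n = mapper.readTree(DOC_WITH_DTD);
            // Parsed without error: report whether the entity reference was expanded.
            return !"expanded".equals(n.path("v").asText());
        } catch (Exception e) {
            // Woodstox with SUPPORT_DTD=false fails on the undeclared entity.
            return true;
        }
    }

    public static void main(String[] args) {
        // Assumption: same defaults the JAX-RS XML provider uses when no XmlMapper is injected.
        XmlMapper mapper = new XmlMapper();
        System.out.println("SUPPORT_DTD disabled: " + dtdDisabled(mapper));
        System.out.println("DTD document rejected: " + rejectsDtd(mapper));
    }
}
```

If an application injects its own `XmlMapper` or `XMLInputFactory` through a `ContextResolver`, run the same check against that instance, since the default above no longer applies.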

adriil commented 1 year ago

Thank you very much for your quick answer, I didn't know that the CVE doesn't apply with default config. I'll check and if I finally need it I will override as suggested.

cowtowncoder commented 1 year ago

@adriil Yeah unfortunately a big portion of CVEs do not actually apply to many users -- so the whole cost of upgrades yields diminishing value. But then again figuring out if your system is affected is not trivial either; and maintaining overrides/exclusions for security scanners is work too.

cowtowncoder commented 1 year ago

I will close this, not because there won't be a release but because there will eventually be -- I just need to get 2.14.0 completed first.