spring-cloud / spring-cloud-connectors

Library to let cloud applications connect to services
Apache License 2.0

Bump jackson databind 2.10.0 #305

Closed MrManz closed 4 years ago

MrManz commented 4 years ago

Update of jackson databind to version 2.10.0 which fixes several CVEs (https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.10)

pivotal-issuemaster commented 4 years ago

@MrManz Please sign the Contributor License Agreement!

pivotal-issuemaster commented 4 years ago

@MrManz Thank you for signing the Contributor License Agreement!

franzbecker commented 4 years ago

This patch would be very helpful. I was wondering why Jackson is bundled into this JAR: https://github.com/spring-cloud/spring-cloud-connectors/blob/0ebd0c419081fb14f4e416ddc2239a3f065942b7/spring-cloud-cloudfoundry-connector/build.gradle#L26

That makes it really hard to patch it should any security vulnerabilities occur (which happened frequently in recent weeks).

scottfrederick commented 4 years ago

> I was wondering why Jackson is bundled into this JAR

@franzbecker The short answer is "for historical reasons". This lib was built many years ago and designed to support multiple versions of Spring Framework and Spring Data libs, which might also depend on specific versions of Jackson. The safest thing to do was to shadow Jackson into Connectors.

As noted in the README, this project is now in maintenance mode. Only critical bugs and CVEs will be addressed going forward, which unfortunately is likely to be mostly comprised of Jackson updates.

> That makes it really hard to patch it should any security vulnerabilities occur (which happened frequently in recent weeks).

The best way to avoid being affected by these vulnerabilities is to stop using the Connectors lib and use Java CFEnv instead.
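As an added defender's check, not part of this pull request or the project's own code: a small Python inspector that looks inside a jar for a bundled (possibly relocated) copy of jackson-databind and reports its version from the Maven metadata, so a deployed artifact can be compared against the 2.10.0 bump. The sample jar it builds is constructed here for illustration; the regexes and field names are assumptions about how shading preserves paths.

```python
import io
import re
import sys
import zipfile

# Maven metadata that shading usually carries along unchanged, e.g.
# META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.properties
POM_PROPS_RE = re.compile(
    r"META-INF/maven/com\.fasterxml\.jackson\.core/jackson-databind/pom\.properties$")
# A relocated copy keeps the tail of the package path (assumption), e.g.
# shaded/com/fasterxml/jackson/databind/ObjectMapper.class
DATABIND_CLASS_RE = re.compile(r"(^|/)jackson/databind/ObjectMapper\.class$")


def find_bundled_jackson(jar_bytes: bytes) -> dict:
    """Report whether jackson-databind is bundled, where, and which version."""
    result = {"present": False, "version": None, "relocated": False, "class_path": None}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if DATABIND_CLASS_RE.search(name):
                result["present"] = True
                result["class_path"] = name
                # Anything not under the canonical package was relocated by shading
                result["relocated"] = not name.startswith("com/fasterxml/jackson/databind/")
            elif POM_PROPS_RE.search(name):
                props = jar.read(name).decode("utf-8", errors="replace")
                m = re.search(r"^version=(.+)$", props, re.MULTILINE)
                if m:
                    result["version"] = m.group(1).strip()
    return result


def build_sample_jar(version: str, prefix: str) -> bytes:
    """Constructed sample: a minimal jar carrying a (relocated) jackson-databind copy."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        # Class file body is a placeholder; only the path matters for detection
        jar.writestr(f"{prefix}com/fasterxml/jackson/databind/ObjectMapper.class", b"\xca\xfe\xba\xbe")
        jar.writestr("META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.properties",
                     f"version={version}\ngroupId=com.fasterxml.jackson.core\n"
                     "artifactId=jackson-databind\n")
    return buf.getvalue()


if __name__ == "__main__":
    # Pass a real jar path to inspect it; otherwise scan the constructed sample
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_jar("2.9.9", "shaded/")
    print(find_bundled_jackson(data))
```

If a shaded jar strips pom.properties, the inspector still reports presence and relocation but leaves the version as None, which is itself a signal to check the build that produced it.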