ibm-cos-java-sdk-bundle 2.11.1 contains vulnerable jackson-databind 2.13.1

Question

klajok opened this issue 2 years ago · comments

The library jackson-databind version 2.13.1 is embedded in the latest version 2.11.1 of ibm-cos-java-sdk-bundle .

According to GHSA-57j2-w4cx-62h2 the above version of Jackson Databind is vulnerable.

Please prepare new release of COS Java SDK bundle with updated Jackson Databind library.

IBMeric · Answer 1 · Tue Mar 29 2022 22:31:53 GMT+0800 (China Standard Time)

Thanks for your report. We have an internal ticket to complete this work.

Harvey Bornstein · Answer 2 · Fri Apr 15 2022 06:17:45 GMT+0800 (China Standard Time)

Do you have an ETA when the new version will be available?

Harvey Bornstein · Answer 3 · Sat Apr 16 2022 20:30:04 GMT+0800 (China Standard Time)

Latest CVE requires update to 2.13.2.2. Hopefully this will be included. (I am with the the CP4D dev team)

avinash1IBM · Answer 4 · Mon Apr 18 2022 18:38:28 GMT+0800 (China Standard Time)

Thank for the update. This change will be included in the next release. Thanks

Harvey Bornstein · Answer 5 · Mon Apr 18 2022 21:27:19 GMT+0800 (China Standard Time)

Thanks Avinash - can you tell me when that is?

avinash1IBM · Answer 6 · Tue Apr 19 2022 13:32:09 GMT+0800 (China Standard Time)

Hello,
The next release will be in second quarter.
Thanks.

IBMeric · Answer 7 · Wed Apr 27 2022 04:37:58 GMT+0800 (China Standard Time)

@klajok @hbornstein747 We have released 2.11.2 to address this issue. Please verify and close this ticket.

Harvey Bornstein · Answer 8 · Fri Apr 29 2022 00:19:11 GMT+0800 (China Standard Time)

Thank you. I can verify the issue is resolved.

klajok · Answer 9 · Mon May 02 2022 16:30:50 GMT+0800 (China Standard Time)

Thank you.