testcontainers/testcontainers-java

[Bug]: jackson-databind version upgrade to remediate security vulnerabilities

ZachChuba opened this issue · 3 comments

Module

Core

Testcontainers version

1.20.3

Using the latest Testcontainers version?

Yes

Host OS

Osx

Host Arch

amd64

Docker version

docker version
Client:
 Version:           26.1.4
 API version:       1.45
 Go version:        go1.21.11
 Git commit:        5650f9b
 Built:             Wed Jun  5 11:26:02 2024
 OS/Arch:           darwin/arm64
 Context:           desktop-linux

Server: Docker Desktop 4.31.0 (153195)
 Engine:
  Version:          26.1.4
  API version:      1.45 (minimum version 1.24)
  Go version:       go1.21.11
  Git commit:       de5c9cf
  Built:            Wed Jun  5 11:29:12 2024
  OS/Arch:          linux/arm64
  Experimental:     false
 containerd:
  Version:          1.6.33
  GitCommit:        d2d58213f83a351ca8f528a95fbd145f5654e957
 runc:
  Version:          1.1.12
  GitCommit:        v1.1.12-0-g51d5e94
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

What happened?

jackson-databind is vulnerable to CVE-2017-7525, which is patched in version 2.8.9 (FasterXML/jackson-databind#1599). Please upgrade to version 2.8.9 in the next release. Enterprises may blacklist test-containers due to the presence of this vulnerability. Also note: issue #9289 should be addressed in the next major release as well.

Relevant log output

Additional Information

No response

Hey, can I do this?