[GHSA-2m67-wjpj-xhg9] Jackson Core: Document length constraint bypass in blocking, async, and DataInput parsers #7319
Hi there @cowtowncoder! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository. This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory.
Pull request overview
Updates the GitHub-reviewed advisory for GHSA-2m67-wjpj-xhg9 (Jackson Core document length constraint bypass) to reflect fixed-version information for affected Maven coordinates.
Changes:
- Replaces `last_affected` with a `fixed` event for the affected version range.
- Adds `database_specific.last_known_affected_version_range` to preserve the affected upper bound.
- Updates the advisory `modified` timestamp.
| }, | ||
| { | ||
| "last_affected": "3.1.0" | ||
| "fixed": ">= 3.1.1" |
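Review bot: the added `"fixed": ">= 3.1.1"` line is not a valid OSV event value; `ranges[].events[].fixed` holds one bare version (the first non-vulnerable release) that consumers parse and compare, so it should read `"fixed": "3.1.1"`, with the comparator wording kept, if wanted, only in `database_specific.last_known_affected_version_range`. Since the same hunk removes `"last_affected": "3.1.0"`, also confirm no other `last_affected` event remains in this range: an OSV range may carry `fixed` or `last_affected`, not both.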
ranges[].events[].fixed should be a single version (the first non-vulnerable release), not a constraint string. In this repo all other advisories use values like "fixed": "3.1.1" (without >=), so ">= 3.1.1" will likely break schema/consumers; keep the comparator logic in database_specific.last_known_affected_version_range if needed.
| "fixed": ">= 3.1.1" | |
| "fixed": "3.1.1" |
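To show why the reviewer's distinction matters to anyone consuming this advisory, here is an added example of how an OSV range is evaluated; it is not code from the advisory database, from GitHub's tooling or from the Jackson project. It assumes an `introduced` event of `3.0.0` (constructed; the hunk on this page shows only the closing event) and uses a simplified dotted-numeric version compare rather than Maven's full ordering rules. It demonstrates that the `last_affected`, `fixed` and comparator-string variants of the event differ in what a consumer can conclude about 3.1.0 and 3.1.1.

```python
"""Evaluate OSV 'ranges[].events[]' the way an advisory consumer would.

Added example; not code from the advisory-database repository, GitHub
tooling or the Jackson project. The 'introduced' value and the candidate
versions are constructed for illustration. Version ordering is a simplified
dotted-numeric compare (an assumption), not the full Maven ordering spec.
"""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]
_VERSION_RE = re.compile(r"^\d+(\.\d+)*$")
_EVENT_KEYS = ("introduced", "fixed", "last_affected", "limit")


def parse_version(text: str) -> Version:
    """'3.1.0' -> (3, 1); trailing zeros are dropped so 3.1 == 3.1.0.

    A comparator string such as '>= 3.1.1' is rejected: an OSV event holds one
    bare version that consumers parse; they never evaluate an expression.
    """
    if not _VERSION_RE.match(text):
        raise ValueError(f"not a bare version: {text!r}")
    parts = tuple(int(p) for p in text.split("."))
    while len(parts) > 1 and parts[-1] == 0:
        parts = parts[:-1]
    return parts


def validate_events(events: List[Dict[str, str]]) -> Optional[str]:
    """Return None if every event is well-formed, otherwise an error message.

    Checks: exactly one known key per event, a parseable version value, and
    not both 'fixed' and 'last_affected' in one range (OSV allows at most one).
    """
    seen = set()
    for ev in events:
        keys = [k for k in ev if k in _EVENT_KEYS]
        if len(ev) != 1 or len(keys) != 1:
            return f"event must have exactly one of {_EVENT_KEYS}: {ev!r}"
        kind = keys[0]
        try:
            parse_version(ev[kind])
        except ValueError as exc:
            return f"{kind}: {exc}"
        seen.add(kind)
    if "fixed" in seen and "last_affected" in seen:
        return "a range may not carry both 'fixed' and 'last_affected'"
    return None


def is_affected(version: str, events: List[Dict[str, str]]) -> bool:
    """True if 'version' lies in a span opened by an 'introduced' event and not
    closed by the nearest later 'fixed' (exclusive) or 'last_affected'
    (inclusive) event."""
    err = validate_events(events)
    if err:
        raise ValueError(err)
    v = parse_version(version)
    starts = [parse_version(e["introduced"]) for e in events if "introduced" in e]
    # (bound, inclusive): 'fixed' closes the span at bound exclusive,
    # 'last_affected' closes it at bound inclusive.
    closers = [(parse_version(e["fixed"]), False) for e in events if "fixed" in e]
    closers += [(parse_version(e["last_affected"]), True)
                for e in events if "last_affected" in e]
    for start in starts:
        if v < start:
            continue
        later = [c for c in closers if c[0] > start or (c[1] and c[0] == start)]
        if not later:
            return True  # open-ended span: everything from 'start' upward is affected
        bound, inclusive = min(later)
        if v < bound or (inclusive and v == bound):
            return True
    return False


# Constructed sample ranges; the hunk on the page shows only the closing event.
BEFORE = [{"introduced": "3.0.0"}, {"last_affected": "3.1.0"}]
AFTER = [{"introduced": "3.0.0"}, {"fixed": "3.1.1"}]
AS_SUBMITTED = [{"introduced": "3.0.0"}, {"fixed": ">= 3.1.1"}]

if __name__ == "__main__":
    for label, events in (("before", BEFORE), ("after", AFTER)):
        for candidate in ("2.19.0", "3.1.0", "3.1.1"):
            print(label, candidate, is_affected(candidate, events))
    print("as submitted:", validate_events(AS_SUBMITTED))
```

Note the asymmetry: with `last_affected: 3.1.0`, version 3.1.1 is merely "not known affected", whereas `fixed: 3.1.1` is a positive claim that 3.1.1 contains the fix; the comparator form is rejected outright before any evaluation happens, which is the failure mode a schema-strict consumer would hit on the unfixed hunk.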
Fixed versions are available, see FasterXML/jackson-core#1570 (comment)