The issue described by the CVE manifests itself when deserialising JSON into a Java POJO. Logstash-logback-encoder does just the opposite and is therefore not affected by the issue. We will upgrade Jackson to the latest version in the next upcoming release. In the meantime, you can safely force a newer version of Jackson in your project by adding the following in your Maven pom:

    <dependencyManagement>
      <dependencies>
        <!-- Importing the Jackson BOM pins every Jackson module to this version -->
        <dependency>
          <groupId>com.fasterxml.jackson</groupId>
          <artifactId>jackson-bom</artifactId>
          <version>2.13.2.2</version>
          <type>pom</type>
          <scope>import</scope>
        </dependency>
      </dependencies>
    </dependencyManagement>
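The BOM override in the reply only helps if Maven actually resolves jackson-databind at the pinned version, which transitive dependencies can still prevent. As an added check (not from the discussion or the project), the script below parses `mvn dependency:tree` output and compares the resolved jackson-databind version against the 2.13.2.2 pin; both dependency trees in it are constructed samples, not captured from a real build.

```bash
#!/bin/sh
# Added example: confirm that the jackson-bom override from the reply took
# effect by reading `mvn dependency:tree` output. Both trees are constructed.
set -eu

MIN_DATABIND_VERSION="2.13.2.2"   # version the BOM import is meant to pin

# Constructed: tree after the override took effect.
SAMPLE_TREE='[INFO] com.example:app:jar:1.0.0
[INFO] +- net.logstash.logback:logstash-logback-encoder:jar:7.0.1:compile
[INFO] |  \- com.fasterxml.jackson.core:jackson-databind:jar:2.13.2.2:compile
[INFO] |     \- com.fasterxml.jackson.core:jackson-core:jar:2.13.2:compile
[INFO] \- ch.qos.logback:logback-classic:jar:1.2.11:compile'

# Constructed: tree where the transitive 2.13.0 still wins (override missing).
STALE_TREE='[INFO] com.example:app:jar:1.0.0
[INFO] \- net.logstash.logback:logstash-logback-encoder:jar:7.0.1:compile
[INFO]    \- com.fasterxml.jackson.core:jackson-databind:jar:2.13.0:compile'

# Print the resolved version of groupId:artifactId ($1) from tree text on stdin.
resolved_version() {
  sed -n "s/.*[[:space:]]$1:[a-z-]*:\([^:]*\):.*/\1/p" | head -n 1
}

# version_ge A B: succeed if dotted numeric version A >= B. Handles 4-part
# micro releases such as 2.13.2.2; qualifiers like -SNAPSHOT are not handled.
version_ge() {
  local a="$1" b="$2" x y
  while [ -n "$a" ] || [ -n "$b" ]; do
    x="${a%%.*}"; y="${b%%.*}"
    [ "$x" = "$a" ] && a="" || a="${a#*.}"
    [ "$y" = "$b" ] && b="" || b="${b#*.}"
    [ "${x:-0}" -gt "${y:-0}" ] && return 0
    [ "${x:-0}" -lt "${y:-0}" ] && return 1
  done
  return 0
}

# check_tree: read a dependency tree on stdin; 0 if jackson-databind is at or
# above MIN_DATABIND_VERSION, 1 if it is older, 2 if it is absent.
check_tree() {
  local v
  v="$(resolved_version com.fasterxml.jackson.core:jackson-databind)"
  [ -n "$v" ] || { echo "jackson-databind not in tree" >&2; return 2; }
  if version_ge "$v" "$MIN_DATABIND_VERSION"; then
    echo "OK: jackson-databind $v >= $MIN_DATABIND_VERSION"
  else
    echo "STALE: jackson-databind $v < $MIN_DATABIND_VERSION" >&2; return 1
  fi
}

# Real project: mvn -q dependency:tree -Dincludes=com.fasterxml.jackson.core | check_tree
printf '%s\n' "$SAMPLE_TREE" | check_tree            # OK: 2.13.2.2
printf '%s\n' "$STALE_TREE"  | check_tree || true    # STALE: 2.13.0
```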
Latest version (7.0.1) depends on Jackson 2.13.0 which contains a high severity vulnerability: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36518. Is it possible to release a new version with this issue fixed?