Magnolia 6.2.25 known issues
For Magnolia 6.2.25 only, we have upgraded to jackson-databind
2.13.4 so we are not vulnerable to CVE-2022-42004. However, Magnolia 6.2.25 still uses jackson-core
2.12.x and jackson-databind
2.13.4 calls some classes in jackson-core that are only available from
2.13.x. Though the upgrade improves security for Magnolia, you may encounter some runtime issues using jackson.
If you are experiencing issues after this update, try rolling back jackson-databind to version
18.104.22.168, which has been released in the meantime and as of October 25 (2022) has not been reported as vulnerable to any CVEs.
See Private BUILD-921 for more details.