Magnolia 6.2.25 known issues
Possible runtime issues using jackson (6.2.25 only)
For Magnolia 6.2.25 only, we have upgraded to jackson-databind 2.13.4 so we are not vulnerable to CVE-2022-42004. However, Magnolia 6.2.25 still uses jackson-core 2.12.x, and jackson-databind 2.13.4 calls some classes in jackson-core that are only available from 2.13.x. Though the upgrade improves security for Magnolia, you may encounter some runtime issues using jackson.
Workaround
If you are experiencing issues after this update, try rolling back jackson-databind to version 2.12.7.1, which has been released in the meantime and as of October 25 (2022) has not been reported as vulnerable to any CVEs.
See Private BUILD-921 for more details.
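
To check whether a deployment has the version split described above, the following added example (not part of Magnolia's documentation or code) compares the minor lines of the jackson-core and jackson-databind jars it finds. The sample jar names, the jackson-core patch level and the WEB-INF/lib location are assumptions for illustration.

```python
import re
import sys
from pathlib import Path

# Maven-style jar names, e.g. jackson-databind-2.12.7.1.jar (3 or 4 numeric parts).
JAR_RE = re.compile(r"^(jackson-(?:core|databind))-(\d+(?:\.\d+){2,3})\.jar$")

# Constructed sample listings. The page only says jackson-core is "2.12.x";
# the patch level 2.12.7 below is a placeholder for illustration.
AS_SHIPPED = ["jackson-core-2.12.7.jar", "jackson-databind-2.13.4.jar", "guava-31.1-jre.jar"]
ROLLED_BACK = ["jackson-core-2.12.7.jar", "jackson-databind-2.12.7.1.jar"]


def jackson_versions(jar_names):
    """Return {artifact: set of version tuples} for jackson-core and jackson-databind."""
    found = {}
    for name in jar_names:
        m = JAR_RE.match(Path(name).name)
        if m:
            version = tuple(int(part) for part in m.group(2).split("."))
            found.setdefault(m.group(1), set()).add(version)
    return found


def check_alignment(jar_names):
    """List findings; an empty list means databind does not outrun core."""
    versions = jackson_versions(jar_names)
    fmt = lambda v: ".".join(map(str, v))
    findings = [
        f"{artifact}: several versions present ({', '.join(fmt(v) for v in sorted(vs))})"
        for artifact, vs in sorted(versions.items()) if len(vs) > 1
    ]
    for databind in sorted(versions.get("jackson-databind", ())):
        for core in sorted(versions.get("jackson-core", ())):
            # Compare major.minor only: databind from a newer minor line may
            # call jackson-core classes that the older minor line lacks.
            if databind[:2] > core[:2]:
                findings.append(
                    f"jackson-databind {fmt(databind)} is newer than jackson-core {fmt(core)}"
                )
    return findings


if __name__ == "__main__":
    # Pass a library directory (for example a webapp's WEB-INF/lib) to scan real jars.
    names = [p.name for p in Path(sys.argv[1]).glob("*.jar")] if len(sys.argv) > 1 else AS_SHIPPED
    for finding in check_alignment(names):
        print("MISMATCH:", finding)
```

Run without arguments it reports the mismatch in the constructed as-shipped listing; the rolled-back listing produces no findings.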