On behalf of the RabbitMQ team I'm happy to announce that the RabbitMQ
Java Client library 4.11.3 is available.
This patch bumps an optional dependency to address a vulnerability
[1]. If you don't use Jackson in the Java client JSON RPC support,
you're not affected by this vulnerability. Consult the release changes
for more details [2].
All users of the 4.x.x and 3.6.x series are encouraged to upgrade to 4.11.3.
Changes:
* Bump Jackson to 2.9.9.1
Dependency (Maven artifact)
Maven:
<dependency>
  <groupId>com.rabbitmq</groupId>
  <artifactId>amqp-client</artifactId>
  <version>4.11.3</version>
</dependency>
Gradle:
compile 'com.rabbitmq:amqp-client:4.11.3'
[1] https://nvd.nist.gov/vuln/detail/CVE-2019-12814
[2] https://github.com/rabbitmq/rabbitmq-java-client/releases/tag/v4.11.3