From 4ae8f6d9c9f381f01be94348d8167bafff886d11 Mon Sep 17 00:00:00 2001 From: Les Hazlewood <121180+lhazlewood@users.noreply.github.com> Date: Thu, 11 Jul 2019 16:05:52 -0400 Subject: [PATCH] Issue 461: upgraded Jackson version to 2.9.9.1. Fixes #461. --- CHANGELOG.md | 6 ++++++ pom.xml | 2 +- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index f96310ee..31c9331d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -5,6 +5,12 @@ This patch release fixes a [memory leak](https://github.com/jwtk/jjwt/issues/392) found in the DEFLATE compression codec implementation. +It also updates the Jackson dependency version to [2.9.9.1](https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9#patches) +to address three security vulnerabilities in Jackson: +[CVE-2019-12086](https://nvd.nist.gov/vuln/detail/CVE-2019-12086), +[CVE-2019-12384](https://nvd.nist.gov/vuln/detail/CVE-2019-12384), and +[CVE-2019-12814](https://nvd.nist.gov/vuln/detail/CVE-2019-12814). + ### 0.10.6 This patch release updates the jackson-databind version to 2.9.8 to address a critical security vulnerability in that diff --git a/pom.xml b/pom.xml index 691f0743..88dc6a7c 100644 --- a/pom.xml +++ b/pom.xml @@ -88,7 +88,7 @@ UTF-8 ${user.name}-${maven.build.timestamp} - 2.9.8 + 2.9.9.1 20180130
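Review bot: In the CHANGELOG.md hunk, the added sentence "It also updates the Jackson dependency version to 2.9.9.1" does not name the artifact, while the 0.10.6 entry kept as context directly below says "updates the jackson-databind version to 2.9.8". Name the artifact the same way here (for example "updates the jackson-databind dependency version to ...") so that readers matching the three listed CVEs against their own dependency tree know which coordinate to look for. It would also help to say whether users who cannot upgrade this library can get the same fix by overriding that one dependency to 2.9.9.1 in their own build.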
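Review bot: In the pom.xml hunk (@@ -88,7 +88,7 @@), the single value changed from 2.9.8 to 2.9.9.1 is a four-part version, and the hunk does not show which dependencies consume it. The CHANGELOG entry in this same patch links 2.9.9.1 to the "#patches" section of the Jackson 2.9 release notes, so please confirm that this property is referenced only by the artifact that was actually published as 2.9.9.1. If other Jackson modules resolve their version from the same property, the build will either fail to resolve them or need a separate property for them. The diffstat shows only CHANGELOG.md and pom.xml changing, so nothing in the patch stops the version from drifting below the fixed release later. A dependency-version rule or a dependency vulnerability scan in the build would cover that.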