Bugfixes

| Incident number | Summary (problem description) | Resolution |
| --- | --- | --- |
| PUB-192 | Fix CVE-2016-10036 | False positive. The CVE is not applicable to the Artifactory client libraries Blueriq uses. |
| PUB-193 | Fix CVE-2019-12086 | The Jackson dependencies have been upgraded to version 2.9.9, which doesn't contain the vulnerability. |
| PUB-195 | Fix CVEs: CVE-2019-10321, CVE-2019-10322, CVE-2019-10323, CVE-2019-10324 | False positives. The CVEs are not applicable to the Artifactory client libraries Blueriq uses. |
| PUB-196 | Fix CVEs: CVE-2019-11269, CVE-2019-12814 | CVE-2019-11269: fixed by upgrading Spring Security OAuth to 2.3.6. CVE-2019-12814: false positive; Jackson Databind is not used in a way that makes the usage of the library dangerous. |
| BQ-7895 | Timestamps in Publisher logs are wrong, mixing minutes with months | The problem is now fixed. |

Upgrade Instructions

There are no specific upgrade instructions. When you upgrade from version 4.x, however, please take a look at Platform support and Installing Publisher 5 because of the upgrade to Java 11.

3rd Party Libraries

A separate page lists all the 3rd party libraries that are used in the Publisher. For more information, see Blueriq Publisher 5 libraries.