`jackson-databind` 2.9.9.1 micro-patch released for 2 CVEs


Tatu Saloranta

Jul 3, 2019, 10:42:35 AM
to jackson-user, jacks...@googlegroups.com, jackson-announce
As per title, `2.9.9.1` of `jackson-databind` was released (ahead of
full `2.9.10` that will take longer), and contains fixes to 2 CVEs (of
polymorphic deser variety, see
https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062).

This is to be used with version 2.9.9 of other components.

-+ Tatu +-

Mark Derricutt

Aug 4, 2019, 9:36:16 PM
to jacks...@googlegroups.com

On 4 Jul 2019, at 2:42, Tatu Saloranta wrote:

> As per title, `2.9.9.1` of `jackson-databind` was released (ahead of
> full `2.9.10` that will take longer), and contains fixes to 2 CVEs (of
> polymorphic deser variety, see
Tatu,

I don't see an announcement of 2.9.9.2 of jackson-databind in the forum, but I noticed when I resolved against it, I found an issue relating to the jdk8 module.

I've pushed a test project to https://github.com/talios/broken-jackson-databind

When I drop the jackson-databind down to 2.9.9.1 - both tests pass. With 2.9.9.2 only the test not using the Jdk8 module works.

Hopefully this is a simple issue and a 2.9.9.3 can be rolled before 2.9.10?

Cheers
Mark


"The ease with which a change can be implemented has no relevance at all to whether it is the right change for the (Java) Platform for all time." — Mark Reinhold.

Mark Derricutt
http://www.theoryinpractice.net
http://www.chaliceofblood.net
http://plus.google.com/+MarkDerricutt
http://twitter.com/talios
http://facebook.com/mderricutt


Tatu Saloranta

Aug 6, 2019, 3:54:18 PM
to jacks...@googlegroups.com
On Sun, Aug 4, 2019 at 6:36 PM Mark Derricutt <ma...@talios.com> wrote:
>
> On 4 Jul 2019, at 2:42, Tatu Saloranta wrote:
>
> As per title, `2.9.9.1` of `jackson-databind` was released (ahead of
> full `2.9.10` that will take longer), and contains fixes to 2 CVEs (of
> polymorphic deser variety, see
>
> Tatu,
>
> I don't see an announcement of 2.9.9.2 of jackson-databind in the forum, but I noticed when I resolved against it, I found an issue relating to the jdk8 module.
>
> I've pushed a test project to https://github.com/talios/broken-jackson-databind
>
> When I drop the jackson-databind down to 2.9.9.1 - both tests pass. With 2.9.9.2 only the test not using the Jdk8 module works.
>
> Hopefully this is a simple issue and a 2.9.9.3 can be rolled before 2.9.10?

Yes, this unfortunate regression was reported for 2.9.9.2, fixed in
2.9.9.3 and will be in 2.9.10 as well. Another minor glitch is that
the first `jackson-bom` I released after 2.9.9.3 did not update
reference, so there's another one that should be used:

http://repo1.maven.org/maven2/com/fasterxml/jackson/jackson-bom/2.9.9.20190807/

-+ Tatu +-
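The practical outcome of this thread is that a project should land on `jackson-databind` 2.9.9.3 while its other Jackson modules (the jdk8 module included) stay on matching 2.9.9 versions, and that the `jackson-bom` release named above is the one to import. The Maven fragment below is an added illustration of how to do that, not something from the thread or from the Jackson project itself; it assumes a Maven build, and the `jackson-datatype-jdk8` coordinates are the standard ones for the jdk8 module referred to in the discussion.

```xml
<!-- Added example: pin all Jackson modules through the jackson-bom
     version Tatu pointed at, so jackson-databind 2.9.9.3 and the
     2.9.9 line of the other modules are selected together. -->
<project>
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>com.fasterxml.jackson</groupId>
        <artifactId>jackson-bom</artifactId>
        <!-- the corrected BOM from the thread; the earlier 2.9.9.x BOM
             still referenced the databind version with the jdk8 regression -->
        <version>2.9.9.20190807</version>
        <type>pom</type>
        <scope>import</scope>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- No explicit versions here: the imported BOM supplies them, which
         keeps databind and the datatype modules from drifting apart. -->
    <dependency>
      <groupId>com.fasterxml.jackson.core</groupId>
      <artifactId>jackson-databind</artifactId>
    </dependency>
    <dependency>
      <groupId>com.fasterxml.jackson.datatype</groupId>
      <artifactId>jackson-datatype-jdk8</artifactId>
    </dependency>
  </dependencies>
</project>
```

After updating, confirm what actually resolved rather than trusting the BOM version string, e.g. with `mvn dependency:tree -Dincludes=com.fasterxml.jackson.core:jackson-databind`; a transitive dependency that declares its own Jackson version can still win unless the BOM is imported in the module that builds the final artifact.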