When is jackson-databind 2.9.10.4 going to get released?


Ali Haider

Apr 11, 2020, 2:55:48 PM
to jackson-user
A lot of CVEs have gotten fixed in jackson-databind 2.9.10.4, for example, the following:

* CVE-2019-16942
* CVE-2019-16943
* CVE-2019-17267
* CVE-2019-17531

Currently, we have to suppress these vulnerabilities, otherwise our builds would fail.

Jackson-Release-2.9 micro patches list page shows the following:

"jackson-databind 2.9.10.4 (NOT YET RELEASED)"

Could we have any lead about when the jackson-databind 2.9.10.4 is going to get released?

Many thanks!

Tatu Saloranta

Apr 11, 2020, 3:32:41 PM
to jackson-user
Good timing. Release was continuously delayed by new CVE reports for
polymorphic deserialization, but today I decided that since there were
no open reports at this point, it'd be a good time to cut a release. See
my announcement I just sent.

-+ Tatu +-

Ali Haider

Apr 11, 2020, 3:53:53 PM
to jackson-user
Thank you so much! We have to stick to 2.9.10.4 for now. However, we will migrate to 2.11 soon.

