Jackson-databind 2.9.10.6 micro-patch (via jackson-bom 2.9.10.20200824) was just released,
with 4 polymorphic deserialization CVE fixes (none of which is likely to affect anyone:
2 are in obscure libraries, 2 in other extremely obscure ones -- but since they were
reported, they were appropriately blocked out of an abundance of caution).
See release notes here:
https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9
At this point the plan for the 2.9 branch is to be fully closed by end of 2020.

In addition, the criteria for including further blocks for polymorphic types will be
tightened further after September 1, 2020, so that only libraries that are referenced
by at least 10 other public projects (as per https://mvnrepository.com/) qualify for
inclusion (or, in rare cases, a class found in the JDK or Android SDK).
This change is to reduce the toil of releasing new versions that address theoretical
issues exposed by obscure third-party libraries (the new micro-patch has 2 such blocks).
Since 2.11.0 is already available (and 2.10 and 2.11 both add features to fully block
these attacks), we strongly recommend that downstream projects start migrating away from
versions 2.9 and older, especially if you do use polymorphic deserialization as described on
https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062
Upgrading to at least 2.10.5 is recommended in general too, but is especially useful to
make vuln scan tools happy. :)
-+ Tatu +-
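The "features to fully block these attacks" in 2.10+ are the PolymorphicTypeValidator API and the activateDefaultTyping() replacement for enableDefaultTyping(). The following is an added example, not code from the announcement or the Jackson project, showing the pre-2.10 configuration beside the allow-listed one; the Envelope/Note classes, the "com.example.model." package prefix and the sample JSON are constructed for illustration.

```java
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class SafeDefaultTyping {
    // Constructed domain types. The payload field is declared as Object, which is the
    // shape that makes default typing attractive and, without a validator, risky.
    // Envelope is final so NON_FINAL default typing does not demand a type id at the root.
    public static final class Envelope { public Object payload; }
    public static class Note { public String text; }

    // Pre-2.10 style: any class name on the classpath is accepted as a type id.
    // Version-specific blocklists (such as the 2.9.10.6 micro-patch) are the only defence.
    static ObjectMapper legacyMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping(); // deprecated since 2.10
        return m;
    }

    // 2.10+ style: only explicitly allowed subtypes may be instantiated from a type id.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
            .allowIfSubType("com.example.model.") // hypothetical package prefix of own types
            .allowIfSubType(Note.class)           // or individual classes
            .build();
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return m;
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = hardenedMapper();
        // Constructed inputs: NON_FINAL default typing encodes values as [typeId, value].
        String allowed = "{\"payload\":[\"SafeDefaultTyping$Note\",{\"text\":\"hi\"}]}";
        String denied  = "{\"payload\":[\"com.example.notallowed.Thing\",{}]}";

        Envelope e = mapper.readValue(allowed, Envelope.class);
        System.out.println("payload text: " + ((Note) e.payload).text);

        try {
            mapper.readValue(denied, Envelope.class);
        } catch (JsonMappingException ex) {
            // The validator refuses the type id before any class is instantiated.
            System.out.println("rejected: " + ex.getOriginalMessage());
        }
    }
}
```

The legacyMapper() variant is kept only to show what is being replaced; on 2.10+ the validator-based mapper is the one to ship, and the allow-list should name only the application's own types.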