Jackson 2.9.10 patch release available

Tatu Saloranta

Sep 21, 2019, 9:33:55 PM
to jackson-user, jackson-announce
Jackson 2.9.10 is now out (with jackson-module-scala 2.9.9 to be
released soon) and includes the following fixes:

https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.10

most of which are polymorphic deserialization related CVEs (see
https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062
for background).

Upgrade is recommended from earlier 2.9.x patch releases since many
security tools will flag earlier versions as having vulnerabilities:
otherwise the number of fixes is low.

This will very likely be the last full 2.9.x release; it is possible
that micro-patch releases (2.9.10.1, 2.9.10.2 etc) may be made in
future for `jackson-databind` and other components for critical fixes.

But the focus otherwise is to get 2.10.0 released: the hope is to get that
release out within the next 10 days, before the end of September 2019.

-+ Tatu +-