Jackson 2.9.9 patch release available

Tatu Saloranta

May 16, 2019, 6:51:23 PM
to jackson-announce, jackson-user
So, Jackson 2.9.9 is now out (with jackson-module-scala 2.9.9 to be
released soon), with the following fixes:

https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.9

Of more than 20 fixes, one is for a security vulnerability (just one
more gadget type for polymorphic deser), so upgrade is strongly
recommended.

After this release the main focus will be on getting 2.10.0.pr1 out as
soon as possible -- ideally before end of May 2019, but at least
during early June.

As to 2.10, while there are lots of smaller changes, fixes (see
https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.10), there
are 2 important things for which a pre-release candidate is needed in
particular:

1. Java 9+ compatible module info is being added, so Jackson 2.10 and
beyond should (eventually) work well with the new JDK Module system, even
without yet requiring use of Java 9 and beyond
2. Pluggable allow-listing approach to class validation for
polymorphic deserialization:
https://github.com/FasterXML/jackson-databind/issues/2195
which allows fully solving the main source of security
vulnerabilities via Default Typing.

-+ Tatu +-
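
The allow-listing described in item 2 of the announcement, as an added example that is not part of the original thread or the Jackson project's own code. It assumes the validator API as it later shipped in jackson-databind 2.10 (`BasicPolymorphicTypeValidator`, `activateDefaultTyping`); the classes `Circle`, `Unlisted` and `Holder` are hypothetical.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.ObjectMapper.DefaultTyping;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class AllowListDemo {
    // Hypothetical application types, constructed for this example.
    public static class Circle { public double radius = 2.0; }
    public static class Unlisted { public int x = 1; }
    public static class Holder { public Object payload; } // Object-typed: JSON must carry a type id

    static ObjectMapper allowListedMapper() {
        // Only Circle (and its subclasses) may be named as a subtype in incoming JSON.
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(Circle.class)
                .build();
        ObjectMapper mapper = new ObjectMapper();
        // The 2.9.x call was mapper.enableDefaultTyping(), which accepts any class
        // name that is not on the built-in block list of known gadget types.
        mapper.activateDefaultTyping(ptv, DefaultTyping.OBJECT_AND_NON_CONCRETE);
        return mapper;
    }

    // Serializes a Holder; the payload's class name is embedded as the type id.
    static String wrap(ObjectMapper mapper, Object payload) throws Exception {
        Holder h = new Holder();
        h.payload = payload;
        return mapper.writeValueAsString(h);
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = allowListedMapper();

        // Allow-listed type id: deserialization succeeds.
        Holder parsed = mapper.readValue(wrap(mapper, new Circle()), Holder.class);
        System.out.println("accepted: " + parsed.payload.getClass().getSimpleName());

        // Type id outside the allow-list: the validator rejects it.
        String notListed = wrap(mapper, new Unlisted());
        try {
            mapper.readValue(notListed, Holder.class);
            System.out.println("unexpected: unlisted type was deserialized");
        } catch (InvalidTypeIdException e) {
            System.out.println("rejected: " + e.getTypeId());
        }
    }
}
```

Serialization does not consult the validator, which is why the same mapper can produce the JSON that it then refuses to read back.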

Алексей Рединский

May 21, 2019, 6:48:02 PM
to jackson-user
If we are not using the JDK11 module system, is Jackson 2.9.9 JDK11 compatible? In the sense of byte code, not using sun internal classes, not using removed API and so on.

Tatu Saloranta

May 21, 2019, 6:51:05 PM
to jackson-user
On Tue, May 21, 2019 at 3:48 PM Алексей Рединский <aredi...@gmail.com> wrote:
>
> If we are not using the JDK11 module system, is Jackson 2.9.9 JDK11 compatible? In the sense of byte code, not using sun internal classes, not using removed API and so on.

Yes, it should be as compatible as previous 2.9.x versions, and
does include minimal support in the form of Automatic-Module-Name.

2.10.0 will add full module definitions (but will not require use of
JDK 9 or later -- JDK 6 runtime is enough, JDK 8 to build).

-+ Tatu +-
