Btw, why do we ship jackson anyway? We used to have Johnzon only. Jackson is imo not required. What was the reason we re-introduced it?

LieGrue,
strub

> On 11.03.2020 at 11:26, dkwakkel <[email protected]> wrote:
>
> FasterXML jackson-databind 2.0.0 through 2.9.10.2 lacks certain
> xbean-reflect/JNDI blocking, as demonstrated by
> org.apache.xbean.propertyeditor.JndiConverter.
>
> 8.0.1 ships jackson-databind-2.10.0.jar and xbean-reflect-4.14.jar
>
> CVE score is 9.8, so can we expect TomEE 8.0.2 with this fix in it soon?
>
> --
> Sent from: http://tomee-openejb.979440.n4.nabble.com/TomEE-Dev-f982480.html
