Hello, I fully agree with Mark's remark : why would TomEE ever need jackson nice it has johnzon? Duplicating JSON-P implementations should like a bad idea...
Kind regards, Alexandre Le ven. 13 mars 2020 à 12:29, Mark Struberg <[email protected]> a écrit : > > Btw, why do we ship jackson anyway? > We used to have Johnzon only. Jackson is imo not required. > What was the reason we re-introduced it? > > > LieGrue, > strub > > > Am 11.03.2020 um 11:26 schrieb dkwakkel <[email protected]>: > > > > > > FasterXML jackson-databind 2.0.0 through 2.9.10.2 lacks certain > > xbean-reflect/JNDI blocking, as demonstrated by > > org.apache.xbean.propertyeditor.JndiConverter. > > > > 8.0.1 ships jackson-databind-2.10.0.jar and xbean-reflect-4.14.jar > > > > CVE score is 9.8, so can we expect soon TomEE 8.0.2 with this fix in it? > > > > > > > > -- > > Sent from: http://tomee-openejb.979440.n4.nabble.com/TomEE-Dev-f982480.html >
