Hi, I think the explanation is here http://tomee-openejb.979440.n4.nabble.com/Why-jackson-and-jonhzon-shipped-with-latest-TomEE-td4689451.html
Best, Richard Am Freitag, den 13.03.2020, 14:19 +0100 schrieb Alex The Rocker: > Hello, > > I fully agree with Mark's remark : why would TomEE ever need jackson > nice it has johnzon? > Duplicating JSON-P implementations should like a bad idea... > > Kind regards, > Alexandre > > Le ven. 13 mars 2020 à 12:29, Mark Struberg > <[email protected]> a écrit : > > > > Btw, why do we ship jackson anyway? > > We used to have Johnzon only. Jackson is imo not required. > > What was the reason we re-introduced it? > > > > > > LieGrue, > > strub > > > > > Am 11.03.2020 um 11:26 schrieb dkwakkel <[email protected]>: > > > > > > > > > FasterXML jackson-databind 2.0.0 through 2.9.10.2 lacks certain > > > xbean-reflect/JNDI blocking, as demonstrated by > > > org.apache.xbean.propertyeditor.JndiConverter. > > > > > > 8.0.1 ships jackson-databind-2.10.0.jar and xbean-reflect- > > > 4.14.jar > > > > > > CVE score is 9.8, so can we expect soon TomEE 8.0.2 with this fix > > > in it? > > > > > > > > > > > > -- > > > Sent from: > > > http://tomee-openejb.979440.n4.nabble.com/TomEE-Dev-f982480.html
