On Wed, Jan 30, 2019 at 10:20 PM Laird Nelson <[email protected]> wrote:
>
> In fairness to the original poster, some of us at certain maybe mutual large
> corporations might be subject to their inflexible mysterious tone deaf
> baffling legal-department-instigated restrictions and wish very strongly we
> could change them, but we know better, so we might ask the questions we are
> required to ask, while cringing inside, and hoping we aren’t judged too
> harshly by those who can plainly view all the absurdities. I speak
> hypothetically of course.

I concur, that is a fair point. I did not mean to criticize OP for
absurdities/challenges of "Big Vulnerability" + Enterprise software
business, and can relate to challenges of having to prove that a certain
version is safe, despite sec-software vendor's tools claiming otherwise.
So my annoyance is definitely with the end result where tools are
guilty until somehow proven otherwise.

-+ Tatu +-

>
> Best,
> Laird
>
> On Wed, Jan 30, 2019 at 5:09 PM Tatu Saloranta <[email protected]> wrote:
>>
>> On Wed, Jan 30, 2019 at 3:19 PM Penny Wells <[email protected]>
>> wrote:
>> >
>> > We use jackson-databind 2.9.7 but cannot upgrade to 2.9.8 due to the
>> > CVE-2018-19362.
>> > I do see a bugfix applied into github for 2.9.8 but can't be sure as the
>> > CVE does not have this information.
>> > Can someone confirm for us that this CVE (CVE-2018-19362) is fixed in the
>> > latest jackson-databind 2.9.8 ?
>> > thanks, Penny, Oracle Corp.
>>
>> I am a bit hurt by your distrust of actual developers' information, as
>> opposed to some CVE tracker somewhere that has little idea of what
>> goes into which release :-o
>>
>> But, yes, fix to that CVE is in 2.9.8, as per official Release Notes:
>>
>> https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.8
>>
>> and linked to Github issue
>>
>> https://github.com/FasterXML/jackson-databind/issues/2186
>>
>> which are canonical definitions of where fixes go.
>>
>> -+ Tatu +-
>>
>> ps. Pox on security scan tools and their makers who make money by
>> essentially spreading FUD and misinformation.
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "jackson-user" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> To post to this group, send email to [email protected].
>> For more options, visit https://groups.google.com/d/optout.
