Thank you for confirming the CVE fix, we read the documentation as well but we are being scrutinized to confirm at various levels due to repeated security alerts against this library. I am thinking that confirmation from the immediate community (especially such proud contributors) will defend my stand with this library (I am the gatekeeper with the usage of external libraries for a large chunk of enterprise products).
I have another driving question I am being asked about the Jackson* 2.9.8 Java 8 Support*. Java 8 will not be uptaken for a big chunk of our Enterprise Java products out there in my lifetime (and I am relatively young), and, we own Java too.. go figure. Penny W. On Wednesday, January 30, 2019 at 3:19:06 PM UTC-8, Penny Wells wrote: > > We use jackson-databind 2.9.7 but cannot upgrade to 2.9.8 due to the > *CVE-2018-19362.* > *I do see a bugfix applied into github for 2.9.8 but can't be sure as the > CVE does not have this information.* > *Can someon confirm for us that this CVE (* > *CVE-2018-19362) is fixed in the latest jackson-databind 2.9.8 ?* > > *thanks, Penny, Oracle Corp.* > -- You received this message because you are subscribed to the Google Groups "jackson-user" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. For more options, visit https://groups.google.com/d/optout.
