On Thu, Jan 31, 2019 at 3:25 PM Penny Wells <[email protected]> wrote:
>
> Thank you for confirming the CVE fix, we read the documentation as well but
> we are being scrutinized to confirm at various levels due to repeated
> security alerts against this library. I am thinking that confirmation from
> the immediate community (especially such proud contributors) will defend my
> stand with this library (I am the gatekeeper with the usage of external
> libraries for a large chunk of enterprise products).

Ok, fair enough. Also: if you (or anyone else) are interested in knowing even
more about Jackson security-related work, changes, there is gated group
`jackson-dev-infosec`:

https://groups.google.com/forum/#!forum/jackson-dev-infosec

in which we talk about reports, work, releases. It can help in
coordinating upgrades as well.

> I have another driving question I am being asked about the Jackson 2.9.8 Java
> 8 Support. Java 8 will not be uptaken for a big chunk of our Enterprise Java
> products out there in my lifetime (and I am relatively young), and, we own
> Java too.. go figure.

Ok, so, current thinking is that Jackson 2.x will remain pre-Java 8,
such that it should be possible to run everything on Java 6, and
compile with JDK 7 (*). Jackson 2.10 at very least will not require
Java 8.
Jackson 3.x will move baseline to Java 8 (at least -- we'll see how
things evolve, no current plans to require anything beyond)

Does this answer your question?

-+ Tatu +-

(*) there are some issues which may mean that from release side,
build+release may need to be done with JDK 8, but that's different
discussion.

> Penny W.
>
> On Wednesday, January 30, 2019 at 3:19:06 PM UTC-8, Penny Wells wrote:
>>
>> We use jackson-databind 2.9.7 but cannot upgrade to 2.9.8 due to the
>> CVE-2018-19362.
>> I do see a bugfix applied into github for 2.9.8 but can't be sure as the CVE
>> does not have this information.
>> Can someone confirm for us that this CVE (CVE-2018-19362) is fixed in the
>> latest jackson-databind 2.9.8 ?
>> thanks, Penny, Oracle Corp.
>
> --
> You received this message because you are subscribed to the Google Groups
> "jackson-user" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To post to this group, send email to [email protected].
> For more options, visit https://groups.google.com/d/optout.
