Good timing. Release was continuously delayed by new cve reports for polymorphic deserialization, but today I decided that since there were no open reports at this point, it'd be good time to cut release. See my announcement I just sent.
-+ Tatu +- On Sat, Apr 11, 2020 at 11:55 AM Ali Haider <[email protected]> wrote: > > A lot of CVEs have gotten fixed in jackson-databind 2.9.10.4, for example, > the followings: > > * CVE-2019-16942 > * CVE-2019-16943 > * CVE-2019-17267 > * CVE-2019-17531 > > Currently, we have to suppress these vulnerabilities otherwise our builds > would fail. > > Jackson-Release-2.9 micro patches list page shows the following: > > "jackson-databind 2.9.10.4 (NOT YET RELEASED)" > > Could we have any lead about when the jackson-databind 2.9.10.4 is going to > get released? > > Many thanks! > > -- > You received this message because you are subscribed to the Google Groups > "jackson-user" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > To view this discussion on the web visit > https://groups.google.com/d/msgid/jackson-user/53cb845d-fd41-4cd5-b82f-862c233d748b%40googlegroups.com. -- You received this message because you are subscribed to the Google Groups "jackson-user" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/jackson-user/CAL4a10ghkbpuF%2Bef2TmTEE2rJcYNfOiEUbFT-HA6R3DMLH-sWA%40mail.gmail.com.
