Thank you so much! we have to stick to 2.9.10.4 for now. However, we will migrate to 2.11 soon.
On Sunday, 12 April 2020 00:32:41 UTC+5, Tatu Saloranta wrote: > > Good timing. Release was continuously delayed by new cve reports for > polymorphic deserialization, but today I decided that since there were > no open reports at this point, it'd be good time to cut release. See > my announcement I just sent. > > -+ Tatu +- > > On Sat, Apr 11, 2020 at 11:55 AM Ali Haider <[email protected] > <javascript:>> wrote: > > > > A lot of CVEs have gotten fixed in jackson-databind 2.9.10.4, for > example, the followings: > > > > * CVE-2019-16942 > > * CVE-2019-16943 > > * CVE-2019-17267 > > * CVE-2019-17531 > > > > Currently, we have to suppress these vulnerabilities otherwise our > builds would fail. > > > > Jackson-Release-2.9 micro patches list page shows the following: > > > > "jackson-databind 2.9.10.4 (NOT YET RELEASED)" > > > > Could we have any lead about when the jackson-databind 2.9.10.4 is going > to get released? > > > > Many thanks! > > > > -- > > You received this message because you are subscribed to the Google > Groups "jackson-user" group. > > To unsubscribe from this group and stop receiving emails from it, send > an email to [email protected] <javascript:>. > > To view this discussion on the web visit > https://groups.google.com/d/msgid/jackson-user/53cb845d-fd41-4cd5-b82f-862c233d748b%40googlegroups.com. > > > -- You received this message because you are subscribed to the Google Groups "jackson-user" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/jackson-user/7cae6ebb-fce7-42ee-bfdc-bd9f37fee75e%40googlegroups.com.
