Jackson-databind 2.9.10.4 micro-patch (via jackson-bom 2.9.10.20200411) -- 4 CVEs -- was just released. See release notes here:
https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9

At this point there may still be one more micro-patch coming if there are CVE reports; however, the plan is to fully close the 2.9 branch by end of September, 2020. Since there is already 2.11.0 available (and 2.10 and 2.11 both add features to fully block these attacks), there is little point in adding blocks for ever more obscure 3rd party libraries.

So please consider migrating away from Jackson 2.9 and earlier versions, especially if you do use polymorphic deserialization as described on https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 (upgrade recommended in general, but from a security perspective the problems only apply to certain types of polymorphic deserialization).

-+ Tatu +-
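The "features to fully block these attacks" the post refers to are the `PolymorphicTypeValidator` API and the `activateDefaultTyping(...)` methods that Jackson 2.10 introduced to replace the unrestricted `enableDefaultTyping()`. The example below is an added illustration, not code from the post or from the Jackson project: it configures an `ObjectMapper` with an allow-list validator so that a `@class` type id naming anything outside the application's own `Shape` hierarchy is rejected before the named class is ever loaded. The `Shape`/`Circle` types and the sample JSON are constructed for this example.

```java
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class SafeDefaultTyping {

    // Hypothetical application types: the only classes we ever want Jackson
    // to instantiate from a type id in incoming JSON.
    public interface Shape {}

    public static class Circle implements Shape {
        public double radius;
    }

    // Allow-list validator (2.10+): a type id is accepted only if the class it
    // names is assignable to Shape. Anything else is denied by name, so the
    // class is never loaded, let alone constructed.
    static PolymorphicTypeValidator shapeOnlyValidator() {
        return BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(Shape.class)
                .build();
    }

    // Replacement for the legacy mapper.enableDefaultTyping() call:
    // same NON_FINAL / "@class" property behaviour, but gated by the validator.
    static ObjectMapper hardenedMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(shapeOnlyValidator(),
                ObjectMapper.DefaultTyping.NON_FINAL,
                JsonTypeInfo.As.PROPERTY);
        // Also applies the same allow-list to @JsonTypeInfo-annotated properties.
        mapper.setPolymorphicTypeValidator(shapeOnlyValidator());
        return mapper;
    }

    // Returns true when the mapper refused the type id, false when it
    // produced a Shape instance.
    static boolean rejects(ObjectMapper mapper, String json) {
        try {
            Shape s = mapper.readValue(json, Shape.class);
            return s == null;
        } catch (JsonMappingException e) {
            // InvalidTypeIdException (a JsonMappingException subclass) is what
            // the validator raises: "... denied resolution".
            return true;
        } catch (java.io.IOException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = hardenedMapper();

        // Constructed sample: the mapper's own output for a Circle, which
        // carries the "@class" id that default typing adds.
        Circle c = new Circle();
        c.radius = 1.5;
        String ok = mapper.writerFor(Shape.class).writeValueAsString(c);
        System.out.println(ok);
        System.out.println("circle rejected? " + rejects(mapper, ok));   // false

        // Constructed sample: a type id naming a JDK class that is not a Shape.
        // With the allow-list it is refused by name; with the old
        // enableDefaultTyping() Jackson would have tried to load and build it.
        String foreign = "{\"@class\":\"java.util.HashMap\",\"radius\":1.5}";
        System.out.println("foreign type rejected? " + rejects(mapper, foreign)); // true
    }
}
```

If the application's subtypes are spread across many classes, `allowIfSubType("com.example.model.")` (a package-prefix rule; the package name here is a placeholder) is the usual alternative to a single base class, and still denies unknown names before class loading. The validator approach is the reason the post says 2.10 and 2.11 make per-library block-lists unnecessary: rather than enumerating dangerous classes, the mapper only resolves the ones you declared.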
