Jackson-databind 2.9.10.6 micro-patch (via jackson-bom 2.9.10.20200824) was just released, with 4 polymorphic deserialization CVE fixes (none of which is likely to affect anyone: 2 obscure libraries, 2 other extremely obscure ones, but since they were reported they were blocked out of an abundance of precaution).

See release notes here: https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9

At this point the plan for the 2.9 branch is to be fully closed by end of 2020. In addition, the criteria for including further blocks for polymorphic types will be tightened further after September 1, 2020, so that only libraries that are referenced by at least 10 other public projects (as per https://mvnrepository.com/) qualify for inclusion (or, in rare cases, a class found in the JDK or Android SDK). This change is to reduce the toil of releasing new versions that address theoretical issues exposed by obscure third-party libraries (the new micro-patch has 2 such blocks).

Since there is already 2.11.0 available (and 2.10 and 2.11 both add features to fully block these attacks), we strongly recommend that downstream projects start migrating away from versions 2.9 and older, especially if you do use polymorphic deserialization as described on https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062

Upgrading to 2.10.5 at least is recommended in general too, but is especially useful to make vuln scan tools happy. :)

-+ Tatu +-
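The 2.10+ feature the message refers to is allow-list based subtype validation (PolymorphicTypeValidator), which replaces the per-class deny-list that each 2.9 micro-patch had to extend. The following is an added Java example, not part of Tatu's message or the Jackson project's own code; the demo.model package, the Envelope and Greeting classes and the sample JSON are constructed for illustration.

```java
package demo.model;

import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class SafePolymorphicDemo {

    // Constructed model: the payload field accepts any subtype, chosen by the
    // "@class" property in the JSON. This is the pattern the 2.9 block-list guards.
    public static class Envelope {
        @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS)
        public Object payload;
    }

    // Constructed legitimate payload type; it lives under the allowed package prefix.
    public static class Greeting {
        public String text;
    }

    // Jackson 2.10+: an explicit allow-list of subtypes. Anything not matching the
    // prefix is rejected, whether or not it appears on any block-list.
    public static ObjectMapper safeMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("demo.model.")   // only our own model classes
                .build();
        return new ObjectMapper().setPolymorphicTypeValidator(ptv);
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = safeMapper();

        // Type id inside the allow-list: deserializes normally.
        String ok = "{\"payload\":{\"@class\":\"demo.model.SafePolymorphicDemo$Greeting\",\"text\":\"hi\"}}";
        Envelope e = mapper.readValue(ok, Envelope.class);
        System.out.println("accepted: " + ((Greeting) e.payload).text);

        // Type id outside the allow-list (a harmless JDK class, constructed for the demo):
        // the validator denies it before any instance of that class is created.
        String blocked = "{\"payload\":{\"@class\":\"java.util.HashMap\"}}";
        try {
            mapper.readValue(blocked, Envelope.class);
        } catch (InvalidTypeIdException ex) {
            System.out.println("rejected: " + ex.getMessage());
        }
    }
}
```

The same validator type is what `activateDefaultTyping(ptv, ...)` takes in 2.10+ for the default-typing case; the old argument-less `enableDefaultTyping()` is the configuration the medium post above warns about.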
