On Tue, Feb 23, 2021 at 11:26 AM Tatu Saloranta <[email protected]> wrote:
>
> On Tue, Feb 23, 2021 at 11:14 AM Tatu Saloranta <[email protected]> wrote:
>>
>> On Tue, Feb 23, 2021 at 3:22 AM Mario Arzileiro <[email protected]> wrote:
>>>
>>> Hello,
>>>
>>> Sorry if I wasn't clear, let me just enumerate some assumptions; if any of
>>> this is not true, please let me know and we can clarify if needed:
>>> * You know that NVD from NIST identifies the CVEs of public components;
>>> * You know that jackson-databind vulnerabilities are identified on NVD;
>>> * You know that vulnerability scan tools (such as Synopsys Blackduck or
>>> Snyk) rely on NVD as the Source of Truth.
>>>
>>> When I first contacted you, the vulnerabilities identified by NVD were not
>>> completely correct. There were a lot of CVEs that you had already fixed in
>>> jackson-databind:2.6.7.4.
>>> I also contacted NIST about this issue and they have already updated their
>>> database. Now they only identify 4 CVEs; check this link.
>>>
>>> I think that right now you just need to validate that the remaining CVEs
>>> are accurate, and if not, contact them too with further information.
Of 4 remaining CVEs, 3 do affect 2.6.7.4 (information is correct), but one has been fixed in 2.6.7.4:

* https://nvd.nist.gov/vuln/detail/CVE-2020-10673 / https://github.com/FasterXML/jackson-databind/issues/2660

I am not sure what the way is to indicate updated information, but I did update issue #2660 description to indicate that the fix was backported in 2.6 branch and released in 2.6.7.4.

-+ Tatu +-
