Hello Tatu, Thanks for the heads-up. I already follow up on the request for NIST by mentioning that thread in order to update it.
Must appreciate, Mário On Tuesday, February 23, 2021 at 7:55:13 PM UTC Tatu Saloranta wrote: > On Tue, Feb 23, 2021 at 11:26 AM Tatu Saloranta <[email protected]> > wrote: > > > > On Tue, Feb 23, 2021 at 11:14 AM Tatu Saloranta <[email protected]> > wrote: > >> > >> On Tue, Feb 23, 2021 at 3:22 AM Mario Arzileiro <[email protected]> > wrote: > >>> > >>> Hello, > >>> > >>> Sorry if I wasn't clear, let me just enumerate some assumptions, if > any of this is not true, please let me know and we can clarify if needed: > >>> * You know what NVD from NIST identifies the CVEs of public components; > >>> * You know that jackson-databind vulnerabilities are identified on NVD; > >>> * You know that vulnerability scan tools (such as Synopsys Blackduck > or Snyk) rely on NVD as Source of Truth. > >>> > >>> When I first contacted you, the vulnerabilities identified by NVD were > not complete correct. There were a lot of CVEs that you already have fixed > on jackson-databind:2.6.7.4. > >>> I also contacted NIST about this issue and they already update their > database. Now, they only identify 4 CVEs check this link. > >>> > >>> I think that right know, you just need to validate that the remaining > CVEs are accurr, and if not, contact them too with further information. > > Of 4 remaining CVEs, 3 do affect 2.6.7.4 (information is correct), but > one has been fixed in 2.6.7.4: > > * https://nvd.nist.gov/vuln/detail/CVE-2020-10673 / > https://github.com/FasterXML/jackson-databind/issues/2660 > > I am not sure what the way is to indicate updated information, but I > did update issue #2660 description to indicate that the fix > was backported in 2.6 branch and released in 2.6.7.4. > > -+ Tatu +- > -- The content of this email is confidential and intended for the recipient specified in message only. It is strictly prohibited to share any part of this message with any third party, without a written consent of the sender. If you received this message by mistake, please reply to this message and follow with its deletion, so that we can ensure such a mistake does not occur in the future. -- You received this message because you are subscribed to the Google Groups "jackson-user" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/jackson-user/856412d8-edac-4a47-b7f1-e3ccfe29ea71n%40googlegroups.com.
