Thank you! I saw the thread; good that the status of issues now seems to be correct wrt 2.6.7.4.
-+ Tatu +-

On Thu, Feb 25, 2021 at 6:22 AM Mario Arzileiro <[email protected]> wrote:
> Hello Tatu,
> Thanks for the heads-up.
>
> I already followed up on the request for NIST by mentioning that thread in
> order to update it.
>
> Much appreciated,
> Mário
>
> On Tuesday, February 23, 2021 at 7:55:13 PM UTC Tatu Saloranta wrote:
>> On Tue, Feb 23, 2021 at 11:26 AM Tatu Saloranta <[email protected]> wrote:
>> >
>> > On Tue, Feb 23, 2021 at 11:14 AM Tatu Saloranta <[email protected]> wrote:
>> >>
>> >> On Tue, Feb 23, 2021 at 3:22 AM Mario Arzileiro <[email protected]> wrote:
>> >>>
>> >>> Hello,
>> >>>
>> >>> Sorry if I wasn't clear, let me just enumerate some assumptions; if
>> >>> any of this is not true, please let me know and we can clarify if needed:
>> >>> * You know that NVD from NIST identifies the CVEs of public components;
>> >>> * You know that jackson-databind vulnerabilities are identified on NVD;
>> >>> * You know that vulnerability scan tools (such as Synopsys Blackduck
>> >>>   or Snyk) rely on NVD as Source of Truth.
>> >>>
>> >>> When I first contacted you, the vulnerabilities identified by NVD
>> >>> were not completely correct. There were a lot of CVEs that you had already
>> >>> fixed on jackson-databind:2.6.7.4.
>> >>> I also contacted NIST about this issue and they already updated their
>> >>> database. Now, they only identify 4 CVEs; check this link.
>> >>>
>> >>> I think that right now, you just need to validate that the remaining
>> >>> CVEs are accurate, and if not, contact them too with further information.
>> >>
>> >> Of 4 remaining CVEs, 3 do affect 2.6.7.4 (information is correct), but
>> >> one has been fixed in 2.6.7.4:
>> >>
>> >> * https://nvd.nist.gov/vuln/detail/CVE-2020-10673 /
>> >>   https://github.com/FasterXML/jackson-databind/issues/2660
>> >>
>> >> I am not sure what the way is to indicate updated information, but I
>> >> did update issue #2660 description to indicate that the fix
>> >> was backported in 2.6 branch and released in 2.6.7.4.
>> >>
>> >> -+ Tatu +-
