Dear All,

Unfortunately there is no real fix for this in any of the Jackson releases, since the fix merged blacklists certain classes that should not be deserialized.
The blacklisting based fix is this https://github.com/FasterXML/jackson-databind/issues/1599 which is included here:

Is only included in
2.7.9.3<https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-databind/2.7.9.3> Central<https://mvnrepository.com/repos/central> 1<https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-databind/2.7.9.3/usages> (Feb, 2018)
2.7.9.2<https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-databind/2.7.9.2> Central<https://mvnrepository.com/repos/central> 6<https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-databind/2.7.9.2/usages> (Dec, 2017)
2.7.9.1<https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-databind/2.7.9.1>
and
2.8.11.1<https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-databind/2.8.11.1> Central<https://mvnrepository.com/repos/central> 13<https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-databind/2.8.11.1/usages> (Feb, 2018)
2.8.11<https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-databind/2.8.11> Central<https://mvnrepository.com/repos/central> 102<https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-databind/2.8.11/usages> (Dec, 2017)
2.8.10<https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-databind/2.8.10> Central<https://mvnrepository.com/repos/central> 541<https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-databind/2.8.10/usages> (Aug, 2017)
2.8.9<https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-databind/2.8.9> Central<https://mvnrepository.com/repos/central> 643<https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-databind/2.8.9/usages> (Jun, 2017)

2.9.X branch does not contain the fixes
https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.5

The fix in 2.8 branch
https://github.com/FasterXML/jackson-databind/commit/60d459cedcf079c6106ae7da2ac562bc32dcabe1
is missing from 2.9
https://github.com/FasterXML/jackson-databind/blob/2.9/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializer.java

I think there is no bulletproof solution for now.

Cheers
Denes

From: <[email protected]> on behalf of "[email protected]" <[email protected]>
Date: 2018. March 29., Thursday 2:34
To: "[email protected]" <[email protected]>
Cc: "[email protected]" <[email protected]>, "[email protected]" <[email protected]>
Subject: Re: [onap-discuss] [Onap-release] FYI - jackson-databind security fix 2.9.5

That's good news, Pam. Just let us know the result. We've been struggling with this issue for a long time as well.

Best wishes.
Guangrong

Original Mail
Sender: DRAGOSH,PAMELAL(PAM) <[email protected]>
To: [email protected] <[email protected]> onap-release <[email protected]>
Date: 2018/03/29 07:55
Subject: [Onap-release] FYI - jackson-databind security fix 2.9.5

_______________________________________________
Onap-release mailing list
[email protected]
https://lists.onap.org/mailman/listinfo/onap-release

For teams with CLM issues regarding 2.9.4 and lower, just 2 days ago they released this version:
https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.5

I am going to see if that clears my CLM issues for the policy projects. Wish me luck.

Pam
_______________________________________________
onap-discuss mailing list
[email protected]
https://lists.onap.org/mailman/listinfo/onap-discuss
