2018-03-30 5:14 GMT+02:00 song6...@gmail.com <song6...@gmail.com>:
> My team needs to fix CVE-2018-7489 in a few days and there are lots of code changes
> if we migrate to 2.5.x.
> Where can I find the release schedule plans for struts2?

Not sure what you mean by that? This vulnerability is only possible when you are using @JsonTypeInfo on Object (which means you are using a very broad pattern) or if you have enabled "default typing" in Jackson. Please read this article [1] for the full story.

[1] https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062

Regards
--
Łukasz
+ 48 606 323 122 http://www.lenart.org.pl/
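
The two conditions named in the reply, shown next to a constrained alternative. This is an added example, not part of the original message or of Struts or Jackson code; it assumes jackson-databind is on the classpath, and the class names (`TypingExposureCheck`, `LooseEnvelope`, `StrictEnvelope`, `Message`, `Ping`) and JSON inputs are constructed for illustration.

```java
import com.fasterxml.jackson.annotation.JsonSubTypes;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;

public class TypingExposureCheck {
    // Pattern 1 from the reply: class-name type id on a java.lang.Object property.
    public static class LooseEnvelope {
        @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS)
        public Object payload;
    }

    // Constrained alternative: logical type names and a closed list of subtypes.
    @JsonTypeInfo(use = JsonTypeInfo.Id.NAME, property = "kind")
    @JsonSubTypes({ @JsonSubTypes.Type(value = Ping.class, name = "ping") })
    public interface Message {}
    public static class Ping implements Message { public String id; }
    public static class StrictEnvelope { public Message payload; }

    public static void main(String[] args) throws Exception {
        // Pattern 2 from the reply would be mapper.enableDefaultTyping(); it is left off here.
        ObjectMapper mapper = new ObjectMapper();

        // Constructed input: the "@class" value in the JSON picks the Java class.
        String loose = "{\"payload\":{\"@class\":\"" + Ping.class.getName() + "\",\"id\":\"a\"}}";
        Object chosen = mapper.readValue(loose, LooseEnvelope.class).payload;
        System.out.println("loose envelope built: " + chosen.getClass().getName());

        // Constructed input: a known logical name maps to its registered subtype.
        String ok = "{\"payload\":{\"kind\":\"ping\",\"id\":\"a\"}}";
        System.out.println("strict envelope built: "
                + mapper.readValue(ok, StrictEnvelope.class).payload.getClass().getName());

        // Constructed input: a class name is not a registered type id, so it is rejected.
        String bad = "{\"payload\":{\"kind\":\"" + Ping.class.getName() + "\",\"id\":\"a\"}}";
        try {
            mapper.readValue(bad, StrictEnvelope.class);
            System.out.println("unexpected: class name accepted as type id");
        } catch (JsonMappingException e) {
            System.out.println("strict envelope rejected unregistered type id");
        }
    }
}
```

If a search of your code base finds neither class-name `@JsonTypeInfo` on `Object`-typed properties nor an `enableDefaultTyping()` call, the conditions described in the reply are not present.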