Control: clone 941530 -1
Control: retitle -1 jackson-databind: consider using a whitelist
Control: severity -1 wishlist
Hi,

On 02.10.19 at 09:43, Salvatore Bonaccorso wrote:
[...]
> Whilst I'm not yet sure if we should really release a further DSA for
> jackson-databind (we will come back to you on that), a possible idea
> for bullseye (might be better cloned/filed as new bug, but want to
> mention it here already):
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1731271
>
> Red Hat recently had fixed a CVE for codehaus. The approach they took
> there was, rather than continuing on the jackson-databind side (that is my
> interpretation), to start a whitelist approach on the applications
> side which use jackson-databind.
>
> This might be something to consider for bullseye as well for the
> reverse dependencies. Not sure if this is feasible in our case, but
> this might be worth investigating.

Good idea. Let's investigate this solution. I will track that in another
bug report.

Regards,

Markus
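The application-side whitelist the thread proposes, shown as an added example that is not part of the bug report, of Red Hat's fix, or of any Debian package: it uses the PolymorphicTypeValidator API that jackson-databind 2.10 and later ships, and assumes a hypothetical application package com.example with constructed Pet/Dog types. Only subtypes whose class name starts with the application's own package prefix may be instantiated from an "@class" type id; every other name is rejected before any object is created, which is what closes the gadget-class deserialization path the jackson-databind CVEs rely on.

```java
// Added example, not code from the bug report or from Red Hat's fix.
// Assumes jackson-databind >= 2.10 (BasicPolymorphicTypeValidator) and a
// hypothetical application living in package com.example.
package com.example;

import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class AllowlistExample {

    // Constructed application types; only this hierarchy is legitimate input.
    public static abstract class Pet {
        public String name;
    }

    public static class Dog extends Pet {
        public boolean goodBoy;
    }

    // The whitelist: a subtype named in "@class" is accepted only if its fully
    // qualified class name starts with the application's package prefix.
    // allowIfBaseType(...) is deliberately NOT used: if the base type matches,
    // Jackson skips the subtype check entirely, which would defeat the list.
    static PolymorphicTypeValidator allowlist() {
        return BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.")
                .build();
    }

    // Default typing is the feature the gadget CVEs abuse. If the application
    // needs it, it is enabled only together with the validator so that the
    // "@class" property cannot name arbitrary classes on the classpath.
    static ObjectMapper mapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(allowlist(),
                ObjectMapper.DefaultTyping.NON_FINAL,
                JsonTypeInfo.As.PROPERTY);
        return mapper;
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = mapper();

        // Constructed input naming an allowed subtype: deserializes normally.
        String allowed = "{\"@class\":\"com.example.AllowlistExample$Dog\","
                + "\"name\":\"Rex\",\"goodBoy\":true}";
        Dog dog = (Dog) mapper.readValue(allowed, Pet.class);
        System.out.println("accepted: " + dog.name + ", goodBoy=" + dog.goodBoy);

        // Constructed input naming a class outside the whitelist (placeholder
        // name, not a real gadget): rejected before any instance is created.
        String rejected = "{\"@class\":\"some.other.NotAllowedType\",\"name\":\"x\"}";
        try {
            mapper.readValue(rejected, Pet.class);
            System.out.println("BUG: type id outside the whitelist was accepted");
        } catch (JsonMappingException e) {
            // Jackson reports the disallowed type id here; log it, since a
            // rejected "@class" in production input is worth an alert.
            System.out.println("rejected: " + e.getOriginalMessage());
        }
    }
}
```

Two points matter when applying this to reverse dependencies: the prefix passed to allowIfSubType must be the application's own package, not a broad one such as "java." or "org.", and any ObjectMapper the application builds with enableDefaultTyping() (the pre-2.10 API, which takes no validator) has to be migrated, because that call still admits every class on the classpath.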