For what it is worth, I went and backported all known CVE-related patches that were missing from 1.9 (some had been merged earlier). Maven build is still something that is missing; I suspect some kind folks at Red Hat and Atlassian have something since they have managed to publish forked versions (this may or may not be done by Maven build: I'm sure Nexus allows some form of direct import too).
-+ Tatu +- On Mon, Dec 18, 2017 at 12:52 PM, Gareth Smith <[email protected]> wrote: > Hi all, > > We currently include Jackson 1.x in one of our products and are interested > in having an official release of the 1.x stream (1.9.14) that includes the > patches from the 2.x stream to address CVE-2017-7525 & CVE-2017-15095. > Currently we've back-ported the 2.x commits to a local copy of the code and > build & bundle that, but we'd like to see that committed back to the repo > and released if possible. > > I understand that there are issues with the build process that are currently > blocking a further 1.x release: Do others have interest in seeing a 1.9.14 > release? We can provide some time and effort to try to get a release process > working again if there are people will to help us and explain what the > issues are and what needs to be resolved to make it happen. > > Thanks in advance, > Gareth > > -------------------- > > Note: The information contained in this message may be privileged and > confidential and protected from disclosure. If the reader of this message is > not the intended recipient, or an employee or agent responsible for > delivering this message to the intended recipient, you are hereby notified > that any dissemination, distribution or copying of this communication is > strictly prohibited. If you have received this communication in error, > please notify us immediately by replying to the message and deleting it from > your computer. Thank you. CafeX Communications. > > > -- > You received this message because you are subscribed to the Google Groups > "jackson-dev" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > For more options, visit https://groups.google.com/d/optout. -- You received this message because you are subscribed to the Google Groups "jackson-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
