So, the full list of fixes found from: https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.8
With 15 fixes, including one for "polymorphic default typing" CVE (databind#2186), and another for potential DoS attacks (java-8-datatypes#90 / core#488), upgrade at least from previous 2.9.x is strongly recommended. CVE fix has been backported in 2.8.11.3 and 2.7.9.5 as well.

I am hoping to finally slow down 2.9.x development (was to happen with 2.9.7 already :) ), and focus on getting 2.10.0 out -- that may take until early 2019, but is in progress.

Another Wiki page that may be useful for anyone interested in daily work is:

https://github.com/FasterXML/jackson-future-ideas/wiki/Jackson-Work-in-Progress

which I try to keep up-to-date regarding what I work on; given that number of GitHub issues, tagging there, can't quite scale.

There is also a Gitter group at:

https://gitter.im/FasterXML/jackson-databind

where I try to be present every now and then.

-+ Tatu +-
