On Sun, Aug 4, 2019 at 6:36 PM Mark Derricutt <[email protected]> wrote: > > On 4 Jul 2019, at 2:42, Tatu Saloranta wrote: > > As per title, `2.9.9.1` of `jackson-databind` was released (ahead of > full `2.9.10` that will take longer), and contains fixes to 2 CVEs (of > polymorphic deser variety, see > > Tatu, > > I don't see an announcement of 2.9.9.2 of jackson-databind in the forum, but > I noticed when I resolved against it, I found an issue relating to the jdk8 > module. > > I've pushed a test project to > https://github.com/talios/broken-jackson-databind > > When I drop the jackson databank down to 2.9.9.1 - both tests pass. With > 2.9.9.2 only the test not using the Jdk8 module works. > > Hopefully this is a simple issue and a 2.9.9.3 can be rolled before 2.9.10?
Yes, this unfortunate regression was reported for 2.9.9.2, fixed in 2.9.9.3 and will be in 2.9.10 as well. Another minor glitch is that the first `jackson-bom` I released after 2.9.9.3 did not update reference, so there's another one that should be used: http://repo1.maven.org/maven2/com/fasterxml/jackson/jackson-bom/2.9.9.20190807/ -+ Tatu +- -- You received this message because you are subscribed to the Google Groups "jackson-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/jackson-dev/CAL4a10hYikPDYDF-Wd9sV_xzncZVyGEjMPUCeCCECiHHwarPiA%40mail.gmail.com.
