Quick announcement: Jackson 2.9 support (releasing new micro-patches) will
end on December 31, 2020. But before this, starting September 15, 2020, new
criteria will be used for the kinds of vulnerabilities that will be accepted
to be worked on (and for which CVE IDs will be allocated by the project).

This is outlined on the Wiki:

https://github.com/FasterXML/jackson/wiki/Jackson-Polymorphic-Deserialization-CVE-Criteria

but the basic idea is that we will only accept reports for "gadget" classes
in:

* JDK 8 (or later)
* Publicly available, "popular enough" libraries with 20 or more
dependencies from other libraries (as per https://mvnrepository.com)

These criteria are added since a few classes have been reported in libraries
that do not seem to be used by anything else; I think security researchers
are not scanning the full set of libraries and over time will find matches from
things no one uses, and there is no value in adding blocks in such cases.

-+ Tatu +-

-- 
You received this message because you are subscribed to the Google Groups 
"jackson-dev" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/jackson-dev/CAGrxA25dsxwCN5PfngmMhmiTNmAaX3_%2BHAUyNDPdbWRwEMx_xg%40mail.gmail.com.
