On Wed, Jan 30, 2019 at 3:19 PM Penny Wells <penny.wells1...@gmail.com> wrote:
>
> We use jackson-databind 2.9.7 but cannot upgrade to 2.9.8 due to the
> CVE-2018-19362.
> I do see a bugfix applied into github for 2.9.8 but can't be sure as the CVE
> does not have this information.
> Can someone confirm for us that this CVE (CVE-2018-19362) is fixed in the
> latest jackson-databind 2.9.8 ?
> thanks, Penny, Oracle Corp.

I am a bit hurt by your distrust of actual developers' information, as opposed to some CVE tracker somewhere that has little idea of what goes into which release :-o

But, yes, fix to that CVE is in 2.9.8, as per official Release Notes:

https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.8

and linked to Github issue

https://github.com/FasterXML/jackson-databind/issues/2186

which are canonical definitions of where fixes go.

-+ Tatu +-

ps. Pox on security scan tools and their makers who make money by essentially spreading FUD and misinformation.