Jackson 2.9.10 is now out (with jackson-module-scala 2.9.9 to be released soon) and includes the following fixes:

https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.10

most of which are polymorphic deserialization related CVEs (see https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 for background).

Upgrade is recommended from earlier 2.9.x patch releases since many security tools will flag earlier versions as having vulnerabilities: otherwise the number of fixes is low.

This will very likely be the last full 2.9.x release; it is possible that micro-patch releases (2.9.10.1, 2.9.10.2 etc.) may be made in the future for `jackson-databind` and other components for critical fixes. But the focus otherwise is to get 2.10.0 released: the hope is to get that release out within the next 10 days, before the end of September 2019.

-+ Tatu +-