After collecting CVE reports for polymorphic deserialization for a while (about 1-2 per week), I finally decided to cut one more, possibly final, micro-patch of `jackson-databind` 2.9. The release should be available via Maven Central about now.

Once 2.11.0 is released, the 2.9 branch will be closed for good and no more patches will be accepted (earlier branches are already closed), so now would be a good time to start preparing for an upgrade to 2.10 (or 2.11). The micro-patch can be referenced directly via jackson-databind version 2.9.10.4 or, preferably, by using `jackson-bom` version 2.9.10.20200411, which has a compatible set of the latest Jackson 2.9.x components (most are 2.9.10; databind and kotlin have micro-patches). The full set of issues fixed can be found at: https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9 but essentially it is all about the Polymorphic Deserialization class reject list, as per: https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062

-+ Tatu +-
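The post's point about the 2.9 reject list and its advice to move to 2.10 suggest the following added example (not Tatu's code and not part of the original message): in Jackson 2.10, default typing can only be activated together with a PolymorphicTypeValidator, so an application can replace reliance on the databind reject list with an explicit allow list of its own types. The Shape/Circle/Square classes and the sample JSON are constructed for illustration.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class SafePolymorphicDeserialization {

    // Constructed application types: the only classes a type id in untrusted JSON may resolve to.
    public interface Shape {}
    public static class Circle implements Shape { public double radius; }
    public static class Square implements Shape { public double side; }

    /** Mapper whose class-name type ids may only resolve to subtypes of Shape. */
    static ObjectMapper safeMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(Shape.class) // explicit allow list instead of the 2.9 reject list
                .build();
        ObjectMapper mapper = new ObjectMapper();
        // Default typing (type id = fully qualified class name) is the feature the 2.9
        // reject list guarded; since 2.10 it cannot be activated without a validator.
        // Declaring subtypes by logical name (@JsonTypeInfo(use = Id.NAME) + @JsonSubTypes)
        // avoids class-name type ids altogether and is preferable where the model allows it.
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = safeMapper();

        // Constructed sample: a type id naming an allowed subtype deserializes normally.
        String allowed = "[\"" + Circle.class.getName() + "\", {\"radius\": 2.0}]";
        Shape shape = mapper.readValue(allowed, Shape.class);
        System.out.println("accepted: " + shape.getClass().getSimpleName());

        // Constructed sample: a type id outside the allow list (a harmless JDK class here)
        // is refused by the validator before any instance is created.
        String denied = "[\"java.util.HashMap\", {}]";
        try {
            mapper.readValue(denied, Shape.class);
        } catch (InvalidTypeIdException e) {
            System.out.println("rejected type id: " + e.getTypeId());
        }
    }
}
```

Logging the rejected type id, as the catch block does, gives a cheap detection signal for deserialization attempts that the allow list blocked.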
