On Fri, Feb 19, 2021 at 7:48 AM Mario Arzileiro <mario.arzile...@feedzai.com>
wrote:

> Hi,
>
> I was checking the information that we have available for
> jackson-databind:2.6.7.4 on NIST NVD and it is showing Vulnerabilities
> (CVEs) that are already fixed.
>
> Link for jackson-databind:2.6.7.4:
> https://nvd.nist.gov/products/cpe/detail/844569
> Link for the vulnerabilities list:
> https://nvd.nist.gov/vuln/search/results?adv_search=true&query=cpe%3A2.3%3Aa%3Afasterxml%3Ajackson-databind%3A2.6.7.4%3A*%3A*%3A*%3A*%3A*%3A*%3A*
>
> List of vulnerabilities fixed and the corresponding fixed version:
>
> CVE             | Fixed version
> CVE-2018-11307  | 2.6.7.3
> CVE-2019-16942  | 2.6.7.3
> CVE-2020-9547   | 2.6.7.4
> CVE-2019-20330  | 2.6.7.4
> CVE-2020-8840   | 2.6.7.4
> CVE-2020-9546   | 2.6.7.4
> CVE-2020-9548   | 2.6.7.4
> CVE-2019-16335  | 2.6.7.3
> CVE-2017-15095  | 2.6.7.2
> CVE-2019-14893  | 2.6.7.3
> CVE-2019-17267  | 2.6.7.3
> CVE-2019-14540  | 2.6.7.3
> CVE-2020-11111  | 2.6.7.4
> CVE-2020-11113  | 2.6.7.4
> CVE-2020-10672  | 2.6.7.4
> CVE-2020-10969  | 2.6.7.4
> CVE-2020-10968  | 2.6.7.4
> CVE-2020-10673  | 2.6.7.4
> CVE-2020-11112  | 2.6.7.4
> CVE-2020-14060  | 2.6.7.4
> CVE-2020-11620  | 2.6.7.4
> CVE-2020-24616  | 2.6.7.4
> CVE-2020-14195  | 2.6.7.4
> CVE-2020-11619  | 2.6.7.4
> CVE-2020-24750  | 2.6.7.4
> CVE-2020-14061  | 2.6.7.4
> CVE-2020-14062  | 2.6.7.4
>
> Please let me know if you are aware of it, and when you are expecting to
> have this fixed.
>
>
I am not quite sure what the question here is.

What is not fixed, where? According to whom? Since most CVEs are against
jackson-databind, you can see the issue tracker here:

https://github.com/FasterXML/jackson-databind/issues/

and either search for "cve" (usually mentioned in the title), or label
"cve".

Release notes under

https://github.com/FasterXML/jackson-databind/blob/master/release-notes/VERSION-2.x

contain updates too, although if you are interested in branch 2.6, you'll
have to check that branch (under 'release-notes/2.6').
Note, however, that branch 2.6 is not maintained and it is unlikely
anything would be fixed or released for that branch, beyond what has been
backported by community members (Amazon OSS folks have been helpful with
that).

-+ Tatu +-


> Best regards,
>
> --
> You received this message because you are subscribed to the Google Groups
> "jackson-user" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to jackson-user+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/jackson-user/2fb7c750-4f62-4154-a753-808e79c64a7an%40googlegroups.com
>
