Ok, here is something that I think would be of interest to many of you: there is a new report covering the recently completed security audit of Jackson core components by AdaLogics, under the OSTIF effort:

https://ostif.org/our-audits-of-jackson-core-and-jackson-databind-are-complete/

The report itself can be found under the main Jackson repo, linked to from the main README.md as well as SECURITY.md:

https://github.com/FasterXML/jackson/blob/master/docs/AdaLogics-Security-Audit-Jackson-2022.pdf

I know that the stream of CVEs reported against Jackson has been frustrating for everybody, myself included. But one big reason for the increase that I haven't talked about (due to things being in-progress) has been this effort, which has systematically searched for various edge conditions. And while I don't always (... or often maybe :) ) agree with severity assignments, or even, sometimes, that there is a true vulnerability, I think it is great that we get everything -- even somewhat hypothetical issues -- reported and can fix them, just to be safe.

Put another way: we have made big progress resolving all kinds of issues that many libraries have, but that are not (yet!) known. Security and safety are big concerns for the project, similar to how they are big concerns for many users (especially bigger corporations). So this research is useful, especially for the long term.

Anyway; I think the report is worth reading for anyone interested in Java library security and its challenges in general, or Jackson security aspects in particular.

-+ Tatu +-

ps. Jackson 2.14.0 to be released over the upcoming weekend! Please send us any concerns wrt 2.14.0-rc3.