RMB-504: Jackson-* version 2.10.0, fixes jackson-databind security. #549

julianladisch · 2019-11-05T11:54:52Z

Three serialization gadget (= polymorphic typing) security vulnerability issues have been reported against jackson-databind versions before 2.9.10.1:

jackson-databind 2.9.10.1 (released 2019-10-20) fixes

See also

…ties. Three serialization gadget (= polymorphic typing) security vulnerability issues have been reported against jackson-databind versions before 2.9.10.1: jackson-databind 2.9.10.1 (released 2019-10-20) fixes * commons-dbcp, p6spy ([CVE-2019-16942|https://nvd.nist.gov/vuln/detail/CVE-2019-16942] / [CVE-2019-16943|https://nvd.nist.gov/vuln/detail/CVE-2019-16943] = [jackson-databind #2478|FasterXML/jackson-databind#2478]) * log4j-extras/1.2 ([CVE-2019-17531|https://nvd.nist.gov/vuln/detail/CVE-2019-17531] = [jackson-databind #2498|FasterXML/jackson-databind#2498]) jackson-databind [2.9.10.2|https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9#micro-patches] (not yet released) fixes * ehcache/JNDI (CVEs to be allocated = [jackson-databind #2526|FasterXML/jackson-databind#2526]) See also * [On Jackson CVEs: Don't Panic — Here is what you need to know|https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062] * [Jackson 2.10 features (esp "Safe Default Typing" to vanquish stream of CVE patches!)|https://medium.com/@cowtowncoder/jackson-2-10-features-cd880674d8a2]

julianladisch requested review from adamdickmeiss, evaluk and hjiebsco November 5, 2019 11:55

adamdickmeiss approved these changes Nov 5, 2019

View reviewed changes

Merge branch 'master' into RMB-504-jackson-2.10.0

1085b2a

julianladisch merged commit b519181 into master Nov 5, 2019

julianladisch deleted the RMB-504-jackson-2.10.0 branch November 5, 2019 22:29

Provide feedback