author    Tatu Saloranta <tatu.saloranta@iki.fi>  2020-04-30 18:16:04 -0700
committer Tatu Saloranta <tatu.saloranta@iki.fi>  2020-04-30 18:16:04 -0700
commit    eb0326046ed214cb7f7aa83c956b1d7d37cb0448
tree      64181f13ede205662d8b957109c0ee67be3b2702 /release-notes
parent    f9ce7f42f746c4448adeefeffde7074fd8368a38
parent    fe2dda780df3f29f44b7c347b3910132e538e32f
Merge branch '2.11' into 2.12
Diffstat (limited to 'release-notes')
-rw-r--r--  release-notes/VERSION-2.x  12
1 file changed, 6 insertions, 6 deletions
diff --git a/release-notes/VERSION-2.x b/release-notes/VERSION-2.x
index 0d6bc3eba..6a82bf8a6 100644
--- a/release-notes/VERSION-2.x
+++ b/release-notes/VERSION-2.x
@@ -475,7 +475,7 @@ Project: jackson-databind
(reported by Alexander S)
#1854: NPE deserializing collection with `@JsonCreator` and `ACCEPT_CASE_INSENSITIVE_PROPERTIES`
(reported by rue-jw@github)
-#1855: Blacklist for more serialization gadgets (dbcp/tomcat, spring)
+#1855: Blacklist for more serialization gadgets (dbcp/tomcat, spring, CVE-2017-17485)
#1859: Issue handling unknown/unmapped Enum keys
(reported by remya11@github)
#1868: Class name handling for JDK unmodifiable Collection types changed
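Review bot: the annotation for #1855 is written differently here and in the `@@ -702,7` hunk further down, even though both lines describe the same fix: here the CVE is a third comma-separated item, `(dbcp/tomcat, spring, CVE-2017-17485)`, there it is slash-separated, `(dbcp/tomcat, spring / CVE-2017-17485)`. Pick one form that keeps the CVE visually apart from the gadget list, e.g. `(dbcp/tomcat, spring; CVE-2017-17485)`, and use it for both entries so a search for the issue or the CVE yields one consistent note.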
@@ -686,9 +686,9 @@ Project: jackson-databind
#1872: `NullPointerException` in `SubTypeValidator.validateSubType` when
validating Spring interface
(reported by Rob W)
-#1899: Another two gadgets to exploit default typing issue in jackson-databind
+#1899: Another two gadgets to exploit default typing issue (CVE-2018-5968)
(reported by OneSourceCat@github)
-#1931: Two more `c3p0` gadgets to exploit default typing issue
+#1931: Two more `c3p0` gadgets to exploit default typing issue (c3p0, CVE-2018-7489)
2.8.11 (24-Dec-2017)
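Review bot: the new #1931 line, `(c3p0, CVE-2018-7489)`, repeats `c3p0`, which the entry title already names; `(CVE-2018-7489)` would match the `(CVE-2018-5968)` suffix on the neighbouring #1899 line and the other annotations in this file. Dropping `in jackson-databind` from the #1899 title is fine, since the section is already headed `Project: jackson-databind`.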
@@ -702,7 +702,7 @@ Project: jackson-databind
(reported by henryptung@github)
#1807: Jackson-databind caches plain map deserializer and use it even map has `@JsonDeserializer`
(reported by lexas2509@github)
-#1855: Blacklist for more serialization gadgets (dbcp/tomcat, spring)
+#1855: Blacklist for more serialization gadgets (dbcp/tomcat, spring / CVE-2017-17485)
2.8.10 (24-Aug-2017)
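Review bot: `spring / CVE-2017-17485` uses a slash where the same #1855 entry in the `@@ -475,7` hunk above uses a comma; this is the 2.8.11 backport of the identical fix, so the two lines should be character-for-character the same. Whichever separator is chosen, apply it to both.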
@@ -718,7 +718,7 @@ Project: jackson-databind
binary formats (CBOR, Smile)
#1735: Missing type checks when using polymorphic type ids
(reported by Lukas Euler)
-#1737: Block more JDK types from polymorphic deserialization
+#1737: Block more JDK types from polymorphic deserialization (CVE 2017-15095)
2.8.9 (12-Jun-2017)
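Review bot: `(CVE 2017-15095)` is missing the hyphen after `CVE`; every other annotation in this patch uses the canonical `CVE-YYYY-NNNN` form, and anything that greps release notes for the standard identifier pattern will miss this entry. Suggest `(CVE-2017-15095)`.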
@@ -743,7 +743,7 @@ Project: jackson-databind
#1585: Invoke ServiceLoader.load() inside of a privileged block when loading
modules using `ObjectMapper.findModules()`
(contributed by Ivo S)
-#1599: Jackson Deserializer security vulnerability
+#1599: Jackson Deserializer security vulnerability (CVE-2017-7525)
(reported by ayound@github)
#1607: @JsonIdentityReference not used when setup on class only
(reported by vboulaye@github)