From 06a67f73d8e81b309c2cd27ea3fed672b97ec9c2 Mon Sep 17 00:00:00 2001 From: Tatu Saloranta Date: Sun, 26 Apr 2020 09:51:00 -0700 Subject: update release notes --- release-notes/VERSION-2.x | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'release-notes') diff --git a/release-notes/VERSION-2.x b/release-notes/VERSION-2.x index 558ef5bb4..bcf076409 100644 --- a/release-notes/VERSION-2.x +++ b/release-notes/VERSION-2.x @@ -229,7 +229,7 @@ Project: jackson-databind (reported by Alexander S) #1854: NPE deserializing collection with `@JsonCreator` and `ACCEPT_CASE_INSENSITIVE_PROPERTIES` (reported by rue-jw@github) -#1855: Blacklist for more serialization gadgets (dbcp/tomcat, spring) +#1855: Blacklist for more serialization gadgets (dbcp/tomcat, spring, CVE-2017-17485) #1859: Issue handling unknown/unmapped Enum keys (reported by remya11@github) #1868: Class name handling for JDK unmodifiable Collection types changed -- cgit v1.2.3 From 2bb2e2927fde0c83fcb2a0fd2f88f554d4c94bf9 Mon Sep 17 00:00:00 2001 From: Tatu Saloranta Date: Sun, 26 Apr 2020 09:52:04 -0700 Subject: update 2.8 release notes --- release-notes/VERSION | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'release-notes') diff --git a/release-notes/VERSION b/release-notes/VERSION index c4f1ac9f1..ad985ba3b 100644 --- a/release-notes/VERSION +++ b/release-notes/VERSION @@ -77,7 +77,7 @@ Project: jackson-databind (reported by henryptung@github) #1807: Jackson-databind caches plain map deserializer and use it even map has `@JsonDeserializer` (reported by lexas2509@github) -#1855: Blacklist for more serialization gadgets (dbcp/tomcat, spring) +#1855: Blacklist for more serialization gadgets (dbcp/tomcat, spring / CVE-2017-17485) 2.8.10 (24-Aug-2017) -- cgit v1.2.3 From 7a5f3f9112f673fac3c742a9a29c6c137201955f Mon Sep 17 00:00:00 2001 
From: Tatu Saloranta Date: Sun, 26 Apr 2020 09:55:05 -0700 Subject: add cve id for 2.8 release notes wrt #1737 fix --- release-notes/VERSION | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'release-notes') diff --git a/release-notes/VERSION b/release-notes/VERSION index ad985ba3b..e1d75525f 100644 --- a/release-notes/VERSION +++ b/release-notes/VERSION @@ -91,7 +91,7 @@ Project: jackson-databind #1711: Delegating creator fails to work for binary data (`byte[]`) with binary formats (CBOR, Smile) #1735: Missing type checks when using polymorphic type ids -#1737: Block more JDK types from polymorphic deserialization +#1737: Block more JDK types from polymorphic deserialization (CVE 2017-15095) 2.8.9 (12-Jun-2017) -- cgit v1.2.3 From ff427dd21d4809e3c1f75b48ee3a4f1e2caf3d84 Mon Sep 17 00:00:00 2001 From: Tatu Saloranta Date: Sun, 26 Apr 2020 10:05:16 -0700 Subject: Update CVE id for #1599 in 2.8 release notes --- release-notes/VERSION | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'release-notes') diff --git a/release-notes/VERSION b/release-notes/VERSION index e1d75525f..52c641028 100644 --- a/release-notes/VERSION +++ b/release-notes/VERSION @@ -116,7 +116,7 @@ Project: jackson-databind #1585: Invoke ServiceLoader.load() inside of a privileged block when loading modules using `ObjectMapper.findModules()` (contributed by Ivo S) -#1599: Jackson Deserializer security vulnerability +#1599: Jackson Deserializer security vulnerability (CVE-2017-7525) (reported by ayound@github) #1607: @JsonIdentityReference not used when setup on class only (reported by vboulaye@github) -- cgit v1.2.3 From f9a9122f78d145084b3f2dc2cd982f2ed3cbd199 Mon Sep 17 00:00:00 2001 From: Tatu Saloranta Date: Sun, 26 Apr 2020 10:09:34 -0700 Subject: Yet more 2.8 release note updates --- release-notes/VERSION | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'release-notes') 
diff --git a/release-notes/VERSION b/release-notes/VERSION index 52c641028..5f8a75b4e 100644 --- a/release-notes/VERSION +++ b/release-notes/VERSION @@ -61,9 +61,9 @@ Project: jackson-databind #1872: `NullPointerException` in `SubTypeValidator.validateSubType` when validating Spring interface (reported by Rob W) -#1899: Another two gadgets to exploit default typing issue in jackson-databind +#1899: Another two gadgets to exploit default typing issue (CVE-2018-5968) (reported by OneSourceCat@github) -#1931: Two more `c3p0` gadgets to exploit default typing issue +#1931: Two more `c3p0` gadgets to exploit default typing issue (c3p0, CVE-2018-7489) 2.8.11 (24-Dec-2017) -- cgit v1.2.3
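Review bot: In the first hunk (release-notes/VERSION-2.x, commit 06a67f73, entry #1855) the CVE is appended as a plain list item, "(dbcp/tomcat, spring, CVE-2017-17485)", which reads as if the CVE were a third gadget source alongside dbcp/tomcat and spring; the other entries in this series put the CVE in its own parenthetical or separate it with a slash. Consider "(dbcp/tomcat, spring) (CVE-2017-17485)" or the "spring / CVE-2017-17485" form used for the same entry in release-notes/VERSION so the two files agree.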
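Review bot: In the second hunk (release-notes/VERSION, commit 2bb2e292, entry #1855) the same line is edited to "(dbcp/tomcat, spring / CVE-2017-17485)", which differs from the "(dbcp/tomcat, spring, CVE-2017-17485)" form committed one minute earlier to release-notes/VERSION-2.x. Pick one form for this entry and apply it to both files, since anyone grepping release notes for the CVE id will otherwise see two spellings of the same line.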
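Review bot: In the third hunk (release-notes/VERSION, commit 7a5f3f91, entry #1737) the id is written "(CVE 2017-15095)" with a space instead of the hyphen; every other id in this series uses the canonical "CVE-YYYY-NNNN" form (CVE-2017-17485, CVE-2017-7525, CVE-2018-5968, CVE-2018-7489). Change it to "(CVE-2017-15095)" so exact-string searches for the id match this line.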
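Review bot: In the fourth hunk (release-notes/VERSION, commit ff427dd2, entry #1599) the entry title "Jackson Deserializer security vulnerability" still says nothing about what the issue is, whereas the neighbouring CVE entries #1899 and #1931 in the same file name the affected mechanism ("default typing issue"). While touching the line to add "(CVE-2017-7525)", consider giving it a title that names the mechanism in the same way, so a reader scanning the 2.8.x notes can tell which feature the fix concerns without opening the issue.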
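Review bot: In the fifth hunk (release-notes/VERSION, commit f9a9122f) the #1931 line becomes "Two more `c3p0` gadgets to exploit default typing issue (c3p0, CVE-2018-7489)", which repeats "c3p0" from the entry title inside the parenthetical; "(CVE-2018-7489)" alone is enough and matches the form used for #1899 two lines above. The #1899 change drops "in jackson-databind" from the title to make room for the CVE id, which is fine since the whole file is scoped to this project by the "Project: jackson-databind" header visible in the hunk context.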