-
-
Notifications
You must be signed in to change notification settings - Fork 1.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Security vulnerability DSA-4004-1 for CVE-2017-7525, in which release is it fixed #1837
Comments
Please have a look at issue #1599, if that might be what you are looking for. I think for |
Fixes the following security issue: FasterXML/jackson-databind#1599 FasterXML/jackson-databind#1837 Also include other jackson libraries in the target platform instead of embedding them via Bundle-ClassPath.
hi , |
@DKumars As per other issue, upgrade to a later version (2.8.11 or 2.9.4). Project does not have resources to backport fixes to older, closed branches. |
Tried with jackson-databind 2.9.4 version for that upgraded scala minor version to 11.
|
@poverma that sounds like a possible problem with |
Hi Tatu,
The new vulnerability is occurred
#1931. As we are using
jackson-databind v2.9.4 in production which is threat to system but when we
can expect 2.9.4.1 fix for this vulnerabilty.
Please confirm us.
…-Regards,
Dharmendra
On Wed, Jan 31, 2018 at 10:10 PM, Tatu Saloranta ***@***.***> wrote:
@DKumars <https://github.com/dkumars> As per other issue, upgrade to a
later version. Project does not have resources to backport fixes to older,
closed branches.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#1837 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AEamLuyEJCljltL1q4gaPhz5mjzsfmrkks5tQJdwgaJpZM4QoZDa>
.
--
-regards,
Dharmendra
|
Hi,
which release of fasterxml.jackson-databind has fixed the following security vulnerability ?
Best regards
Details:
Debian Security Advisory DSA-4037-1 [email protected]
https://www.debian.org/security/ Sebastien Delafond
November 16, 2017 https://www.debian.org/security/faq
Package : jackson-databind
CVE ID : CVE-2017-15095
It was discovered that jackson-databind, a Java library used to parse JSON and other data formats, improperly validated user input prior to deserializing: following DSA-4004-1 for CVE-2017-7525, an additional set of classes was identified as unsafe for deserialization.
For the old stable distribution (jessie), this problem has been fixed in version 2.4.2-2+deb8u2.
For the stable distribution (stretch), this problem has been fixed in version 2.8.6-1+deb9u2.
The text was updated successfully, but these errors were encountered: