Commit b471e77

Merge branch '2.9' into 2.10
2 parents f0430de + 716f3f9 commit b471e77

1 file changed

+6
-6
lines changed

release-notes/VERSION-2.x

Lines changed: 6 additions & 6 deletions
@@ -405,7 +405,7 @@ Project: jackson-databind
405405
(reported by Alexander S)
406406
#1854: NPE deserializing collection with `@JsonCreator` and `ACCEPT_CASE_INSENSITIVE_PROPERTIES`
407407
(reported by rue-jw@github)
408-
#1855: Blacklist for more serialization gadgets (dbcp/tomcat, spring)
408+
#1855: Blacklist for more serialization gadgets (dbcp/tomcat, spring, CVE-2017-17485)
409409
#1859: Issue handling unknown/unmapped Enum keys
410410
(reported by remya11@github)
411411
#1868: Class name handling for JDK unmodifiable Collection types changed
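Review bot: On the new line 408 the CVE id sits inside the parenthesised gadget list, so `(dbcp/tomcat, spring, CVE-2017-17485)` reads as if the CVE were a third gadget source. Consider closing the list first and giving the id its own slot, for example `(dbcp/tomcat, spring) (CVE-2017-17485)`, and using that one form for every entry this commit touches.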
@@ -616,9 +616,9 @@ Project: jackson-databind
616616
#1872: `NullPointerException` in `SubTypeValidator.validateSubType` when
617617
validating Spring interface
618618
(reported by Rob W)
619-
#1899: Another two gadgets to exploit default typing issue in jackson-databind
619+
#1899: Another two gadgets to exploit default typing issue (CVE-2018-5968)
620620
(reported by OneSourceCat@github)
621-
#1931: Two more `c3p0` gadgets to exploit default typing issue
621+
#1931: Two more `c3p0` gadgets to exploit default typing issue (c3p0, CVE-2018-7489)
622622
623623
2.8.11 (24-Dec-2017)
624624
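Review bot: On the new line 621, `(c3p0, CVE-2018-7489)` repeats `c3p0`, which the title already names, while the #1899 line just above it uses a bare `(CVE-2018-5968)`. Dropping the extra `c3p0` would make the two adjacent entries match. The #1899 rewrite also removes the words "in jackson-databind" from the title; if that is not just to keep the line short, it is an unrelated wording change in a commit that otherwise only tags CVEs.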
@@ -632,7 +632,7 @@ Project: jackson-databind
632632
(reported by henryptung@github)
633633
#1807: Jackson-databind caches plain map deserializer and use it even map has `@JsonDeserializer`
634634
(reported by lexas2509@github)
635-
#1855: Blacklist for more serialization gadgets (dbcp/tomcat, spring)
635+
#1855: Blacklist for more serialization gadgets (dbcp/tomcat, spring / CVE-2017-17485)
636636

637637
2.8.10 (24-Aug-2017)
638638
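Review bot: The new line 635 writes `spring / CVE-2017-17485`, but the entry for the same issue #1855 at line 408 uses `spring, CVE-2017-17485`. Both entries describe one fix and should carry identical text, so that a reader comparing the 2.8.11 section with the later one sees the same wording.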

@@ -648,7 +648,7 @@ Project: jackson-databind
648648
binary formats (CBOR, Smile)
649649
#1735: Missing type checks when using polymorphic type ids
650650
(reported by Lukas Euler)
651-
#1737: Block more JDK types from polymorphic deserialization
651+
#1737: Block more JDK types from polymorphic deserialization (CVE 2017-15095)
652652

653653
2.8.9 (12-Jun-2017)
654654
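Review bot: The new line 651 writes the id as `CVE 2017-15095`, with a space after "CVE", while every other id added in this commit uses the hyphenated form. A text search for `CVE-2017-15095` will not find this entry, so change it to `(CVE-2017-15095)`.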

@@ -673,7 +673,7 @@ Project: jackson-databind
673673
#1585: Invoke ServiceLoader.load() inside of a privileged block when loading
674674
modules using `ObjectMapper.findModules()`
675675
(contributed by Ivo S)
676-
#1599: Jackson Deserializer security vulnerability
676+
#1599: Jackson Deserializer security vulnerability (CVE-2017-7525)
677677
(reported by ayound@github)
678678
#1607: @JsonIdentityReference not used when setup on class only
679679
(reported by vboulaye@github)
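Review bot: With the CVE id attached on line 676, the title "Jackson Deserializer security vulnerability" is still the only description a reader of the release notes gets for #1599, and it does not say which feature or configuration is affected. The other security entries touched by this commit name the mechanism (polymorphic deserialization, default typing gadgets); a few words to the same effect here would help users decide whether they need the upgrade.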
