Skip to content

Jackson Release 2.6.7.x

Jump to bottom
Tatu Saloranta edited this page Oct 16, 2019 · 17 revisions

After last full version of 2.6, 2.6.7, was released branch was closed. However, following micro-patches have been released since.

Databind, 2.6.7.1 (11-Jul-2017)

An important security fix (see 1599 below) was backported into 2.6.x branch, resulting in patch version with following fixes:

  • #1383: Problem with @JsonCreator with 1-arg factory-method, implicit param names
  • #1599: Backport the extra safety checks for polymorphic deserialization

Databind, 2.6.7.2 (13-Nov-2018)

As per earlier cases, CVE-related backport(s):

  • #1737: Block more JDK types from polymorphic deserialization

Databind, 2.6.7.3 (16-Oct-2019)

Backported all CVE fixes up to 2.9.10

  • #1680: Block more JDK gadget types (com.sun.rowset)
  • #1855: Block more serialization gadgets (dbcp/tomcat, spring / CVE-2017-17485]
  • #1899: Another two gadgets to exploit default typing issue in jackson-databind (CVE-2018-5968)
  • #2032: Block one more gadget type (mybatis, CVE-2018-11307)
  • #2052: Block one more gadget type (jodd-db, CVE-2018-12022)
  • #2058: Block one more gadget type (oracle-jdbc, CVE-2018-12023)
  • #2097: Block more classes from polymorphic deserialization (CVE-2018-14718 - CVE-2018-14721)
  • #2186: Block more classes from polymorphic deserialization (CVE-2018-19360, CVE-2018-19361, CVE-2018-19362)
  • #2326: Block one more gadget type (mysql, CVE-2019-12086)
  • #2334: Block one more gadget type (logback, CVE-2019-12384)
  • #2341: Block yet another gadget type (jdom, CVE-2019-12814)
  • #2387: Block one more gadget type (ehcache, CVE-2019-14379)
  • #2389: Block one more gadget type (logback, CVE-2019-14439)
  • #2410: Block one more gadget type (HikariCP, CVE-2019-14540)
  • #2420: Block one more gadget type (cxf-jax-rs, no CVE allocated yet)
  • #2449: Block one more gadget type (HikariCP, CVE-2019-14439 / CVE-2019-16335)
  • #2462: Block two more gadget types (commons-configuration/-2)
  • #2478: Block two more gadget types (commons-dbcp, p6spy, CVE-2019-16942 / CVE-2019-16943)
  • #2498: Block one more gadget type (apache-log4j-extras/1.2, CVE-2019-17531)

Clone this wiki locally