Two more c3p0 gadgets to exploit default typing issue [CVE-2018-7489] #1931 #1984

Closed
DKumars opened this issue Mar 26, 2018 · 6 comments

Comments

@DKumars

DKumars commented Mar 26, 2018

Hi Team,

As we are using jackson-databind 2.9.4 in our production system and we got one vulnerability in it,
"Two more c3p0 gadgets to exploit default typing issue [CVE-2018-7489] #1931", as mentioned in the #1931 tag. For this fix, please let us know when we can have a new release like 2.9.5 or a patch for this fix such as 2.9.4.1, and it's now very important for our product. Please help to share the new release date for this fix.
-Regards,
Dharmendra

@vdotjansen

If I interpret the #1972 (comment) from @cowtowncoder, I think it should be released this month.

@cowtowncoder
Member

@DKumars Please do not use issue tracker for asking questions. This is literally what mailing lists are for:

https://groups.google.com/forum/#!forum/jackson-user

(or jackson-dev)

As to 2.9.5, the release is starting now and all components should be available within the next 24 hours, excluding the Scala module (which takes longer as there's no active maintainer).

@DKumars
Author

DKumars commented Mar 28, 2018 via email

@vdotjansen

vdotjansen commented Mar 28, 2018

@DKumars Have you checked both the public Maven repositories and the releases button on GitHub?
Please be aware that Maven repository search engines (for example https://search.maven.org/ and https://mvnrepository.com/) are often delayed.

@DKumars
Author

DKumars commented Mar 28, 2018

It's visible at https://mvnrepository.com/ but not at https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-databind.
Anyway, thanks for your update.

@cowtowncoder
Member

Yes, Maven Central is where releases always go.

Announcements are done on Twitter (@fasterxml) and on mailing lists (https://groups.google.com/forum/#!forum/jackson-user and .../jackson-dev)
