Skip to content

Jackson Release 2.6.7.x

Tatu Saloranta edited this page Oct 16, 2019 · 17 revisions

After last full version of 2.6, 2.6.7, was released branch was closed. However, following micro-patches have been released since.

Databind, 2.6.7.1 (11-Jul-2017)

An important security fix (see 1599 below) was backported into 2.6.x branch, resulting in patch version with following fixes:

  • #1383: Problem with @JsonCreator with 1-arg factory-method, implicit param names
  • #1599: Backport the extra safety checks for polymorphic deserialization

Databind, 2.6.7.2 (13-Nov-2018)

As per earlier cases, CVE-related backport(s):

  • #1737: Block more JDK types from polymorphic deserialization

Databind, 2.6.7.3 (16-Oct-2019)

Backported all CVE fixes up to 2.9.10

Clone this wiki locally