-
-
Notifications
You must be signed in to change notification settings - Fork 1.2k
Jackson Release 2.6.7.x
Tatu Saloranta edited this page Oct 16, 2019
·
17 revisions
After last full version of 2.6, 2.6.7, was released branch was closed. However, following micro-patches have been released since.
An important security fix (see 1599
below) was backported into 2.6.x branch, resulting in patch version with following fixes:
-
#1383: Problem with
@JsonCreator
with 1-arg factory-method, implicit param names - #1599: Backport the extra safety checks for polymorphic deserialization
As per earlier cases, CVE-related backport(s):
- #1737: Block more JDK types from polymorphic deserialization
Backported all CVE fixes up to 2.9.10