Bug#980816: Clarify requirement for safe default typing?

Moritz Muehlenhoff jmm at debian.org
Fri Jan 22 20:03:41 GMT 2021


Source: jackson-databind
Severity: important
X-Debbugs-Cc: carnil at debian.org, apo at debian.org

Starting with 2.10 (and thus in Bullseye) upstream makes safe default
typing required, the absence is no longer considered a security issue,
see e.g. here:

https://github.com/FasterXML/jackson-databind/issues/2798
| Not considered valid CVE for Jackson 2.10.0 and later (see
| https://medium.com/@cowtowncoder/jackson-2-10-safe-default-typing-2d018f0ce2ba)

I'm wondering how to best convey this, maybe via a NEWS entry or
simply accept it as given?

Cheers,
        Moritz
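
For readers unfamiliar with the term, the following added example (not part of the message above and not upstream's code) shows what "safe default typing" means in jackson-databind 2.10 and later: default typing is activated together with an allow-list validator. The classes `Note` and `Holder` are hypothetical, the rejected input is constructed, and jackson-databind 2.10+ is assumed to be on the classpath.

```java
import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class SafeDefaultTypingDemo {
    // Hypothetical application types, constructed for this example.
    public static class Note { public String text; }
    public static class Holder { public Object payload; }

    public static void main(String[] args) throws Exception {
        // Pre-2.10 style, deprecated since 2.10: no allow-list is applied
        // to the class names carried in the JSON.
        //   new ObjectMapper().enableDefaultTyping();

        // 2.10+ style: default typing is activated with an explicit
        // validator that allows only Note and its subclasses.
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(Note.class)
                .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv);

        // Round trip of an allowed type through the Object-typed field.
        Note note = new Note();
        note.text = "hello";
        Holder holder = new Holder();
        holder.payload = note;
        String json = mapper.writeValueAsString(holder);
        Holder back = mapper.readValue(json, Holder.class);
        System.out.println("allowed: " + back.payload.getClass().getName());

        // Constructed input naming a type outside the allow-list.
        String other = "{\"payload\":[\"java.util.HashMap\",{}]}";
        try {
            mapper.readValue(other, Holder.class);
            System.out.println("unexpected: accepted");
        } catch (JsonProcessingException e) {
            // The validator denies the type id before any instance is built.
            System.out.println("rejected: " + e.getClass().getSimpleName());
        }
    }
}
```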



More information about the pkg-java-maintainers mailing list