Source: jackson-databind Severity: important X-Debbugs-Cc: car...@debian.org, a...@debian.org
Starting with 2.10 (and thus in Bullseye) upstream makes safe default typing required, the absense is no longer considered a security issue, see e.g. here: https://github.com/FasterXML/jackson-databind/issues/2798 | Not considered valid CVE for Jackson 2.10.0 and later (see | https://medium.com/@cowtowncoder/jackson-2-10-safe-default-typing-2d018f0ce2ba) I'm wondering how to best convey this, maybe via a NEWS entry or simply accept is as given? Cheers, Moritz
