Hi Moritz,

On Friday, 22.01.2021, 21:03 +0100, Moritz Muehlenhoff wrote:
> Source: jackson-databind
> Severity: important
> X-Debbugs-Cc: car...@debian.org, a...@debian.org
>
> Starting with 2.10 (and thus in Bullseye) upstream makes safe default
> typing required, the absence is no longer considered a security issue,
> see e.g. here:
>
> https://github.com/FasterXML/jackson-databind/issues/2798
>
> Not considered valid CVE for Jackson 2.10.0 and later (see
>
> https://medium.com/@cowtowncoder/jackson-2-10-safe-default-typing-2d018f0ce2ba)
>
> I'm wondering how to best convey this, maybe via a NEWS entry or
> simply accept it as given?
I believe starting with 2.10 this is no longer security relevant because
developers are required "to specify validator of type
PolymorphicTypeValidator that will determine if deserialization of given
class name is (or is not) allowed." (quote from the second link, the
official announcement by upstream)

That means a developer of a dependency of jackson-databind is still
allowed to shoot themselves in the foot, but you can't blame
jackson-databind for it anymore. So beginning with 2.10 I would simply
ignore similar issues in the security tracker.

Regards,
Markus
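The validator requirement Markus quotes, as an added example that is not code from this bug report or from jackson-databind itself: since 2.10 default typing can only be activated together with a PolymorphicTypeValidator, so the allow-list below is the application's own decision. It assumes jackson-databind 2.10 or later on the classpath; the Shape/Circle classes and both JSON inputs are constructed for the demo.

```java
// Added example (not from the bug report or from jackson-databind).
// Assumes jackson-databind >= 2.10; the model classes and inputs are constructed.
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class SafeDefaultTypingExample {

    // A deliberately small polymorphic hierarchy for the demo.
    public static abstract class Shape { public double size; }
    public static class Circle extends Shape { }

    public static ObjectMapper build() {
        // Since 2.10 the old enableDefaultTyping() is deprecated: the caller
        // must hand over a validator that decides which subtypes a type id
        // found in the JSON may resolve to. Here only our own hierarchy is
        // allowed; everything else is denied.
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(Shape.class)
                .build();
        return new ObjectMapper()
                .activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = build();
        String owner = SafeDefaultTypingExample.class.getName();

        // Constructed input whose type id names an allowed subtype: accepted.
        String ok = "[\"" + owner + "$Circle\",{\"size\":2.0}]";
        Shape s = mapper.readValue(ok, Shape.class);
        System.out.println("accepted: " + s.getClass().getSimpleName());

        // Constructed input whose type id names a class outside the
        // allow-list: the validator denies it and Jackson raises an
        // InvalidTypeIdException (a JsonMappingException) instead of
        // instantiating whatever class the document asked for.
        String bad = "[\"java.util.HashMap\",{}]";
        try {
            mapper.readValue(bad, Object.class);
        } catch (JsonMappingException e) {
            System.out.println("rejected: " + e.getOriginalMessage());
        }
    }
}
```

An application that instead builds its validator with a catch-all rule (or uses LaissezFaireSubTypeValidator) recreates the pre-2.10 behaviour; that is the "shoot themselves in the foot" case above, and it is the application's configuration, not jackson-databind, that a security tracker entry would then have to point at.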