When will Guava updated for CVE-2018-10237?

[guruxu]

@cowtowncoder any plan to bump up the version of guava to address CVE-2018-10237 soon?

[cowtowncoder]

I don't think upgrading to latest Guava version can happen any time soon, due to Guava's aggressive versioning. Unless there is a backport to earlier versions.

But as to CVE in question: if I understand it correctly, it wouldn't seem like it would affect Jackson usage -- Jackson does not use JDK serialization for its operation, nor methods that would cause pre-allocation.
Or am I misunderstanding the problem here?

[plokhotnyuk]

Should not that classes be black-listed?

[cowtowncoder]

@plokhotnyuk only if there is an attack vector, and it seems to me that based on description there isn't.
To me description suggested that attack would require accepting JDK serialized payload of affected classes to be deserialized, and this is not how Jackson works. So even thought it is an example of general serialization attack, it is not something that is ever done with Jackson: Jackson guava datatype handles its own serialization to/from JSON (and other formats).

Of course I may have misunderstood the issue: if so I would like to understand the issue better.

[cowtowncoder]

2.10.0 of the module will at least allow versions up to 25, wrt version range, as per #34