FasterXML jackson-databind before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath. Fix/Commit: https://github.com/FasterXML/jackson-databind/commit/6799f8f10cc78e9af6d443ed6982d00a13f2e7d2 Fixed in 2.8.11.1 (newly released) and 2.9.5 (when it is released). - Gentoo Security Padawan -
2.9.5 released 3/26/2018 with fix see: https://github.com/FasterXML/jackson-databind/blob/jackson-databind-2.9.5/release-notes/VERSION-2.x @Demetris, fyi 2.8.11 branch is milestone/testing.
Package removed from the Portage tree. https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6599dc1625a0840c6280b60cc6cacf388fc8d049