backport fix of #292 to version 2.6.x

[agebhar1]

Spring Boot upgrade Jackson to version 2.8 with release of 1.4 - this leads to spring-boot/issues/6508 in combination of a embedded Elasticsearch (version 2.3.4) which still uses Jackson 2.6.6.

There is a on going discussion on downgrade Jackson to 2.6.x for the a next (minor) release of Spring Boot spring-boot/issues/6536. There are concerns w.r.t. #292.

Is there any chance to get #292 backported to 2.6.x?

Thx in advance!

[agebhar1]

There will be a downgrade to Jackson 2.7.x spring-projects/spring-boot/issues/6536 so this is obsolete for Spring Boot. But Elasticsearch 2.3.x/2.4.x could benefit of the backport Update Jackson 2.6.2 -> 2.6.6 (latest and final 2.6 patch) 💭

[cowtowncoder]

Regarding 2.6: there are no plans for full 2.6 release (last one is 2.6.7, as per https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.6.7 -- to flush fixes that were added after 2.6.6), although there is always a possibility of targeted micro-patches.
So if there is demand, 2.6.7.1 of jackson-dataformat-xml could be released. However, I would prefer upgrade to 2.7 or 2.8 instead where possible.

If release of 2.6.7.1 is desired, let me know. Due to high visibility of the CVE I am open to backport, just want to know that such work is useful and valuable to user community.

[cowtowncoder]

Closing for now.

[agebhar1]

@cowtowncoder sorry for (very) late answering - thx for your help