This is patch release completes 10 issues, with two especially noteworthy changes, and a number of other smaller bug fixes and enhancements.
- The default Jackson deserializer will now reject duplicate JSON members by default in an attempt to be a little more strict at rejecting potentially malicious or malformed JSON. This is a default and can be overridden with a custom
ObjectMapperif desired. - Password-based JWE encryption key algorithms (
PBES2_HS256_A128KW,PBES2_HS384_A192KWandPBES2_HS512_A256KW) now enforce an upper bound (maximum) number of iterations allowed during decryption to mitigate against potential DoS attacks. Many thanks to Jingcheng Yang and Jianjun Chen from Sichuan University and Zhongguancun Lab for their work on this!
A number of other issues fixed: thread-safe ServiceLoader usage for dynamic JSON processor lookup, Android enhancements for JSON Reader APIs, fixed Elliptic Curve field element padding, and more. Please read the 0.12.4 CHANGELOG for full details of all of these changes, and as always, project documentation is in the 0.12.4 README.
Please allow 30 minutes from the time this announcement is published for the release to be available in Maven Central.