Jackson Release 2.8.9

Patch version of 2.8, not yet released. Following fixes are included.

Changes, core

Streaming

Databind

• #1585: Invoke ServiceLoader.load() inside of a privileged block when loading modules using ObjectMapper.findModules()
• #1599: Jackson Deserializer security vulnerability with default typing
• #1607: @JsonIdentityReference not used when setup on class only

Changes, dataformats

Protobuf

• #72: parser fails with /* comment */

Changes, other

Jackson jr

• #50: Duplicate key detection does not work