File: changelog

package info (click to toggle)
jackson-databind 2.11.1-1
  • links: PTS, VCS
  • area: main
  • in suites: bullseye, sid
  • size: 11,052 kB
  • sloc: java: 122,898; xml: 162; sh: 5; makefile: 4
file content (227 lines) | stat: -rw-r--r-- 8,225 bytes parent folder | download
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
jackson-databind (2.11.1-1) unstable; urgency=medium

  * New upstream version 2.11.1.
    - Exclude the javadocs from the source tarball because they require more
      than 500 MB disk space.
    - Fixes CVE-2020-9548, CVE-2020-9547, CVE-2020-9546, CVE-2020-8840,
      CVE-2020-14195, CVE-2020-14062, CVE-2020-14061, CVE-2020-14060,
      CVE-2020-11620, CVE-2020-11619, CVE-2020-11113, CVE-2020-11112,
      CVE-2020-11111, CVE-2020-10969, CVE-2020-10968, CVE-2020-10673,
      CVE-2020-10672.
  * Switch to debhelper-compat = 13.
  * Refresh base-pom.patch.
  * Remove README.source.

 -- Markus Koschany <apo@debian.org>  Thu, 09 Jul 2020 13:53:55 +0200

jackson-databind (2.10.2-1) unstable; urgency=medium

  * New upstream version 2.10.2.
  * Declare compliance with Debian Policy 4.5.0.

 -- Markus Koschany <apo@debian.org>  Sun, 16 Feb 2020 14:27:13 +0100

jackson-databind (2.10.1-1) unstable; urgency=medium

  * New upstream version 2.10.1.
  * Drop CVE-2019-16942-and-CVE-2019-16943.patch. Fixed upstream.

 -- Markus Koschany <apo@debian.org>  Sun, 15 Dec 2019 16:07:37 +0100

jackson-databind (2.10.0-2) unstable; urgency=high

  * Fix CVE-2019-16942 and CVE-2019-16943.
    Block two more gadget types (commons-dbcp, p6spy). (Closes: #941530)

 -- Markus Koschany <apo@debian.org>  Thu, 03 Oct 2019 15:48:58 +0200

jackson-databind (2.10.0-1) unstable; urgency=medium

  * Team upload.
  * New upstream version 2.10.0.
    -Fix CVE-2019-14540 and CVE-2019-16335: Polymorphic Typing issues.
    (Closes: #940498) Thanks to Salvatore Bonaccorso for the report.
  * Declare compliance with Debian Policy 4.4.1.
  * Update base-pom.patch for new release.
  * Remove Wolodja Wentland from Uploaders. Add myself to it. (Closes: #898140)

 -- Markus Koschany <apo@debian.org>  Sun, 29 Sep 2019 21:51:57 +0200

jackson-databind (2.9.9.3-1) unstable; urgency=medium

  * Team upload.
  * New upstream version 2.9.9.3.
    - Fix CVE-2019-14439 and CVE-2019-14379. Thanks to Salvatore Bonaccorso for
      the report. (Closes: #933393)
  * Drop all patches. These are all part of the latest upstream release.
  * Switch to debhelper-compat = 12.
  * Declare compliance with Debian Policy 4.4.0.

 -- Markus Koschany <apo@debian.org>  Tue, 13 Aug 2019 00:26:52 +0200

jackson-databind (2.9.8-3) unstable; urgency=medium

  * Team upload.
  * Fix CVE-2019-12814 and CVE-2019-12384:
    More Polymorphic Typing issues were discovered in jackson-databind. When
    Default Typing is enabled (either globally or for a specific property) for
    an externally exposed JSON endpoint and the service has JDOM 1.x or 2.x or
    logback-core jar in the classpath, an attacker can send a specifically
    crafted JSON message that allows them to read arbitrary local files on the
    server. (Closes: #930750)

 -- Markus Koschany <apo@debian.org>  Sat, 22 Jun 2019 00:28:48 +0200

jackson-databind (2.9.8-2) unstable; urgency=medium

  * Team upload.
  * Fix CVE-2019-12086:
    A Polymorphic Typing issue was discovered in jackson-databind. When
    Default Typing is enabled (either globally or for a specific property) for
    an externally exposed JSON endpoint, the service has the
    mysql-connector-java jar (8.0.14 or earlier) in the classpath, and an
    attacker can host a crafted MySQL server reachable by the victim, an
    attacker can send a crafted JSON message that allows them to read arbitrary
    local files on the server. This occurs because of missing
    com.mysql.cj.jdbc.admin.MiniAdmin validation. (Closes: #929177)

 -- Markus Koschany <apo@debian.org>  Sat, 18 May 2019 20:31:28 +0200

jackson-databind (2.9.8-1) unstable; urgency=medium

  * Team upload.
  * New upstream release
    - Depend on libjackson2-core-java (>= 2.9.8)
  * Standards-Version updated to 4.3.0
  * Use salsa.debian.org Vcs-* URLs

 -- Emmanuel Bourg <ebourg@apache.org>  Sun, 30 Dec 2018 11:03:14 +0100

jackson-databind (2.9.5-1) unstable; urgency=medium

  * Team upload.
  * New upstream version 2.9.5.
    - Fix CVE-2018-7489: incomplete fix for CVE-2017-7525 permits unsafe
      serialization via c3p0 libraries. (Closes: #891614)
  * Remove --has-package-version flag.

 -- Markus Koschany <apo@debian.org>  Tue, 27 Mar 2018 17:36:36 +0200

jackson-databind (2.9.4-1) unstable; urgency=medium

  * Team upload.
  * New upstream version 2.9.4.
    - Fix CVE-2018-5968: bypass of deserialization blacklist related to
      CVE-2017-7525 and CVE-2017-17485. (Closes: #888316)
    - Fix CVE-2017-17485: unauthenticated remote code execution
      because of an incomplete fix for CVE-2017-7525. (Closes: #888318)
  * Use compat level 11.
  * Declare compliance with Debian Policy 4.1.3.

 -- Markus Koschany <apo@debian.org>  Thu, 25 Jan 2018 14:45:19 +0100

jackson-databind (2.9.1-1) unstable; urgency=medium

  * Team upload.
  * New upstream version 2.9.1.
    - Fixes CVE-2017-7525: Deserialization vulnerability via readValue
      method of ObjectMapper (Closes: #870848)
    - Builds fine with Java 9. (Closes: #875411)
  * Declare compliance with Debian Policy 4.1.1.
  * Tighten B-D on jackson-core and jackson-annotations.
  * Add libmaven-shade-plugin-java to B-D.

 -- Markus Koschany <apo@debian.org>  Thu, 12 Oct 2017 00:31:43 +0200

jackson-databind (2.8.6-1) unstable; urgency=medium

  * Team upload.
  * New upstream release

 -- Emmanuel Bourg <ebourg@apache.org>  Mon, 16 Jan 2017 01:49:15 +0100

jackson-databind (2.8.5-2) unstable; urgency=medium

  * Team upload.
  * Added the missing build dependency on build-helper-maven-plugin
    (Closes: #848734)
  * Use maven-replacer-plugin instead of debian/replace-generate.sh
  * Merged the Build-Depends-Indep field into Build-Depends

 -- Emmanuel Bourg <ebourg@apache.org>  Wed, 21 Dec 2016 00:12:35 +0100

jackson-databind (2.8.5-1) unstable; urgency=medium

  * Team upload.
  * New upstream release
    - Depend on libjackson2-{core,annotations}-java (>= 2.8.5)
  * Switch to debhelper level 10

 -- Emmanuel Bourg <ebourg@apache.org>  Thu, 15 Dec 2016 15:56:57 +0100

jackson-databind (2.7.4-1) unstable; urgency=medium

  * Team upload.
  * New upstream release
  * Depend on groovy instead of groovy2

 -- Emmanuel Bourg <ebourg@apache.org>  Fri, 13 May 2016 10:12:03 +0200

jackson-databind (2.7.3-1) unstable; urgency=medium

  * Team upload.
  * New upstream release
    - Refreshed the patch
    - Ignore the new test dependencies
    - Tightened the dependency on libjackson2-{core,annotations}-java
    - Removed the dependency on libcglib3-java
  * Standards-Version updated to 3.9.8 (no changes)
  * Use secure Vcs-* URLs

 -- Emmanuel Bourg <ebourg@apache.org>  Fri, 08 Apr 2016 15:10:22 +0200

jackson-databind (2.4.2-3) unstable; urgency=medium

  * Team upload.
  * Transition to Groovy 2

 -- Emmanuel Bourg <ebourg@apache.org>  Fri, 20 Nov 2015 13:06:01 +0100

jackson-databind (2.4.2-2) unstable; urgency=medium

  * Team upload.
  * Build depend on libcglib3-java instead of libcglib-java
  * Standards-Version updated to 3.9.6 (no changes)
  * Removed the build dependency on libmaven-cobertura-plugin-java

 -- Emmanuel Bourg <ebourg@apache.org>  Mon, 29 Sep 2014 16:30:49 +0200

jackson-databind (2.4.2-1) unstable; urgency=medium

  * Team upload.
  * New upstream release.
  * ignoreRules: Ignore replacer.
  * ignoreRules: Ignore release plugin.
  * control: Add libmaven-bundle-plugin to build-deps.
  * fix-using-bundle.diff: Use extensions with bundle plugin.
  * maven.{publishedR,r}ules: Fix version mangling.
  * control: Bump dependency on -core and -annotations.
  * properties: Set encoding to UTF-8.
  * control: Add libmaven-cobertura-plugin-java to build-depends.

 -- Timo Aaltonen <tjaalton@debian.org>  Wed, 24 Sep 2014 17:14:02 +0300

jackson-databind (2.2.2-2) unstable; urgency=low

  * Team upload.
  * Update Maven settings to use correct coordinates for Groovy 1.8.x.
    (Closes: #750267).
  * Bump Standards-Version to 3.9.5. No changes were required.

 -- Miguel Landaeta <nomadium@debian.org>  Mon, 26 May 2014 14:53:06 -0300

jackson-databind (2.2.2-1) unstable; urgency=low

  * Initial release. (Closes: #720504)

 -- Wolodja Wentland <debian@babilen5.org>  Thu, 22 Aug 2013 15:24:34 +0000