jackson-databind (2.12.1-1+deb11u1) bullseye-security; urgency=high

  * Team upload.
  * Fix CVE-2022-42003:
    In FasterXML jackson-databind resource exhaustion can
    occur because of a lack of a check in primitive value deserializers to
    avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS
    feature is enabled.
  * Fix CVE-2022-42004:
    In FasterXML jackson-databind resource exhaustion can occur because of a
    lack of a check in BeanDeserializerBase.deserializeFromArray to prevent use of
    deeply nested arrays. An application is vulnerable only with certain
    customized choices for deserialization.
  * Fix CVE-2020-36518:
    Java StackOverflow exception and denial of service via a large depth of
    nested objects.

 -- Markus Koschany <apo@debian.org>  Tue, 15 Nov 2022 13:39:24 +0100

jackson-databind (2.12.1-1) unstable; urgency=medium

  * Team upload.
  * New upstream release
    - Refreshed the patch
    - Depend on libjackson2-annotations-java (>= 2.12.1)
  * Standards-Version updated to 4.5.1

 -- Emmanuel Bourg <ebourg@apache.org>  Sun, 17 Jan 2021 23:46:32 +0100

jackson-databind (2.11.1-1) unstable; urgency=medium

  * New upstream version 2.11.1.
    - Exclude the javadocs from the source tarball because they require more
      than 500 MB disk space.
    - Fixes CVE-2020-9548, CVE-2020-9547, CVE-2020-9546, CVE-2020-8840,
      CVE-2020-14195, CVE-2020-14062, CVE-2020-14061, CVE-2020-14060,
      CVE-2020-11620, CVE-2020-11619, CVE-2020-11113, CVE-2020-11112,
      CVE-2020-11111, CVE-2020-10969, CVE-2020-10968, CVE-2020-10673,
      CVE-2020-10672.
  * Switch to debhelper-compat = 13.
  * Refresh base-pom.patch.
  * Remove README.source.

 -- Markus Koschany <apo@debian.org>  Thu, 09 Jul 2020 13:53:55 +0200

jackson-databind (2.10.2-1) unstable; urgency=medium

  * New upstream version 2.10.2.
  * Declare compliance with Debian Policy 4.5.0.

 -- Markus Koschany <apo@debian.org>  Sun, 16 Feb 2020 14:27:13 +0100

jackson-databind (2.10.1-1) unstable; urgency=medium

  * New upstream version 2.10.1.
  * Drop CVE-2019-16942-and-CVE-2019-16943.patch. Fixed upstream.

 -- Markus Koschany <apo@debian.org>  Sun, 15 Dec 2019 16:07:37 +0100

jackson-databind (2.10.0-2) unstable; urgency=high

  * Fix CVE-2019-16942 and CVE-2019-16943.
    Block two more gadget types (commons-dbcp, p6spy). (Closes: #941530)

 -- Markus Koschany <apo@debian.org>  Thu, 03 Oct 2019 15:48:58 +0200

jackson-databind (2.10.0-1) unstable; urgency=medium

  * Team upload.
  * New upstream version 2.10.0.
    - Fix CVE-2019-14540 and CVE-2019-16335: Polymorphic Typing issues.
      (Closes: #940498) Thanks to Salvatore Bonaccorso for the report.
  * Declare compliance with Debian Policy 4.4.1.
  * Update base-pom.patch for new release.
  * Remove Wolodja Wentland from Uploaders. Add myself to it. (Closes: #898140)

 -- Markus Koschany <apo@debian.org>  Sun, 29 Sep 2019 21:51:57 +0200

jackson-databind (2.9.9.3-1) unstable; urgency=medium

  * Team upload.
  * New upstream version 2.9.9.3.
    - Fix CVE-2019-14439 and CVE-2019-14379. Thanks to Salvatore Bonaccorso for
      the report. (Closes: #933393)
  * Drop all patches. These are all part of the latest upstream release.
  * Switch to debhelper-compat = 12.
  * Declare compliance with Debian Policy 4.4.0.

 -- Markus Koschany <apo@debian.org>  Tue, 13 Aug 2019 00:26:52 +0200

jackson-databind (2.9.8-3) unstable; urgency=medium

  * Team upload.
  * Fix CVE-2019-12814 and CVE-2019-12384:
    More Polymorphic Typing issues were discovered in jackson-databind. When
    Default Typing is enabled (either globally or for a specific property) for
    an externally exposed JSON endpoint and the service has JDOM 1.x or 2.x or
    logback-core jar in the classpath, an attacker can send a specifically
    crafted JSON message that allows them to read arbitrary local files on the
    server. (Closes: #930750)

 -- Markus Koschany <apo@debian.org>  Sat, 22 Jun 2019 00:28:48 +0200

jackson-databind (2.9.8-2) unstable; urgency=medium

  * Team upload.
  * Fix CVE-2019-12086:
    A Polymorphic Typing issue was discovered in jackson-databind. When
    Default Typing is enabled (either globally or for a specific property) for
    an externally exposed JSON endpoint, the service has the
    mysql-connector-java jar (8.0.14 or earlier) in the classpath, and an
    attacker can host a crafted MySQL server reachable by the victim, an
    attacker can send a crafted JSON message that allows them to read arbitrary
    local files on the server. This occurs because of missing
    com.mysql.cj.jdbc.admin.MiniAdmin validation. (Closes: #929177)

 -- Markus Koschany <apo@debian.org>  Sat, 18 May 2019 20:31:28 +0200

jackson-databind (2.9.8-1) unstable; urgency=medium

  * Team upload.
  * New upstream release
    - Depend on libjackson2-core-java (>= 2.9.8)
  * Standards-Version updated to 4.3.0
  * Use salsa.debian.org Vcs-* URLs

 -- Emmanuel Bourg <ebourg@apache.org>  Sun, 30 Dec 2018 11:03:14 +0100

jackson-databind (2.9.5-1) unstable; urgency=medium

  * Team upload.
  * New upstream version 2.9.5.
    - Fix CVE-2018-7489: incomplete fix for CVE-2017-7525 permits unsafe
      serialization via c3p0 libraries. (Closes: #891614)
  * Remove --has-package-version flag.

 -- Markus Koschany <apo@debian.org>  Tue, 27 Mar 2018 17:36:36 +0200

jackson-databind (2.9.4-1) unstable; urgency=medium

  * Team upload.
  * New upstream version 2.9.4.
    - Fix CVE-2018-5968: bypass of deserialization blacklist related to
      CVE-2017-7525 and CVE-2017-17485. (Closes: #888316)
    - Fix CVE-2017-17485: unauthenticated remote code execution
      because of an incomplete fix for CVE-2017-7525. (Closes: #888318)
  * Use compat level 11.
  * Declare compliance with Debian Policy 4.1.3.

 -- Markus Koschany <apo@debian.org>  Thu, 25 Jan 2018 14:45:19 +0100

jackson-databind (2.9.1-1) unstable; urgency=medium

  * Team upload.
  * New upstream version 2.9.1.
    - Fixes CVE-2017-7525: Deserialization vulnerability via readValue
      method of ObjectMapper (Closes: #870848)
    - Builds fine with Java 9. (Closes: #875411)
  * Declare compliance with Debian Policy 4.1.1.
  * Tighten B-D on jackson-core and jackson-annotations.
  * Add libmaven-shade-plugin-java to B-D.

 -- Markus Koschany <apo@debian.org>  Thu, 12 Oct 2017 00:31:43 +0200

jackson-databind (2.8.6-1) unstable; urgency=medium

  * Team upload.
  * New upstream release

 -- Emmanuel Bourg <ebourg@apache.org>  Mon, 16 Jan 2017 01:49:15 +0100

jackson-databind (2.8.5-2) unstable; urgency=medium

  * Team upload.
  * Added the missing build dependency on build-helper-maven-plugin
    (Closes: #848734)
  * Use maven-replacer-plugin instead of debian/replace-generate.sh
  * Merged the Build-Depends-Indep field into Build-Depends

 -- Emmanuel Bourg <ebourg@apache.org>  Wed, 21 Dec 2016 00:12:35 +0100

jackson-databind (2.8.5-1) unstable; urgency=medium

  * Team upload.
  * New upstream release
    - Depend on libjackson2-{core,annotations}-java (>= 2.8.5)
  * Switch to debhelper level 10

 -- Emmanuel Bourg <ebourg@apache.org>  Thu, 15 Dec 2016 15:56:57 +0100

jackson-databind (2.7.4-1) unstable; urgency=medium

  * Team upload.
  * New upstream release
  * Depend on groovy instead of groovy2

 -- Emmanuel Bourg <ebourg@apache.org>  Fri, 13 May 2016 10:12:03 +0200

jackson-databind (2.7.3-1) unstable; urgency=medium

  * Team upload.
  * New upstream release
    - Refreshed the patch
    - Ignore the new test dependencies
    - Tightened the dependency on libjackson2-{core,annotations}-java
    - Removed the dependency on libcglib3-java
  * Standards-Version updated to 3.9.8 (no changes)
  * Use secure Vcs-* URLs

 -- Emmanuel Bourg <ebourg@apache.org>  Fri, 08 Apr 2016 15:10:22 +0200

jackson-databind (2.4.2-3) unstable; urgency=medium

  * Team upload.
  * Transition to Groovy 2

 -- Emmanuel Bourg <ebourg@apache.org>  Fri, 20 Nov 2015 13:06:01 +0100

jackson-databind (2.4.2-2) unstable; urgency=medium

  * Team upload.
  * Build depend on libcglib3-java instead of libcglib-java
  * Standards-Version updated to 3.9.6 (no changes)
  * Removed the build dependency on libmaven-cobertura-plugin-java

 -- Emmanuel Bourg <ebourg@apache.org>  Mon, 29 Sep 2014 16:30:49 +0200

jackson-databind (2.4.2-1) unstable; urgency=medium

  * Team upload.
  * New upstream release.
  * ignoreRules: Ignore replacer.
  * ignoreRules: Ignore release plugin.
  * control: Add libmaven-bundle-plugin to build-deps.
  * fix-using-bundle.diff: Use extensions with bundle plugin.
  * maven.{publishedR,r}ules: Fix version mangling.
  * control: Bump dependency on -core and -annotations.
  * properties: Set encoding to UTF-8.
  * control: Add libmaven-cobertura-plugin-java to build-depends.

 -- Timo Aaltonen <tjaalton@debian.org>  Wed, 24 Sep 2014 17:14:02 +0300

jackson-databind (2.2.2-2) unstable; urgency=low

  * Team upload.
  * Update Maven settings to use correct coordinates for Groovy 1.8.x.
    (Closes: #750267).
  * Bump Standards-Version to 3.9.5. No changes were required.

 -- Miguel Landaeta <nomadium@debian.org>  Mon, 26 May 2014 14:53:06 -0300

jackson-databind (2.2.2-1) unstable; urgency=low

  * Initial release. (Closes: #720504)

 -- Wolodja Wentland <debian@babilen5.org>  Thu, 22 Aug 2013 15:24:34 +0000