jackson-databind (2.9.8-3+deb10u3) buster; urgency=medium * Non-maintainer upload by the LTS team. * Add patch to fix: - CVE-2020-24616: Block one more gadget type (Anteros-DBCP) - CVE-2020-24750: Block one more gadget type (com.pastdev.httpcomponents) - CVE-2020-25649: setExpandEntityReferences(false) may not prevent external entity expansion in all cases - CVE-2020-35490 and CVE-2020-35491: Block 2 more gadget types (commons-dbcp2) - CVE-2020-35728: Block one more gadget type (org.glassfish.web/javax.servlet.jsp.jstl) - CVE-2020-36179, CVE-2020-36180, CVE-2020-36181, and CVE-2020-36182: Block some more DBCP-related potential gadget classes - CVE-2020-36183: Block one more gadget type (org.docx4j.org.apache:xalan-interpretive) - CVE-2020-36184 and CVE-2020-36185: Block 2 more gadget types (org.apache.tomcat/tomcat-dbcp) - CVE-2020-36186 and CVE-2020-36187: Block 2 more gadget types (tomcat/naming-factory-dbcp) - CVE-2020-36188 and CVE-2020-36189: Block 2 more gadget types (newrelic-agent) - CVE-2021-20190: Block one more gadget type (javax.swing) -- Utkarsh Gupta Sat, 24 Apr 2021 19:56:57 +0530 jackson-databind (2.9.8-3+deb10u2) buster; urgency=medium * Add multiple-CVE-BeanDeserializerFactory.patch and block more classes from polymorphic deserialization. This fixes 20 CVE that currently affect the package namely, CVE-2020-9548, CVE-2020-9547, CVE-2020-9546, CVE-2020-8840, CVE-2020-14195, CVE-2020-14062, CVE-2020-14061, CVE-2020-14060, CVE-2020-11620, CVE-2020-11619, CVE-2020-11113, CVE-2020-11112, CVE-2020-11111, CVE-2020-10969, CVE-2020-10968, CVE-2020-10673, CVE-2020-10672, CVE-2019-20330, CVE-2019-17531 and CVE-2019-17267. -- Markus Koschany Thu, 09 Jul 2020 17:21:32 +0200 jackson-databind (2.9.8-3+deb10u1) buster-security; urgency=high * Fix CVE-2019-12384, CVE-2019-14439, CVE-2019-14540, CVE-2019-16335, CVE-2019-16942 and CVE-2019-16943. Several deserialization flaws were discovered in jackson-databind which could allow an unauthenticated user to perform code execution. The issue was resolved by extending the blacklist and blocking more classes from polymorphic deserialization. -- Markus Koschany Sat, 05 Oct 2019 19:39:24 +0200 jackson-databind (2.9.8-3) unstable; urgency=medium * Team upload. * Fix CVE-2019-12814 and CVE-2019-12384: More Polymorphic Typing issues were discovered in jackson-databind. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has JDOM 1.x or 2.x or logback-core jar in the classpath, an attacker can send a specifically crafted JSON message that allows them to read arbitrary local files on the server. (Closes: #930750) -- Markus Koschany Sat, 22 Jun 2019 00:28:48 +0200 jackson-databind (2.9.8-2) unstable; urgency=medium * Team upload. * Fix CVE-2019-12086: A Polymorphic Typing issue was discovered in jackson-databind. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint, the service has the mysql-connector-java jar (8.0.14 or earlier) in the classpath, and an attacker can host a crafted MySQL server reachable by the victim, an attacker can send a crafted JSON message that allows them to read arbitrary local files on the server. This occurs because of missing com.mysql.cj.jdbc.admin.MiniAdmin validation. (Closes: #929177) -- Markus Koschany Sat, 18 May 2019 20:31:28 +0200 jackson-databind (2.9.8-1) unstable; urgency=medium * Team upload. * New upstream release - Depend on libjackson2-core-java (>= 2.9.8) * Standards-Version updated to 4.3.0 * Use salsa.debian.org Vcs-* URLs -- Emmanuel Bourg Sun, 30 Dec 2018 11:03:14 +0100 jackson-databind (2.9.5-1) unstable; urgency=medium * Team upload. * New upstream version 2.9.5. - Fix CVE-2018-7489: incomplete fix for CVE-2017-7525 permits unsafe serialization via c3p0 libraries. (Closes: #891614) * Remove --has-package-version flag. -- Markus Koschany Tue, 27 Mar 2018 17:36:36 +0200 jackson-databind (2.9.4-1) unstable; urgency=medium * Team upload. * New upstream version 2.9.4. - Fix CVE-2018-5968: bypass of deserialization blacklist related to CVE-2017-7525 and CVE-2017-17485. (Closes: #888316) - Fix CVE-2017-17485: unauthenticated remote code execution because of an incomplete fix for CVE-2017-7525. (Closes: #888318) * Use compat level 11. * Declare compliance with Debian Policy 4.1.3. -- Markus Koschany Thu, 25 Jan 2018 14:45:19 +0100 jackson-databind (2.9.1-1) unstable; urgency=medium * Team upload. * New upstream version 2.9.1. - Fixes CVE-2017-7525: Deserialization vulnerability via readValue method of ObjectMapper (Closes: #870848) - Builds fine with Java 9. (Closes: #875411) * Declare compliance with Debian Policy 4.1.1. * Tighten B-D on jackson-core and jackson-annotations. * Add libmaven-shade-plugin-java to B-D. -- Markus Koschany Thu, 12 Oct 2017 00:31:43 +0200 jackson-databind (2.8.6-1) unstable; urgency=medium * Team upload. * New upstream release -- Emmanuel Bourg Mon, 16 Jan 2017 01:49:15 +0100 jackson-databind (2.8.5-2) unstable; urgency=medium * Team upload. * Added the missing build dependency on build-helper-maven-plugin (Closes: #848734) * Use maven-replacer-plugin instead of debian/replace-generate.sh * Merged the Build-Depends-Indep field into Build-Depends -- Emmanuel Bourg Wed, 21 Dec 2016 00:12:35 +0100 jackson-databind (2.8.5-1) unstable; urgency=medium * Team upload. * New upstream release - Depend on libjackson2-{core,annotations}-java (>= 2.8.5) * Switch to debhelper level 10 -- Emmanuel Bourg Thu, 15 Dec 2016 15:56:57 +0100 jackson-databind (2.7.4-1) unstable; urgency=medium * Team upload. * New upstream release * Depend on groovy instead of groovy2 -- Emmanuel Bourg Fri, 13 May 2016 10:12:03 +0200 jackson-databind (2.7.3-1) unstable; urgency=medium * Team upload. * New upstream release - Refreshed the patch - Ignore the new test dependencies - Tightened the dependency on libjackson2-{core,annotations}-java - Removed the dependency on libcglib3-java * Standards-Version updated to 3.9.8 (no changes) * Use secure Vcs-* URLs -- Emmanuel Bourg Fri, 08 Apr 2016 15:10:22 +0200 jackson-databind (2.4.2-3) unstable; urgency=medium * Team upload. * Transition to Groovy 2 -- Emmanuel Bourg Fri, 20 Nov 2015 13:06:01 +0100 jackson-databind (2.4.2-2) unstable; urgency=medium * Team upload. * Build depend on libcglib3-java instead of libcglib-java * Standards-Version updated to 3.9.6 (no changes) * Removed the build dependency on libmaven-cobertura-plugin-java -- Emmanuel Bourg Mon, 29 Sep 2014 16:30:49 +0200 jackson-databind (2.4.2-1) unstable; urgency=medium * Team upload. * New upstream release. * ignoreRules: Ignore replacer. * ignoreRules: Ignore release plugin. * control: Add libmaven-bundle-plugin to build-deps. * fix-using-bundle.diff: Use extensions with bundle plugin. * maven.{publishedR,r}ules: Fix version mangling. * control: Bump dependency on -core and -annotations. * properties: Set encoding to UTF-8. * control: Add libmaven-cobertura-plugin-java to build-depends. -- Timo Aaltonen Wed, 24 Sep 2014 17:14:02 +0300 jackson-databind (2.2.2-2) unstable; urgency=low * Team upload. * Update Maven settings to use correct coordinates for Groovy 1.8.x. (Closes: #750267). * Bump Standards-Version to 3.9.5. No changes were required. -- Miguel Landaeta Mon, 26 May 2014 14:53:06 -0300 jackson-databind (2.2.2-1) unstable; urgency=low * Initial release. (Closes: #720504) -- Wolodja Wentland Thu, 22 Aug 2013 15:24:34 +0000