jackson-core - Debian Package Tracker

general

source: jackson-core (main)
version: 2.14.1-2
maintainer: Debian Java Maintainers (archive) (DMD)
uploaders: Markus Koschany [DMD] – Mechtilde Stehmann [DMD]
arch: all
std-ver: 4.7.4
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 2.12.1-1
oldstable: 2.14.1-1
stable: 2.14.1-1
testing: 2.14.1-1
unstable: 2.14.1-2

versioned links

2.12.1-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.14.1-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.14.1-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

libjackson2-core-java

action needed

A new upstream version is available: 3.1.2 high

A new upstream version 3.1.2 is available, you should consider packaging it.

Created: 2025-11-27 Last update: 2026-04-20 13:32

1 security issue in trixie high

There is 1 open security issue in trixie.

1 important issue:

CVE-2025-52999: jackson-core contains core low-level incremental ("streaming") parser and generator abstractions used by Jackson Data Processor. In versions prior to 2.15.0, if a user parses an input file and it has deeply nested data, Jackson could end up throwing a StackoverflowError if the depth is particularly large. jackson-core 2.15.0 contains a configurable limit for how deep Jackson will traverse in an input document, defaulting to an allowable depth of 1000. jackson-core will throw a StreamConstraintsException if the limit is reached. jackson-databind also benefits from this change because it uses jackson-core to parse JSON inputs. As a workaround, users should avoid parsing input files from untrusted sources.

Created: 2025-06-26 Last update: 2026-04-16 06:01

1 security issue in forky high

There is 1 open security issue in forky.

1 important issue:

CVE-2025-52999: jackson-core contains core low-level incremental ("streaming") parser and generator abstractions used by Jackson Data Processor. In versions prior to 2.15.0, if a user parses an input file and it has deeply nested data, Jackson could end up throwing a StackoverflowError if the depth is particularly large. jackson-core 2.15.0 contains a configurable limit for how deep Jackson will traverse in an input document, defaulting to an allowable depth of 1000. jackson-core will throw a StreamConstraintsException if the limit is reached. jackson-databind also benefits from this change because it uses jackson-core to parse JSON inputs. As a workaround, users should avoid parsing input files from untrusted sources.

Created: 2025-08-09 Last update: 2026-04-16 06:01

2 security issues in bullseye high

There are 2 open security issues in bullseye.

1 important issue:

CVE-2025-52999: jackson-core contains core low-level incremental ("streaming") parser and generator abstractions used by Jackson Data Processor. In versions prior to 2.15.0, if a user parses an input file and it has deeply nested data, Jackson could end up throwing a StackoverflowError if the depth is particularly large. jackson-core 2.15.0 contains a configurable limit for how deep Jackson will traverse in an input document, defaulting to an allowable depth of 1000. jackson-core will throw a StreamConstraintsException if the limit is reached. jackson-databind also benefits from this change because it uses jackson-core to parse JSON inputs. As a workaround, users should avoid parsing input files from untrusted sources.

1 issue postponed or untriaged:

CVE-2025-49128: (postponed; to be fixed through a stable update) Jackson-core contains core low-level incremental ("streaming") parser and generator abstractions used by Jackson Data Processor. Starting in version 2.0.0 and prior to version 2.13.0, a flaw in jackson-core's `JsonLocation._appendSourceDesc` method allows up to 500 bytes of unintended memory content to be included in exception messages. When parsing JSON from a byte array with an offset and length, the exception message incorrectly reads from the beginning of the array instead of the logical payload start. This results in possible information disclosure in systems using pooled or reused buffers, like Netty or Vert.x. This issue was silently fixed in jackson-core version 2.13.0, released on September 30, 2021, via PR #652. All users should upgrade to version 2.13.0 or later. If upgrading is not immediately possible, applications can mitigate the issue by disabling exception message exposure to clients to avoid returning parsing exception messages in HTTP responses and/or disabling source inclusion in exceptions to prevent Jackson from embedding any source content in exception messages, avoiding leakage.

Created: 2025-06-26 Last update: 2026-04-16 06:01

1 security issue in bookworm high

There is 1 open security issue in bookworm.

1 important issue:

CVE-2025-52999: jackson-core contains core low-level incremental ("streaming") parser and generator abstractions used by Jackson Data Processor. In versions prior to 2.15.0, if a user parses an input file and it has deeply nested data, Jackson could end up throwing a StackoverflowError if the depth is particularly large. jackson-core 2.15.0 contains a configurable limit for how deep Jackson will traverse in an input document, defaulting to an allowable depth of 1000. jackson-core will throw a StreamConstraintsException if the limit is reached. jackson-databind also benefits from this change because it uses jackson-core to parse JSON inputs. As a workaround, users should avoid parsing input files from untrusted sources.

Created: 2025-06-26 Last update: 2026-04-16 06:01

Multiarch hinter reports 1 issue(s) normal

There are issues with the multiarch metadata for this package.

libjackson2-core-java could be marked Multi-Arch: foreign

Created: 2016-09-14 Last update: 2026-04-20 15:01

lintian reports 2 warnings normal

Lintian reports 2 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2022-12-20 Last update: 2026-04-16 09:02

5 open merge requests in Salsa normal

There are 5 open merge requests for this package on Salsa. You should consider reviewing and/or merging these merge requests.

Created: 2025-08-19 Last update: 2025-09-07 19:37

debian/patches: 2 patches to forward upstream low

Among the 3 debian patches available in version 2.14.1-2 of the package, we noticed the following issues:

2 patches where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.

Created: 2023-02-26 Last update: 2026-04-16 11:47

testing migrations

excuses:
- Migration status for jackson-core (2.14.1-1 to 2.14.1-2): Waiting for test results or another package, or too young (no action required now - check later)
- Issues preventing migration:
- ∙ ∙ Too young, only 4 of 5 days old
- Additional info (not blocking):
- ∙ ∙ Piuparts tested OK - https://piuparts.debian.org/sid/source/j/jackson-core.html
- ∙ ∙ Reproduced on amd64
- ∙ ∙ Reproduced on arm64
- ∙ ∙ Reproduced on armhf
- ∙ ∙ Reproduced on i386
- ∙ ∙ Reproduced on ppc64el
- Not considered

news

[rss feed]

[2026-04-15] Accepted jackson-core 2.14.1-2 (source) into unstable (Markus Koschany)
[2022-12-25] jackson-core 2.14.1-1 MIGRATED to testing (Debian testing watch)
[2022-12-19] Accepted jackson-core 2.14.1-1 (source) into unstable (Emmanuel Bourg)
[2022-11-17] jackson-core 2.14.0-2 MIGRATED to testing (Debian testing watch)
[2022-11-12] Accepted jackson-core 2.14.0-2 (source) into unstable (Markus Koschany)
[2022-11-12] Accepted jackson-core 2.14.0-1 (source) into unstable (Markus Koschany)
[2021-11-09] jackson-core 2.13.0-2 MIGRATED to testing (Debian testing watch)
[2021-11-04] Accepted jackson-core 2.13.0-2 (source) into unstable (Markus Koschany)
[2021-10-22] Accepted jackson-core 2.13.0-1 (source) into unstable (Markus Koschany)
[2021-01-22] jackson-core 2.12.1-1 MIGRATED to testing (Debian testing watch)
[2021-01-16] Accepted jackson-core 2.12.1-1 (source) into unstable (Emmanuel Bourg)
[2020-12-31] jackson-core 2.12.0-1 MIGRATED to testing (Debian testing watch)
[2020-12-26] Accepted jackson-core 2.12.0-1 (source) into unstable (Mechtilde Stehmann)
[2020-11-13] jackson-core 2.11.3-1 MIGRATED to testing (Debian testing watch)
[2020-11-08] Accepted jackson-core 2.11.3-1 (source) into unstable (Mechtilde Stehmann)
[2020-03-13] jackson-core 2.10.3-1 MIGRATED to testing (Debian testing watch)
[2020-03-08] Accepted jackson-core 2.10.3-1 (source) into unstable (Mechtilde Stehmann)
[2019-12-29] jackson-core 2.10.1-1 MIGRATED to testing (Debian testing watch)
[2019-12-23] Accepted jackson-core 2.10.1-1 (source) into unstable (Mechtilde Stehmann)
[2019-10-04] jackson-core 2.10.0-1 MIGRATED to testing (Debian testing watch)
[2019-09-28] Accepted jackson-core 2.10.0-1 (source) into unstable (Mechtilde Stehmann)
[2019-09-15] Accepted jackson-core 2.9.9-1 (source all) into unstable (Mechtilde Stehmann)
[2019-01-04] jackson-core 2.9.8-3 MIGRATED to testing (Debian testing watch)
[2018-12-29] Accepted jackson-core 2.9.8-3 (source) into unstable (Emmanuel Bourg)
[2018-12-29] Accepted jackson-core 2.9.8-2 (source) into unstable (Emmanuel Bourg)
[2018-12-28] Accepted jackson-core 2.9.8-1 (source) into unstable (Emmanuel Bourg)
[2018-01-31] jackson-core 2.9.4-1 MIGRATED to testing (Debian testing watch)
[2018-01-25] Accepted jackson-core 2.9.4-1 (source) into unstable (Markus Koschany)
[2017-10-17] jackson-core 2.9.1-1 MIGRATED to testing (Debian testing watch)
[2017-10-11] Accepted jackson-core 2.9.1-1 (source) into unstable (Markus Koschany)

bugs [bug history graph]

all: 0

links

homepage
lintian (0, 2)
buildd: logs, reproducibility
popcon
browse source code
other distros
security tracker
debian patches

ubuntu

[Information about Ubuntu for Debian Developers]

version: 2.14.1-1build1