jackson-databind (2.14.0+ds-2) unstable; urgency=medium

  [ Otto Kekäläinen ]
  * Enable Salsa CI to help avoid testable regressions before upload to Debian
  * Fix broken Homepage link and add current upstream metadata.
    The site wiki.fasterxml.com no longer exists. Replace it with link to the
    current wiki location. Also add a metadata file following DEP-12, so it is
    easier for both maintainers to find the correct upstream websites, as well
    as for `git-buildpackage --add-upstreamvcs` feature to work.
  * Define Debian packaging repository conventions in gbp.conf.
    Add a git-buildpackage config file to show explicitly what conventions
    this Debian source package repository uses. This way it is easier for
    current maintainer to do e.g. new upstream version imports, as there are
    fewer arguments that need to be passed to `gbp` commands, and also for any
    future maintainer/contributor there is less guesswork.

  [ Markus Koschany ]
  * Add CVE-2025-52999.patch and fix an FTBFS due to changes in jackson-core.
    (Closes: #1135410)

 -- Markus Koschany  Sat, 06 Jun 2026 14:07:23 +0200

jackson-databind (2.14.0+ds-1) unstable; urgency=medium

  * Team upload.
  * Use java_compat_level from /usr/share/java/java_defaults.mk to set the
    target compiled classes version. (Closes: #1088270)
  * Promote Standards-Version to 4.7.0 without changes.
  * Repack sources without newly excluded files and update configuration for
    importing new releases.

 -- Julien Plissonneau Duquène  Tue, 26 Nov 2024 17:34:44 +0000

jackson-databind (2.14.0-1) unstable; urgency=medium

  * New upstream version 2.14.0.
    - Fix CVE-2022-42003:
      Resource exhaustion can occur because of a lack of a check in primitive
      value deserializers to avoid deep wrapper array nesting, when the
      UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled.
    - Fix CVE-2022-42004:
      Resource exhaustion can occur because of a lack of a check in
      BeanDeserializer._deserializeFromArray to prevent use of deeply nested
      arrays. An application is vulnerable only with certain customized
      choices for deserialization.
  * Declare compliance with Debian Policy 4.6.1.

 -- Markus Koschany  Fri, 11 Nov 2022 23:19:39 +0100

jackson-databind (2.13.2.2-1) unstable; urgency=medium

  * New upstream version 2.13.2.2.
    - Fix CVE-2020-36518:
      Java StackOverflow exception and denial of service via a large depth of
      nested objects. (Closes: #1007109)
      Thanks to Neil Williams for the report.

 -- Markus Koschany  Sat, 30 Apr 2022 14:05:08 +0200

jackson-databind (2.13.0-2) unstable; urgency=medium

  * Drop all doc packages from Build-Depends.
  * Update debian/watch.

 -- Markus Koschany  Thu, 04 Nov 2021 10:28:57 +0100

jackson-databind (2.13.0-1) unstable; urgency=medium

  * New upstream version 2.13.0.

 -- Markus Koschany  Fri, 22 Oct 2021 12:58:08 +0200

jackson-databind (2.12.5-1) unstable; urgency=medium

  * New upstream version 2.12.5.
  * Declare compliance with Debian Policy 4.6.0.

 -- Markus Koschany  Tue, 07 Sep 2021 10:09:57 +0200

jackson-databind (2.12.1-1) unstable; urgency=medium

  * Team upload.
  * New upstream release
    - Refreshed the patch
    - Depend on libjackson2-annotations-java (>= 2.12.1)
  * Standards-Version updated to 4.5.1

 -- Emmanuel Bourg  Sun, 17 Jan 2021 23:46:32 +0100

jackson-databind (2.11.1-1) unstable; urgency=medium

  * New upstream version 2.11.1.
    - Exclude the javadocs from the source tarball because they require more
      than 500 MB disk space.
    - Fixes CVE-2020-9548, CVE-2020-9547, CVE-2020-9546, CVE-2020-8840,
      CVE-2020-14195, CVE-2020-14062, CVE-2020-14061, CVE-2020-14060,
      CVE-2020-11620, CVE-2020-11619, CVE-2020-11113, CVE-2020-11112,
      CVE-2020-11111, CVE-2020-10969, CVE-2020-10968, CVE-2020-10673,
      CVE-2020-10672.
  * Switch to debhelper-compat = 13.
  * Refresh base-pom.patch.
  * Remove README.source.

 -- Markus Koschany  Thu, 09 Jul 2020 13:53:55 +0200

jackson-databind (2.10.2-1) unstable; urgency=medium

  * New upstream version 2.10.2.
  * Declare compliance with Debian Policy 4.5.0.

 -- Markus Koschany  Sun, 16 Feb 2020 14:27:13 +0100

jackson-databind (2.10.1-1) unstable; urgency=medium

  * New upstream version 2.10.1.
  * Drop CVE-2019-16942-and-CVE-2019-16943.patch. Fixed upstream.

 -- Markus Koschany  Sun, 15 Dec 2019 16:07:37 +0100

jackson-databind (2.10.0-2) unstable; urgency=high

  * Fix CVE-2019-16942 and CVE-2019-16943.
    Block two more gadget types (commons-dbcp, p6spy). (Closes: #941530)

 -- Markus Koschany  Thu, 03 Oct 2019 15:48:58 +0200

jackson-databind (2.10.0-1) unstable; urgency=medium

  * Team upload.
  * New upstream version 2.10.0.
    - Fix CVE-2019-14540 and CVE-2019-16335:
      Polymorphic Typing issues. (Closes: #940498)
      Thanks to Salvatore Bonaccorso for the report.
  * Declare compliance with Debian Policy 4.4.1.
  * Update base-pom.patch for new release.
  * Remove Wolodja Wentland from Uploaders. Add myself to it.
    (Closes: #898140)

 -- Markus Koschany  Sun, 29 Sep 2019 21:51:57 +0200

jackson-databind (2.9.9.3-1) unstable; urgency=medium

  * Team upload.
  * New upstream version 2.9.9.3.
    - Fix CVE-2019-14439 and CVE-2019-14379.
      Thanks to Salvatore Bonaccorso for the report. (Closes: #933393)
  * Drop all patches. These are all part of the latest upstream release.
  * Switch to debhelper-compat = 12.
  * Declare compliance with Debian Policy 4.4.0.

 -- Markus Koschany  Tue, 13 Aug 2019 00:26:52 +0200

jackson-databind (2.9.8-3) unstable; urgency=medium

  * Team upload.
  * Fix CVE-2019-12814 and CVE-2019-12384:
    More Polymorphic Typing issues were discovered in jackson-databind. When
    Default Typing is enabled (either globally or for a specific property) for
    an externally exposed JSON endpoint and the service has JDOM 1.x or 2.x or
    logback-core jar in the classpath, an attacker can send a specifically
    crafted JSON message that allows them to read arbitrary local files on the
    server. (Closes: #930750)

 -- Markus Koschany  Sat, 22 Jun 2019 00:28:48 +0200

jackson-databind (2.9.8-2) unstable; urgency=medium

  * Team upload.
  * Fix CVE-2019-12086:
    A Polymorphic Typing issue was discovered in jackson-databind. When
    Default Typing is enabled (either globally or for a specific property) for
    an externally exposed JSON endpoint, the service has the
    mysql-connector-java jar (8.0.14 or earlier) in the classpath, and an
    attacker can host a crafted MySQL server reachable by the victim, an
    attacker can send a crafted JSON message that allows them to read
    arbitrary local files on the server. This occurs because of missing
    com.mysql.cj.jdbc.admin.MiniAdmin validation. (Closes: #929177)

 -- Markus Koschany  Sat, 18 May 2019 20:31:28 +0200

jackson-databind (2.9.8-1) unstable; urgency=medium

  * Team upload.
  * New upstream release
    - Depend on libjackson2-core-java (>= 2.9.8)
  * Standards-Version updated to 4.3.0
  * Use salsa.debian.org Vcs-* URLs

 -- Emmanuel Bourg  Sun, 30 Dec 2018 11:03:14 +0100

jackson-databind (2.9.5-1) unstable; urgency=medium

  * Team upload.
  * New upstream version 2.9.5.
    - Fix CVE-2018-7489: incomplete fix for CVE-2017-7525 permits unsafe
      serialization via c3p0 libraries. (Closes: #891614)
  * Remove --has-package-version flag.

 -- Markus Koschany  Tue, 27 Mar 2018 17:36:36 +0200

jackson-databind (2.9.4-1) unstable; urgency=medium

  * Team upload.
  * New upstream version 2.9.4.
    - Fix CVE-2018-5968: bypass of deserialization blacklist related to
      CVE-2017-7525 and CVE-2017-17485. (Closes: #888316)
    - Fix CVE-2017-17485: unauthenticated remote code execution because of an
      incomplete fix for CVE-2017-7525. (Closes: #888318)
  * Use compat level 11.
  * Declare compliance with Debian Policy 4.1.3.

 -- Markus Koschany  Thu, 25 Jan 2018 14:45:19 +0100

jackson-databind (2.9.1-1) unstable; urgency=medium

  * Team upload.
  * New upstream version 2.9.1.
    - Fixes CVE-2017-7525: Deserialization vulnerability via readValue method
      of ObjectMapper (Closes: #870848)
    - Builds fine with Java 9. (Closes: #875411)
  * Declare compliance with Debian Policy 4.1.1.
  * Tighten B-D on jackson-core and jackson-annotations.
  * Add libmaven-shade-plugin-java to B-D.

 -- Markus Koschany  Thu, 12 Oct 2017 00:31:43 +0200

jackson-databind (2.8.6-1) unstable; urgency=medium

  * Team upload.
  * New upstream release

 -- Emmanuel Bourg  Mon, 16 Jan 2017 01:49:15 +0100

jackson-databind (2.8.5-2) unstable; urgency=medium

  * Team upload.
  * Added the missing build dependency on build-helper-maven-plugin
    (Closes: #848734)
  * Use maven-replacer-plugin instead of debian/replace-generate.sh
  * Merged the Build-Depends-Indep field into Build-Depends

 -- Emmanuel Bourg  Wed, 21 Dec 2016 00:12:35 +0100

jackson-databind (2.8.5-1) unstable; urgency=medium

  * Team upload.
  * New upstream release
    - Depend on libjackson2-{core,annotations}-java (>= 2.8.5)
  * Switch to debhelper level 10

 -- Emmanuel Bourg  Thu, 15 Dec 2016 15:56:57 +0100

jackson-databind (2.7.4-1) unstable; urgency=medium

  * Team upload.
  * New upstream release
  * Depend on groovy instead of groovy2

 -- Emmanuel Bourg  Fri, 13 May 2016 10:12:03 +0200

jackson-databind (2.7.3-1) unstable; urgency=medium

  * Team upload.
  * New upstream release
    - Refreshed the patch
    - Ignore the new test dependencies
    - Tightened the dependency on libjackson2-{core,annotations}-java
    - Removed the dependency on libcglib3-java
  * Standards-Version updated to 3.9.8 (no changes)
  * Use secure Vcs-* URLs

 -- Emmanuel Bourg  Fri, 08 Apr 2016 15:10:22 +0200

jackson-databind (2.4.2-3) unstable; urgency=medium

  * Team upload.
  * Transition to Groovy 2

 -- Emmanuel Bourg  Fri, 20 Nov 2015 13:06:01 +0100

jackson-databind (2.4.2-2) unstable; urgency=medium

  * Team upload.
  * Build depend on libcglib3-java instead of libcglib-java
  * Standards-Version updated to 3.9.6 (no changes)
  * Removed the build dependency on libmaven-cobertura-plugin-java

 -- Emmanuel Bourg  Mon, 29 Sep 2014 16:30:49 +0200

jackson-databind (2.4.2-1) unstable; urgency=medium

  * Team upload.
  * New upstream release.
  * ignoreRules: Ignore replacer.
  * ignoreRules: Ignore release plugin.
  * control: Add libmaven-bundle-plugin to build-deps.
  * fix-using-bundle.diff: Use extensions with bundle plugin.
  * maven.{publishedR,r}ules: Fix version mangling.
  * control: Bump dependency on -core and -annotations.
  * properties: Set encoding to UTF-8.
  * control: Add libmaven-cobertura-plugin-java to build-depends.

 -- Timo Aaltonen  Wed, 24 Sep 2014 17:14:02 +0300

jackson-databind (2.2.2-2) unstable; urgency=low

  * Team upload.
  * Update Maven settings to use correct coordinates for Groovy 1.8.x.
    (Closes: #750267).
  * Bump Standards-Version to 3.9.5. No changes were required.

 -- Miguel Landaeta  Mon, 26 May 2014 14:53:06 -0300

jackson-databind (2.2.2-1) unstable; urgency=low

  * Initial release. (Closes: #720504)

 -- Wolodja Wentland  Thu, 22 Aug 2013 15:24:34 +0000