Format: 1.8
Date: Sat, 18 May 2019 20:31:28 +0200
Source: jackson-databind
Architecture: source
Version: 2.9.8-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Closes: 929177
Changes:
 jackson-databind (2.9.8-2) unstable; urgency=medium
 .
   * Team upload.
   * Fix CVE-2019-12086: A Polymorphic Typing issue was discovered in
     jackson-databind. When Default Typing is enabled (either globally or for
     a specific property) for an externally exposed JSON endpoint, the service
     has the mysql-connector-java jar (8.0.14 or earlier) in the classpath,
     and an attacker can host a crafted MySQL server reachable by the victim,
     an attacker can send a crafted JSON message that allows them to read
     arbitrary local files on the server. This occurs because of missing
     com.mysql.cj.jdbc.admin.MiniAdmin validation. (Closes: #929177)
Checksums-Sha1:
 c13dc3920b11e340e9081f4c8df29cff6e911872 2679 jackson-databind_2.9.8-2.dsc
 8a50b57f35f4c0be11e86bfce69f165db7c5dce5 5216 jackson-databind_2.9.8-2.debian.tar.xz
 a9932dfc1be864be25c7cba97db94ac17dc2cb60 17509 jackson-databind_2.9.8-2_amd64.buildinfo
Checksums-Sha256:
 9278bb6b692204a40ad3883dac8b6824a74ea4d2424879bc06f1e58a005413c2 2679 jackson-databind_2.9.8-2.dsc
 f0a081e41a648b4a1758b104445138de7a4811a24a894cee225359ae15cfd4cf 5216 jackson-databind_2.9.8-2.debian.tar.xz
 701ac7a7394abf4b6ea06dc77a589251778aa13ff79e6df02f61691410da954f 17509 jackson-databind_2.9.8-2_amd64.buildinfo
Files:
 db750732df8f06d27c2c6593a2e4e7c8 2679 java optional jackson-databind_2.9.8-2.dsc
 8527c10639efc53df67d75d5d9c28a9f 5216 java optional jackson-databind_2.9.8-2.debian.tar.xz
 a7e1b5b95bb766498b794e907c63d3dd 17509 java optional jackson-databind_2.9.8-2_amd64.buildinfo