Format: 1.8
Date: Sat, 22 Jun 2019 00:28:48 +0200
Source: jackson-databind
Architecture: source
Version: 2.9.8-3
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Closes: 930750
Changes:
 jackson-databind (2.9.8-3) unstable; urgency=medium
 .
   * Team upload.
   * Fix CVE-2019-12814 and CVE-2019-12384:
     More Polymorphic Typing issues were discovered in jackson-databind. When
     Default Typing is enabled (either globally or for a specific property) for
     an externally exposed JSON endpoint and the service has JDOM 1.x or 2.x or
     logback-core jar in the classpath, an attacker can send a specifically
     crafted JSON message that allows them to read arbitrary local files on the
     server. (Closes: #930750)
Checksums-Sha1:
 a74b7dbaa7c97126f29a8a594cdc82835f41d84c 2679 jackson-databind_2.9.8-3.dsc
 fca576cf5ece46791d38f5a04eee6c9e6507d823 5580 jackson-databind_2.9.8-3.debian.tar.xz
 6024e37037d977a4b511c4b59e7124ef098df15d 17597 jackson-databind_2.9.8-3_amd64.buildinfo
Checksums-Sha256:
 3c665283c212204ccc57dd4173f3387905f05382b08ebe9c2f32fccbce058f2f 2679 jackson-databind_2.9.8-3.dsc
 bf18b8579ec4eb3f4a38fbb27b719ea4598f507aa7be0ff2977dbb8feb05dac4 5580 jackson-databind_2.9.8-3.debian.tar.xz
 ecec131838c3a09a2881ab4b778284494d8b67321863ba4fe3472fe374563540 17597 jackson-databind_2.9.8-3_amd64.buildinfo
Files:
 46151556b971474c3cb2a4f4607d9571 2679 java optional jackson-databind_2.9.8-3.dsc
 ffe08ef14a4fe96ff617ad9e97c545ae 5580 java optional jackson-databind_2.9.8-3.debian.tar.xz
 a61fa98f99ed7e4565e9f46eccf61692 17597 java optional jackson-databind_2.9.8-3_amd64.buildinfo