-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 02 Oct 2019 21:36:21 +0200
Source: jackson-databind
Binary: libjackson2-databind-java libjackson2-databind-java-doc
Architecture: source all
Version: 2.4.2-2+deb8u9
Distribution: jessie-security
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Description:
 libjackson2-databind-java - fast and powerful JSON library for Java -- data binding
 libjackson2-databind-java-doc - Documentation for jackson-databind
Changes:
 jackson-databind (2.4.2-2+deb8u9) jessie-security; urgency=high
 .
   * Non-maintainer upload by the LTS team.
   * Fix CVE-2019-14540, CVE-2019-16335, CVE-2019-16942 and CVE-2019-16943.
     Deserialization flaws were discovered in jackson-databind relating to
     com.zaxxer.hikari.HikariConfig, com.zaxxer.hikari.HikariDataSource,
     commons-dbcp and com.p6spy.engine.spy.P6DataSource, which could allow an
     unauthenticated user to perform remote code execution. The issue was
     resolved by extending the blacklist and blocking more classes from
     polymorphic deserialization.