Format: 1.8
Date: Tue, 10 Dec 2019 17:15:09 +0100
Source: jackson-databind
Binary: libjackson2-databind-java libjackson2-databind-java-doc
Architecture: source all
Version: 2.4.2-2+deb8u10
Distribution: jessie-security
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Description:
 libjackson2-databind-java - fast and powerful JSON library for Java -- data binding
 libjackson2-databind-java-doc - Documentation for jackson-databind
Changes:
 jackson-databind (2.4.2-2+deb8u10) jessie-security; urgency=high
 .
   * Non-maintainer upload by the LTS team.
   * Fix CVE-2019-17267 and CVE-2019-17531.
     More deserialization flaws were discovered in jackson-databind relating to
     the classes in net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup
     and org.apache.log4j.receivers.db which could allow an unauthenticated
     user to perform remote code execution. The issue was resolved by extending
     the blacklist and blocking more classes from polymorphic deserialization.