-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 27 Nov 2022 19:01:36 CET
Source: jackson-databind
Architecture: source
Version: 2.9.8-3+deb10u4
Distribution: buster-security
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Checksums-Sha1:
 d43ae0efba911bbc88f706286d278c7a9f7de6e5 2714 jackson-databind_2.9.8-3+deb10u4.dsc
 53c0a3f176d399947956ce8cba5ba5bde4305e4f 14092 jackson-databind_2.9.8-3+deb10u4.debian.tar.xz
 73ef03dfef980cb9a397d0aa91d8424c36235473 17351 jackson-databind_2.9.8-3+deb10u4_amd64.buildinfo
Checksums-Sha256:
 18f341fee2e63ba4e06261dd352a5d54fdcf405b1f322ba87e38fe62c644b12c 2714 jackson-databind_2.9.8-3+deb10u4.dsc
 1ae1a33b2a80e4374368ce888136ae16a3103898de24243e902cf49dc07565c7 14092 jackson-databind_2.9.8-3+deb10u4.debian.tar.xz
 09f1d9a1f5b78b60d267931095170b079eff5a09a5f868dc5f452c70889dafee 17351 jackson-databind_2.9.8-3+deb10u4_amd64.buildinfo
Changes:
 jackson-databind (2.9.8-3+deb10u4) buster-security; urgency=high
 .
   * Team upload.
   * Fix CVE-2022-42003:
     In FasterXML jackson-databind resource exhaustion can occur because of a
     lack of a check in primitive value deserializers to avoid deep wrapper
     array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled.
   * Fix CVE-2022-42004:
     In FasterXML jackson-databind resource exhaustion can occur because of a
     lack of a check in BeanDeserializerBase.deserializeFromArray to prevent
     use of deeply nested arrays. An application is vulnerable only with
     certain customized choices for deserialization.
   * Fix CVE-2020-36518:
     Java StackOverflow exception and denial of service via a large depth of
     nested objects.
Files:
 28bed2f88a2dcc91ddd3ea7ae5c55348 2714 java optional jackson-databind_2.9.8-3+deb10u4.dsc
 7167fa0f66c8732fd2b1ebc1627cce17 14092 java optional jackson-databind_2.9.8-3+deb10u4.debian.tar.xz
 c0f442c7bb498fa8f905d7ee1de71a5a 17351 java optional jackson-databind_2.9.8-3+deb10u4_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
[signature data removed]
-----END PGP SIGNATURE-----