jackson-core - Debian Package Tracker

general

source: jackson-core (main)
version: 2.14.1-1
maintainer: Debian Java Maintainers (archive) (DMD)
uploaders: Mechtilde Stehmann [DMD] – Markus Koschany [DMD]
arch: all
std-ver: 4.6.2
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 2.12.1-1
oldstable: 2.14.1-1
stable: 2.14.1-1
testing: 2.14.1-1
unstable: 2.14.1-1

versioned links

2.12.1-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
2.14.1-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

libjackson2-core-java

action needed

A new upstream version is available: 2.20.0 high

A new upstream version 2.20.0 is available, you should consider packaging it.

Created: 2023-01-29 Last update: 2025-09-12 23:00

1 security issue in trixie high

There is 1 open security issue in trixie.

1 important issue:

CVE-2025-52999: jackson-core contains core low-level incremental ("streaming") parser and generator abstractions used by Jackson Data Processor. In versions prior to 2.15.0, if a user parses an input file and it has deeply nested data, Jackson could end up throwing a StackoverflowError if the depth is particularly large. jackson-core 2.15.0 contains a configurable limit for how deep Jackson will traverse in an input document, defaulting to an allowable depth of 1000. jackson-core will throw a StreamConstraintsException if the limit is reached. jackson-databind also benefits from this change because it uses jackson-core to parse JSON inputs. As a workaround, users should avoid parsing input files from untrusted sources.

Created: 2025-06-26 Last update: 2025-08-10 06:32

1 security issue in sid high

There is 1 open security issue in sid.

1 important issue:

CVE-2025-52999: jackson-core contains core low-level incremental ("streaming") parser and generator abstractions used by Jackson Data Processor. In versions prior to 2.15.0, if a user parses an input file and it has deeply nested data, Jackson could end up throwing a StackoverflowError if the depth is particularly large. jackson-core 2.15.0 contains a configurable limit for how deep Jackson will traverse in an input document, defaulting to an allowable depth of 1000. jackson-core will throw a StreamConstraintsException if the limit is reached. jackson-databind also benefits from this change because it uses jackson-core to parse JSON inputs. As a workaround, users should avoid parsing input files from untrusted sources.

Created: 2025-06-26 Last update: 2025-08-10 06:32

1 security issue in forky high

There is 1 open security issue in forky.

1 important issue:

CVE-2025-52999: jackson-core contains core low-level incremental ("streaming") parser and generator abstractions used by Jackson Data Processor. In versions prior to 2.15.0, if a user parses an input file and it has deeply nested data, Jackson could end up throwing a StackoverflowError if the depth is particularly large. jackson-core 2.15.0 contains a configurable limit for how deep Jackson will traverse in an input document, defaulting to an allowable depth of 1000. jackson-core will throw a StreamConstraintsException if the limit is reached. jackson-databind also benefits from this change because it uses jackson-core to parse JSON inputs. As a workaround, users should avoid parsing input files from untrusted sources.

Created: 2025-08-09 Last update: 2025-08-10 06:32

2 security issues in bullseye high

There are 2 open security issues in bullseye.

1 important issue:

CVE-2025-52999: jackson-core contains core low-level incremental ("streaming") parser and generator abstractions used by Jackson Data Processor. In versions prior to 2.15.0, if a user parses an input file and it has deeply nested data, Jackson could end up throwing a StackoverflowError if the depth is particularly large. jackson-core 2.15.0 contains a configurable limit for how deep Jackson will traverse in an input document, defaulting to an allowable depth of 1000. jackson-core will throw a StreamConstraintsException if the limit is reached. jackson-databind also benefits from this change because it uses jackson-core to parse JSON inputs. As a workaround, users should avoid parsing input files from untrusted sources.

1 issue postponed or untriaged:

CVE-2025-49128: (postponed; to be fixed through a stable update) Jackson-core contains core low-level incremental ("streaming") parser and generator abstractions used by Jackson Data Processor. Starting in version 2.0.0 and prior to version 2.13.0, a flaw in jackson-core's `JsonLocation._appendSourceDesc` method allows up to 500 bytes of unintended memory content to be included in exception messages. When parsing JSON from a byte array with an offset and length, the exception message incorrectly reads from the beginning of the array instead of the logical payload start. This results in possible information disclosure in systems using pooled or reused buffers, like Netty or Vert.x. This issue was silently fixed in jackson-core version 2.13.0, released on September 30, 2021, via PR #652. All users should upgrade to version 2.13.0 or later. If upgrading is not immediately possible, applications can mitigate the issue by disabling exception message exposure to clients to avoid returning parsing exception messages in HTTP responses and/or disabling source inclusion in exceptions to prevent Jackson from embedding any source content in exception messages, avoiding leakage.

Created: 2025-06-26 Last update: 2025-08-10 06:32

1 security issue in bookworm high

There is 1 open security issue in bookworm.

1 important issue:

CVE-2025-52999: jackson-core contains core low-level incremental ("streaming") parser and generator abstractions used by Jackson Data Processor. In versions prior to 2.15.0, if a user parses an input file and it has deeply nested data, Jackson could end up throwing a StackoverflowError if the depth is particularly large. jackson-core 2.15.0 contains a configurable limit for how deep Jackson will traverse in an input document, defaulting to an allowable depth of 1000. jackson-core will throw a StreamConstraintsException if the limit is reached. jackson-databind also benefits from this change because it uses jackson-core to parse JSON inputs. As a workaround, users should avoid parsing input files from untrusted sources.

Created: 2025-06-26 Last update: 2025-08-10 06:32

Multiarch hinter reports 1 issue(s) normal

There are issues with the multiarch metadata for this package.

libjackson2-core-java could be marked Multi-Arch: foreign

Created: 2016-09-14 Last update: 2025-09-12 22:34

5 open merge requests in Salsa normal

There are 5 open merge requests for this package on Salsa. You should consider reviewing and/or merging these merge requests.

Created: 2025-08-19 Last update: 2025-09-07 19:37

2 new commits since last upload, is it time to release? normal

vcswatch reports that this package seems to have new commits in its VCS but has not yet updated debian/changelog. You should consider updating the Debian changelog and uploading this new version into the archive.

Here are the relevant commit logs:

commit c0588686604c2ce3846ba94031df6d199075ff54
Merge: c0c3124 fdcd2f8
Author: Alexandre Detiste <alexandre.detiste@gmail.com>
Date:   Sun Sep 7 21:26:36 2025 +0200

    Merge branch 'multiarch-fixes' into 'master'
    
    Apply multi-arch hints
    
    See merge request java-team/jackson-core!1

commit fdcd2f84ff6d1bba9a5bf7bdd5de779c60a45c31
Author: Janitor <jelmer+janitor@jelmer.uk>
Date:   Sun Sep 7 19:26:36 2025 +0000

    Apply multi-arch hints

Created: 2025-09-07 Last update: 2025-09-07 19:37

lintian reports 1 warning normal

Lintian reports 1 warning about this package. You should make the package lintian clean getting rid of them.

Created: 2022-12-20 Last update: 2023-02-02 01:04

debian/patches: 1 patch to forward upstream low

Among the 2 debian patches available in version 2.14.1-1 of the package, we noticed the following issues:

1 patch where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.

Created: 2023-02-26 Last update: 2023-02-26 15:54

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.7.2 instead of 4.6.2).

Created: 2024-04-07 Last update: 2025-02-27 13:24

news

[rss feed]

[2022-12-25] jackson-core 2.14.1-1 MIGRATED to testing (Debian testing watch)
[2022-12-19] Accepted jackson-core 2.14.1-1 (source) into unstable (Emmanuel Bourg)
[2022-11-17] jackson-core 2.14.0-2 MIGRATED to testing (Debian testing watch)
[2022-11-12] Accepted jackson-core 2.14.0-2 (source) into unstable (Markus Koschany)
[2022-11-12] Accepted jackson-core 2.14.0-1 (source) into unstable (Markus Koschany)
[2021-11-09] jackson-core 2.13.0-2 MIGRATED to testing (Debian testing watch)
[2021-11-04] Accepted jackson-core 2.13.0-2 (source) into unstable (Markus Koschany)
[2021-10-22] Accepted jackson-core 2.13.0-1 (source) into unstable (Markus Koschany)
[2021-01-22] jackson-core 2.12.1-1 MIGRATED to testing (Debian testing watch)
[2021-01-16] Accepted jackson-core 2.12.1-1 (source) into unstable (Emmanuel Bourg)
[2020-12-31] jackson-core 2.12.0-1 MIGRATED to testing (Debian testing watch)
[2020-12-26] Accepted jackson-core 2.12.0-1 (source) into unstable (Mechtilde Stehmann)
[2020-11-13] jackson-core 2.11.3-1 MIGRATED to testing (Debian testing watch)
[2020-11-08] Accepted jackson-core 2.11.3-1 (source) into unstable (Mechtilde Stehmann)
[2020-03-13] jackson-core 2.10.3-1 MIGRATED to testing (Debian testing watch)
[2020-03-08] Accepted jackson-core 2.10.3-1 (source) into unstable (Mechtilde Stehmann)
[2019-12-29] jackson-core 2.10.1-1 MIGRATED to testing (Debian testing watch)
[2019-12-23] Accepted jackson-core 2.10.1-1 (source) into unstable (Mechtilde Stehmann)
[2019-10-04] jackson-core 2.10.0-1 MIGRATED to testing (Debian testing watch)
[2019-09-28] Accepted jackson-core 2.10.0-1 (source) into unstable (Mechtilde Stehmann)
[2019-09-15] Accepted jackson-core 2.9.9-1 (source all) into unstable (Mechtilde Stehmann)
[2019-01-04] jackson-core 2.9.8-3 MIGRATED to testing (Debian testing watch)
[2018-12-29] Accepted jackson-core 2.9.8-3 (source) into unstable (Emmanuel Bourg)
[2018-12-29] Accepted jackson-core 2.9.8-2 (source) into unstable (Emmanuel Bourg)
[2018-12-28] Accepted jackson-core 2.9.8-1 (source) into unstable (Emmanuel Bourg)
[2018-01-31] jackson-core 2.9.4-1 MIGRATED to testing (Debian testing watch)
[2018-01-25] Accepted jackson-core 2.9.4-1 (source) into unstable (Markus Koschany)
[2017-10-17] jackson-core 2.9.1-1 MIGRATED to testing (Debian testing watch)
[2017-10-11] Accepted jackson-core 2.9.1-1 (source) into unstable (Markus Koschany)
[2017-01-26] jackson-core 2.8.6-1 MIGRATED to testing (Debian testing watch)

bugs [bug history graph]

all: 1
RC: 0
I&N: 1
M&W: 0
F&P: 0
patch: 0

links

homepage
lintian (0, 1)
buildd: logs, reproducibility
popcon
browse source code
edit tags
other distros
security tracker
debian patches

ubuntu

[Information about Ubuntu for Debian Developers]

version: 2.14.1-1