jackson-databind (2.4.2-2+deb8u15) jessie-security; urgency=high

  * Non-maintainer upload by the LTS team.
  * Add patch to fix:
    - CVE-2020-14060: Block one more gadget type (apache-drill)
    - CVE-2020-14061: Block one more gadget type (weblogic/oracle-aqjms)
    - CVE-2020-14062: Block one more gadget type (xalan2)
    - CVE-2020-14195: Block one more gadget type (org.jsecurity)

 -- Utkarsh Gupta  Wed, 01 Jul 2020 15:28:40 +0530

jackson-databind (2.4.2-2+deb8u14) jessie-security; urgency=high

  * Non-maintainer upload by the LTS team.
  * Add patch to fix:
    - CVE-2020-10968: Block one more gadget type (bus-proxy)
    - CVE-2020-10969: Block one more gadget type (javax.swing)
    - CVE-2020-11111: Block one more gadget type (activemq)
    - CVE-2020-11112: Block one more gadget type (apache/commons-proxy)
    - CVE-2020-11113: Block one more gadget type (openjpa)
    - CVE-2020-11619: Block one more gadget type (spring-aop)
    - CVE-2020-11920: Block one more gadget type (commons-jelly)

 -- Utkarsh Gupta  Fri, 17 Apr 2020 18:16:25 +0530

jackson-databind (2.4.2-2+deb8u13) jessie-security; urgency=high

  * Non-maintainer upload by the LTS team.
  * Add patch to fix:
    - CVE-2020-10672: Block one more gadget type (aries.transaction.jms).
    - CVE-2020-10673: Block one more gadget type (caucho-quercus).

 -- Utkarsh Gupta  Sun, 22 Mar 2020 04:34:20 +0530

jackson-databind (2.4.2-2+deb8u12) jessie-security; urgency=high

  * Non-maintainer upload by the LTS team.
  * Add patch to fix:
    - CVE-2020-9546: Block one more gadget type (shaded-hikari-config).
    - CVE-2020-9547 & CVE-2020-9548: Block two more gadget types
      (ibatis-sqlmap, anteros-core).

 -- Utkarsh Gupta  Fri, 06 Mar 2020 01:39:43 +0530

jackson-databind (2.4.2-2+deb8u11) jessie-security; urgency=medium

  * Non-maintainer upload by the LTS team.
  * CVE-2019-20330, CVE-2020-8840: block more classes to prevent RCE attacks
    when deserializing objects from untrusted users.

 -- Emilio Pozuelo Monfort  Thu, 20 Feb 2020 11:53:00 +0100

jackson-databind (2.4.2-2+deb8u10) jessie-security; urgency=high

  * Non-maintainer upload by the LTS team.
  * Fix CVE-2019-17267 and CVE-2019-17531.
    More deserialization flaws were discovered in jackson-databind relating to
    the classes in net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup
    and org.apache.log4j.receivers.db which could allow an unauthenticated user
    to perform remote code execution. The issue was resolved by extending the
    blacklist and blocking more classes from polymorphic deserialization.

 -- Markus Koschany  Tue, 10 Dec 2019 17:15:09 +0100

jackson-databind (2.4.2-2+deb8u9) jessie-security; urgency=high

  * Non-maintainer upload by the LTS team.
  * Fix CVE-2019-14540, CVE-2019-16335, CVE-2019-16942 and CVE-2019-16943.
    Deserialization flaws were discovered in jackson-databind relating to
    com.zaxxer.hikari.HikariConfig, com.zaxxer.hikari.HikariDataSource,
    commons-dbcp and com.p6spy.engine.spy.P6DataSource, which could allow an
    unauthenticated user to perform remote code execution. The issue was
    resolved by extending the blacklist and blocking more classes from
    polymorphic deserialization.

 -- Markus Koschany  Wed, 02 Oct 2019 21:36:21 +0200

jackson-databind (2.4.2-2+deb8u8) jessie-security; urgency=high

  * Non-maintainer upload by the LTS team.
  * Fix CVE-2019-14379, CVE-2019-14439:
    Deserialization flaws were discovered in jackson-databind relating to
    EHCache and logback/jndi, which could allow an unauthenticated user to
    perform remote code execution. The issue was resolved by extending the
    blacklist and blocking more classes from polymorphic deserialization.
    (Closes: #933393)

 -- Roberto C. Sanchez  Mon, 12 Aug 2019 17:40:56 -0400

jackson-databind (2.4.2-2+deb8u7) jessie-security; urgency=high

  * Non-maintainer upload by the LTS team.
  * More Polymorphic Typing issues were discovered in jackson-databind.
    When Default Typing is enabled (either globally or for a specific
    property) for an externally exposed JSON endpoint and the service has
    JDOM 1.x or 2.x or logback-core jar in the classpath, an attacker can send
    a specifically crafted JSON message that allows them to read arbitrary
    local files on the server.

 -- Markus Koschany  Fri, 21 Jun 2019 14:16:32 +0200

jackson-databind (2.4.2-2+deb8u6) jessie-security; urgency=high

  * Non-maintainer upload by the LTS team.
  * Fix CVE-2019-12086:
    A Polymorphic Typing issue was discovered in jackson-databind. When Default
    Typing is enabled (either globally or for a specific property) for an
    externally exposed JSON endpoint, the service has the mysql-connector-java
    jar (8.0.14 or earlier) in the classpath, and an attacker can host a
    crafted MySQL server reachable by the victim, an attacker can send a
    crafted JSON message that allows them to read arbitrary local files on the
    server. This occurs because of missing com.mysql.cj.jdbc.admin.MiniAdmin
    validation.

 -- Markus Koschany  Mon, 20 May 2019 22:39:35 +0200

jackson-databind (2.4.2-2+deb8u5) jessie-security; urgency=high

  * Non-maintainer upload by the LTS team.
  * Fix CVE-2018-11307, CVE-2018-12022, CVE-2018-12023, CVE-2018-14718,
    CVE-2018-14719, CVE-2018-14720, CVE-2018-14721, CVE-2018-19360,
    CVE-2018-19361 and CVE-2018-19362.
    Several deserialization flaws were discovered in jackson-databind which
    could allow an unauthenticated user to perform code execution. The issue
    was resolved by extending the blacklist and blocking more classes from
    polymorphic deserialization.

 -- Markus Koschany  Mon, 04 Mar 2019 10:30:09 +0100

jackson-databind (2.4.2-2+deb8u4) jessie-security; urgency=high

  * Team upload.
  * Fix CVE-2018-7489: allows unauthenticated remote code execution because of
    an incomplete fix for the CVE-2017-7525 deserialization flaw.
    This is exploitable by sending maliciously crafted JSON input to the
    readValue method of the ObjectMapper, bypassing a blacklist that is
    ineffective if the c3p0 libraries are available in the classpath.
    (Closes: #891614)

 -- Markus Koschany  Tue, 01 May 2018 19:20:38 +0200

jackson-databind (2.4.2-2+deb8u3) jessie-security; urgency=high

  * Team upload.
  * Fix CVE-2017-17485 and CVE-2018-5968: Bypass of deserialization blacklist
    to disallow unauthenticated remote code execution. These CVEs exist due to
    an incomplete fix for CVE-2017-7525. (Closes: #888316, #888318)

 -- Markus Koschany  Sat, 27 Jan 2018 19:37:47 +0100

jackson-databind (2.4.2-2+deb8u2) jessie-security; urgency=high

  * Team upload.
  * CVE-2017-15095: incomplete fixes for CVE-2017-7525

 -- Sebastien Delafond  Thu, 16 Nov 2017 09:13:27 +0100

jackson-databind (2.4.2-2+deb8u1) jessie-security; urgency=high

  * Team upload.
  * Fix CVE-2017-7525: Deserialization vulnerability via readValue method of
    ObjectMapper. (Closes: #870848)

 -- Markus Koschany  Thu, 19 Oct 2017 01:44:42 +0200

jackson-databind (2.4.2-2) unstable; urgency=medium

  * Team upload.
  * Build depend on libcglib3-java instead of libcglib-java
  * Standards-Version updated to 3.9.6 (no changes)
  * Removed the build dependency on libmaven-cobertura-plugin-java

 -- Emmanuel Bourg  Mon, 29 Sep 2014 16:30:49 +0200

jackson-databind (2.4.2-1) unstable; urgency=medium

  * Team upload.
  * New upstream release.
  * ignoreRules: Ignore replacer.
  * ignoreRules: Ignore release plugin.
  * control: Add libmaven-bundle-plugin to build-deps.
  * fix-using-bundle.diff: Use extensions with bundle plugin.
  * maven.{publishedR,r}ules: Fix version mangling.
  * control: Bump dependency on -core and -annotations.
  * properties: Set encoding to UTF-8.
  * control: Add libmaven-cobertura-plugin-java to build-depends.

 -- Timo Aaltonen  Wed, 24 Sep 2014 17:14:02 +0300

jackson-databind (2.2.2-2) unstable; urgency=low

  * Team upload.
  * Update Maven settings to use correct coordinates for Groovy 1.8.x.
    (Closes: #750267).
  * Bump Standards-Version to 3.9.5. No changes were required.

 -- Miguel Landaeta  Mon, 26 May 2014 14:53:06 -0300

jackson-databind (2.2.2-1) unstable; urgency=low

  * Initial release. (Closes: #720504)

 -- Wolodja Wentland  Thu, 22 Aug 2013 15:24:34 +0000
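The security entries above all patch the same root cause: with Default Typing enabled, the JSON document names the class that ObjectMapper.readValue instantiates, and the upstream fix for each CVE is to add one more known gadget class to a blacklist. The example below is added here as an illustration and is not code from the jackson-databind project or from the Debian package. It assumes jackson-databind 2.10 or later on the classpath (BasicPolymorphicTypeValidator and activateDefaultTyping do not exist in the 2.4.2 release packaged for jessie); SideEffectBean is a constructed, harmless stand-in for a gadget class, the JSON is constructed attacker input, and com.example.model is a hypothetical package name for the application's own types. It shows the blacklist-only configuration accepting a class the blacklist has never heard of, and the same input being rejected by an allowlist validator.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

// Added example, not part of the jackson-databind project or the Debian package.
public class DefaultTypingDemo {

    // A bean with an Object-typed field. With default typing active, the JSON
    // (not the code) chooses the concrete class instantiated for 'payload'.
    public static class Envelope {
        public Object payload;
    }

    // Constructed stand-in for a gadget class: a public bean with a no-arg
    // constructor and a setter that runs when Jackson populates the property.
    // The real gadgets named in the changelog do far worse in the same place,
    // e.g. open a JNDI or JDBC connection to an attacker-chosen address.
    public static class SideEffectBean {
        public String target;
        public void setTarget(String target) {
            this.target = target;
            System.out.println("SideEffectBean configured with attacker-chosen value: " + target);
        }
    }

    // Constructed attacker input. Default typing's WRAPPER_ARRAY inclusion encodes a
    // polymorphic value as ["fully.qualified.Class", {...}]; the attacker simply
    // names whichever class on the classpath has a useful side effect.
    static final String UNTRUSTED_JSON = "{\"payload\":[\""
            + SideEffectBean.class.getName() + "\",{\"target\":\"attacker-controlled\"}]}";

    // Pre-2.10 style: default typing with nothing but the built-in SubTypeValidator
    // blacklist between the type id and Class.forName(). Any class not yet on that
    // list is accepted, which is why every entry above is "block one more gadget type".
    @SuppressWarnings("deprecation")
    static String blacklistOnly(String json) throws Exception {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(); // DefaultTyping.OBJECT_AND_NON_CONCRETE
        Envelope env = mapper.readValue(json, Envelope.class);
        return env.payload.getClass().getName();
    }

    // 2.10+ style: default typing is only activated together with an allowlist
    // PolymorphicTypeValidator. A type id outside the allowed package prefix is
    // rejected before any instance is created, so unknown gadgets are blocked too.
    static String allowlist(String json) throws Exception {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.model.") // hypothetical package of our own types
                .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE);
        try {
            Envelope env = mapper.readValue(json, Envelope.class);
            return "accepted " + env.payload.getClass().getName();
        } catch (InvalidTypeIdException e) {
            return "rejected type id " + e.getTypeId();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("blacklist only: instantiated " + blacklistOnly(UNTRUSTED_JSON));
        System.out.println("allowlist PTV:  " + allowlist(UNTRUSTED_JSON));
    }
}
```

The first call prints the SideEffectBean message and returns its class name: the blacklist never matched, so the setter ran with attacker-controlled data. The second call returns "rejected type id ..." because the validator only admits subtypes under the configured prefix. For the 2.4.2 package tracked in this changelog no allowlist API exists, so the practical advice is to not enable Default Typing on any endpoint that receives untrusted JSON and to audit the classpath for the gadget jars each entry names.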