-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 19 May 2019 00:04:32 +0200
Source: jackson-databind
Binary: libjackson2-databind-java libjackson2-databind-java-doc
Architecture: source all
Version: 2.8.6-1+deb9u5
Distribution: stretch-security
Urgency: high
Maintainer: Debian Java Maintainers
Changed-By: Markus Koschany
Description:
 libjackson2-databind-java - fast and powerful JSON library for Java -- data binding
 libjackson2-databind-java-doc - Documentation for jackson-databind
Changes:
 jackson-databind (2.8.6-1+deb9u5) stretch-security; urgency=high
 .
   * Team upload.
   * Fix CVE-2018-11307, CVE-2018-12022, CVE-2018-12023, CVE-2018-14718,
     CVE-2018-14719, CVE-2018-14720, CVE-2018-14721, CVE-2018-19360,
     CVE-2018-19361, CVE-2018-19362 and CVE-2019-12086.
     Several deserialization flaws were discovered in jackson-databind which
     could allow an unauthenticated user to perform code execution. The issue
     was resolved by extending the blacklist and blocking more classes from
     polymorphic deserialization.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----