
Accepted jackson-databind 2.4.2-2+deb8u6 (source all) into oldstable



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Mon, 20 May 2019 22:39:35 +0200
Source: jackson-databind
Binary: libjackson2-databind-java libjackson2-databind-java-doc
Architecture: source all
Version: 2.4.2-2+deb8u6
Distribution: jessie-security
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Description:
 libjackson2-databind-java - fast and powerful JSON library for Java -- data binding
 libjackson2-databind-java-doc - Documentation for jackson-databind
Changes:
 jackson-databind (2.4.2-2+deb8u6) jessie-security; urgency=high
 .
   * Non-maintainer upload by the LTS team.
   * Fix CVE-2019-12086:
     A Polymorphic Typing issue was discovered in jackson-databind.
     When Default Typing is enabled (either globally or for a specific property)
     for an externally exposed JSON endpoint, the service has the
     mysql-connector-java jar (8.0.14 or earlier) in the classpath, and an
     attacker can host a crafted MySQL server reachable by the victim, an
     attacker can send a crafted JSON message that allows them to read arbitrary
     local files on the server. This occurs because of missing
     com.mysql.cj.jdbc.admin.MiniAdmin validation.

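A detection-side illustration of the condition described in the changelog above, added here as an example; it is not part of the Debian upload or of jackson-databind. It walks a JSON request body and reports where the class named in the changelog appears as a Jackson polymorphic type id. The function names, the `@class` property name (Jackson's default for class-name type ids, configurable per application) and the sample bodies are assumptions constructed for this example.

```python
import json

# Class named in the changelog entry for CVE-2019-12086.
DENIED_TYPE_IDS = {"com.mysql.cj.jdbc.admin.MiniAdmin"}
# Assumption: the application uses Jackson's default property name for class ids.
TYPE_ID_PROPERTY = "@class"


def find_denied_type_ids(node, path="$"):
    """Return [(json_path, type_id)] for each denied type id in a parsed document."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            # Type id carried as a property: {"@class": "<type id>", ...}
            if key == TYPE_ID_PROPERTY and isinstance(value, str) and value in DENIED_TYPE_IDS:
                hits.append((child, value))
            # Type id carried as a wrapper object: {"<type id>": <value>}
            if key in DENIED_TYPE_IDS:
                hits.append((child, key))
            hits.extend(find_denied_type_ids(value, child))
    elif isinstance(node, list):
        # Type id carried as a wrapper array: ["<type id>", <value>]
        if len(node) == 2 and isinstance(node[0], str) and node[0] in DENIED_TYPE_IDS:
            hits.append((f"{path}[0]", node[0]))
        for index, item in enumerate(node):
            hits.extend(find_denied_type_ids(item, f"{path}[{index}]"))
    return hits


def scan_body(raw):
    """Scan one request body; bodies that are not valid JSON yield no hits."""
    try:
        return find_denied_type_ids(json.loads(raw))
    except ValueError:
        return []


# Constructed sample bodies (values are placeholders, not real traffic).
SAMPLES = [
    '{"user": "alice", "prefs": ["java.util.ArrayList", [1, 2]]}',
    '{"user": "bob", "prefs": ["com.mysql.cj.jdbc.admin.MiniAdmin", "PLACEHOLDER"]}',
    '{"item": {"@class": "com.mysql.cj.jdbc.admin.MiniAdmin"}}',
    "not json at all",
]

if __name__ == "__main__":
    for body in SAMPLES:
        print(scan_body(body), "<-", body)
```

A hit only shows that the type id was sent; whether it is acted on depends on Default Typing being enabled and on the installed jackson-databind version.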