49053a29c26056c7d323f2aff096502e92f79406 to a64fd489746621272a4c9bbd2f969a4f73fd242b · Debian Java Maintainers / jackson-databind

Commits on Source 2

Import Debian changes 2.4.2-2+deb8u8 · 16013628

Roberto C. Sánchez authored Aug 12, 2019 and

Markus Koschany committed Oct 05, 2019

jackson-databind (2.4.2-2+deb8u8) jessie-security; urgency=high

  * Non-maintainer upload by the LTS team.
  * Fix CVE-2019-14379, CVE-2019-14439:
    Deserialization flaws were discovered in jackson-databind relating to
    EHCache and logback/jndi, which could allow an unauthenticated user to
    perform remote code execution.  The issue was resolved by extending the
    blacklist and blocking more classes from polymorphic deserialization.
    (Closes: #933393)

16013628

Import Debian changes 2.4.2-2+deb8u9 · a64fd489

Markus Koschany authored Oct 02, 2019

jackson-databind (2.4.2-2+deb8u9) jessie-security; urgency=high

  * Non-maintainer upload by the LTS team.
  * Fix CVE-2019-14540, CVE-2019-16335, CVE-2019-16942 and CVE-2019-16943.
    Deserialization flaws were discovered in jackson-databind relating to
    com.zaxxer.hikari.HikariConfig, com.zaxxer.hikari.HikariDataSource,
    commons-dbcp and com.p6spy.engine.spy.P6DataSource, which could allow an
    unauthenticated user to perform remote code execution. The issue was
    resolved by extending the blacklist and blocking more classes from
    polymorphic deserialization.

a64fd489