jackson-databind (2.8.6-1+deb9u5) stretch-security; urgency=high

  * Team upload.
  * Fix CVE-2018-11307, CVE-2018-12022, CVE-2018-12023, CVE-2018-14718,
    CVE-2018-14719, CVE-2018-14720, CVE-2018-14721, CVE-2018-19360,
    CVE-2018-19361 and CVE-2018-19362.
    Several deserialization flaws were discovered in jackson-databind which
    could allow an unauthenticated user to perform code execution. The issue
    was resolved by extending the blacklist and blocking more classes from
    polymorphic deserialization.