[ubuntu/artful-security] jackson-databind 2.8.6-1+deb9u4build0.17.10.1 (Accepted)

Steve Beattie sbeattie at ubuntu.com
Fri May 4 07:00:27 UTC 2018

jackson-databind (2.8.6-1+deb9u4build0.17.10.1) artful-security; urgency=medium

  * fake sync from Debian

jackson-databind (2.8.6-1+deb9u4) stretch-security; urgency=high

  * Team upload.
  * Fix CVE-2018-7489: allows unauthenticated remote code execution because of
    an incomplete fix for the CVE-2017-7525 deserialization flaw. This is
    exploitable by sending maliciously crafted JSON input to the readValue
    method of the ObjectMapper, bypassing a blacklist that is ineffective if
    the c3p0 libraries are available in the classpath. (Closes: #891614)

Date: 2018-05-04 06:40:17.785898+00:00
Changed-By: Steve Beattie <sbeattie at ubuntu.com>
Maintainer: Debian Java Maintainers <pkg-java-maintainers at lists.alioth.debian.org>
-------------- next part --------------
Sorry, changesfile not available.

More information about the Artful-changes mailing list