[Git][java-team/jackson-databind][stretch] Update changelog

Markus Koschany gitlab at salsa.debian.org
Thu Jul 9 16:38:32 BST 2020 


Markus Koschany pushed to branch stretch at Debian Java Maintainers / jackson-databind


Commits:
48d7dab2 by Markus Koschany at 2020-07-09T17:37:51+02:00
Update changelog

- - - - -


2 changed files:

- debian/changelog
- debian/patches/multiple-CVE-BeanDeserializerFactory.patch


Changes:

=====================================
debian/changelog
=====================================
@@ -2,11 +2,12 @@ jackson-databind (2.8.6-1+deb9u7) stretch; urgency=medium
 
   * Add multiple-CVE-BeanDeserializerFactory.patch and block more classes from
     polymorphic deserialization.
-    This fixes 17 CVE that currently affect the package namely,
+    This fixes 20 CVE that currently affect the package namely,
     CVE-2020-9548, CVE-2020-9547, CVE-2020-9546, CVE-2020-8840, CVE-2020-14195,
     CVE-2020-14062, CVE-2020-14061, CVE-2020-14060, CVE-2020-11620,
     CVE-2020-11619, CVE-2020-11113, CVE-2020-11112, CVE-2020-11111,
-    CVE-2020-10969, CVE-2020-10968, CVE-2020-10673, CVE-2020-10672.
+    CVE-2020-10969, CVE-2020-10968, CVE-2020-10673, CVE-2020-10672,
+    CVE-2019-20330, CVE-2019-17531 and CVE-2019-17267.
 
  -- Markus Koschany <apo at debian.org>  Thu, 09 Jul 2020 16:42:01 +0200
 


=====================================
debian/patches/multiple-CVE-BeanDeserializerFactory.patch
=====================================
@@ -6,7 +6,8 @@ This is the fix for
 CVE-2020-9548, CVE-2020-9547, CVE-2020-9546, CVE-2020-8840, CVE-2020-14195,
 CVE-2020-14062, CVE-2020-14061, CVE-2020-14060, CVE-2020-11620, CVE-2020-11619,
 CVE-2020-11113, CVE-2020-11112, CVE-2020-11111, CVE-2020-10969, CVE-2020-10968,
-CVE-2020-10673, CVE-2020-10672
+CVE-2020-10673, CVE-2020-10672, CVE-2019-20330, CVE-2019-17531 and
+CVE-2019-17267.
 ---
  .../databind/deser/BeanDeserializerFactory.java    | 109 ++++++++++++++++++---
  1 file changed, 96 insertions(+), 13 deletions(-)



View it on GitLab: https://salsa.debian.org/java-team/jackson-databind/-/commit/48d7dab2f85d8dcf9734521982601e2711913750

-- 
View it on GitLab: https://salsa.debian.org/java-team/jackson-databind/-/commit/48d7dab2f85d8dcf9734521982601e2711913750
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/pkg-java-commits/attachments/20200709/bf991a53/attachment.html>

More information about the pkg-java-commits mailing list