[Git][java-team/jackson-databind][master] 4 commits: Add CVE-2025-52999.patch

Markus Koschany (@apo) gitlab at salsa.debian.org
Sat Jun 6 13:31:37 BST 2026 


Markus Koschany pushed to branch master at Debian Java Maintainers / jackson-databind


Commits:
4dfcebb0 by Markus Koschany at 2026-06-06T14:05:15+02:00
Add CVE-2025-52999.patch

- - - - -
3e4d3ce5 by Markus Koschany at 2026-06-06T14:06:31+02:00
Fix FBTFS

Closes: #1135410

- - - - -
da1b34d4 by Markus Koschany at 2026-06-06T14:08:31+02:00
Update changelog

- - - - -
7878b04e by Markus Koschany at 2026-06-06T14:20:30+02:00
Catch more IOExceptions.

- - - - -


3 changed files:

- debian/changelog
- + debian/patches/CVE-2025-52999.patch
- debian/patches/series


Changes:

=====================================
debian/changelog
=====================================
@@ -1,3 +1,25 @@
+jackson-databind (2.14.0+ds-2) unstable; urgency=medium
+
+  [ Otto Kekäläinen ]
+  * Enable Salsa CI to help avoid testable regressions before upload to Debian
+  * Fix broken Homepage link and add current upstream metadata.  The site
+    wiki.fasterxml.com no longer exists. Replace it with link to the current
+    wiki location. Also add a metadata file following DEP-12, so it is easier
+    for both maintainers to find the correct upstream websites, as well as for
+    `git-buildpackage --add-upstreamvcs` feature to work.
+  * Define Debian packaging repository conventions in gbp.conf.
+    Add a git-buildpackage config file to show explicitly what conventions this
+    Debian source package repository uses. This way it is easier for current
+    maintainer to do e.g. new upstream version imports, as there are less
+    arguments that need to be passed to `gbp` commands, and also for any future
+    maintainer/contributor there is less guesswork.
+
+  [ Markus Koschany ]
+  * Add CVE-2025-52999.patch and fix a FBTFS due to changes in jackson-core.
+    (Closes: #1135410)
+
+ -- Markus Koschany <apo at debian.org>  Sat, 06 Jun 2026 14:07:23 +0200
+
 jackson-databind (2.14.0+ds-1) unstable; urgency=medium
 
   * Team upload.


=====================================
debian/patches/CVE-2025-52999.patch
=====================================
@@ -0,0 +1,39 @@
+From: Markus Koschany <apo at debian.org>
+Date: Sat, 6 Jun 2026 14:04:23 +0200
+Subject: CVE-2025-52999
+
+Related to CVE-2025-52999.patch in jackson-core. Fixes a FTBFS.
+
+Bug-Debian: https://bugs.debian.org/1135410
+Forwarded: not-needed
+---
+ src/main/java/com/fasterxml/jackson/databind/ObjectMapper.java | 2 +-
+ src/main/java/com/fasterxml/jackson/databind/ObjectWriter.java | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/main/java/com/fasterxml/jackson/databind/ObjectMapper.java b/src/main/java/com/fasterxml/jackson/databind/ObjectMapper.java
+index d16d83a..87a07ab 100644
+--- a/src/main/java/com/fasterxml/jackson/databind/ObjectMapper.java
++++ b/src/main/java/com/fasterxml/jackson/databind/ObjectMapper.java
+@@ -3861,7 +3861,7 @@ public class ObjectMapper
+      * Note: prior to version 2.1, throws clause included {@link IOException}; 2.1 removed it.
+      */
+     public String writeValueAsString(Object value)
+-        throws JsonProcessingException
++        throws JsonProcessingException, IOException
+     {
+         // alas, we have to pull the recycler directly here...
+         SegmentedStringWriter sw = new SegmentedStringWriter(_jsonFactory._getBufferRecycler());
+diff --git a/src/main/java/com/fasterxml/jackson/databind/ObjectWriter.java b/src/main/java/com/fasterxml/jackson/databind/ObjectWriter.java
+index 744d17f..890b855 100644
+--- a/src/main/java/com/fasterxml/jackson/databind/ObjectWriter.java
++++ b/src/main/java/com/fasterxml/jackson/databind/ObjectWriter.java
+@@ -1132,7 +1132,7 @@ public class ObjectWriter
+      * Note: prior to version 2.1, throws clause included {@link IOException}; 2.1 removed it.
+      */
+     public String writeValueAsString(Object value)
+-        throws JsonProcessingException
++        throws JsonProcessingException, IOException
+     {        
+         // alas, we have to pull the recycler directly here...
+         SegmentedStringWriter sw = new SegmentedStringWriter(_generatorFactory._getBufferRecycler());


=====================================
debian/patches/series
=====================================
@@ -1,2 +1,3 @@
 base-pom.patch
 set-java-baseline.patch
+CVE-2025-52999.patch



View it on GitLab: https://salsa.debian.org/java-team/jackson-databind/-/compare/4d1e35b448da6e375fa5728ac702177210a5ffec...7878b04ee66484663b586178fb46904bebed4635

-- 
View it on GitLab: https://salsa.debian.org/java-team/jackson-databind/-/compare/4d1e35b448da6e375fa5728ac702177210a5ffec...7878b04ee66484663b586178fb46904bebed4635
You're receiving this email because of your account on salsa.debian.org. Manage all notifications: https://salsa.debian.org/-/profile/notifications | Help: https://salsa.debian.org/help


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/pkg-java-commits/attachments/20260606/878754ad/attachment.htm>

More information about the pkg-java-commits mailing list