[Git][java-team/jackson-databind][bullseye] 5 commits: Fix FTBFS with jackson-core
Markus Koschany (@apo)
gitlab at salsa.debian.org
Mon Jun 8 11:11:32 BST 2026
Markus Koschany pushed to branch bullseye at Debian Java Maintainers / jackson-databind
Commits:
f2dc75e6 by Markus Koschany at 2026-06-08T08:41:43+02:00
Fix FTBFS with jackson-core
- - - - -
67246b14 by Markus Koschany at 2026-06-08T08:42:31+02:00
Update changelog
- - - - -
7c8722a1 by Markus Koschany at 2026-06-08T08:46:36+02:00
Refresh all patches
- - - - -
43c05771 by Markus Koschany at 2026-06-08T08:54:15+02:00
Update base-pom.patch
- - - - -
c344e49a by Markus Koschany at 2026-06-08T10:32:15+02:00
No longer depend on jackson-core doc package
Tighten B-D on jackson-core
- - - - -
8 changed files:
- debian/changelog
- debian/control
- debian/patches/CVE-2020-36518.patch
- debian/patches/CVE-2022-42003.patch
- debian/patches/CVE-2022-42004.patch
- + debian/patches/CVE-2025-52999.patch
- debian/patches/base-pom.patch
- debian/patches/series
Changes:
=====================================
debian/changelog
=====================================
@@ -1,3 +1,10 @@
+jackson-databind (2.12.1-1+deb11u2) bullseye-security; urgency=medium
+
+ * Team upload.
+ * Fix FTBFS with jackson-core.
+
+ -- Markus Koschany <apo at debian.org> Mon, 08 Jun 2026 08:42:15 +0200
+
jackson-databind (2.12.1-1+deb11u1) bullseye-security; urgency=high
* Team upload.
=====================================
debian/control
=====================================
@@ -14,8 +14,7 @@ Build-Depends:
libbuild-helper-maven-plugin-java,
libjackson2-annotations-java (>= 2.12.1),
libjackson2-annotations-java-doc,
- libjackson2-core-java (>= 2.9.8-3~),
- libjackson2-core-java-doc,
+ libjackson2-core-java (>= 2.14.1~),
libmaven-bundle-plugin-java,
libmaven-enforcer-plugin-java,
libmaven-javadoc-plugin-java,
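Review bot: The raised floor `libjackson2-core-java (>= 2.14.1~)` is applied to Build-Depends only, so it constrains the build environment but not what gets installed next to the resulting library. The binary package's Depends field is outside this hunk; if that dependency is generated without a version, a partial upgrade could pair this build with an older jackson-core than the one it was compiled against. I would confirm that the generated runtime dependency carries the same lower bound, or state it explicitly in the binary stanza, e.g. `libjackson2-core-java (>= 2.14.1~)`.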
=====================================
debian/patches/CVE-2020-36518.patch
=====================================
@@ -10,8 +10,6 @@ Origin: https://github.com/FasterXML/jackson-databind/issues/2816
2 files changed, 133 insertions(+), 47 deletions(-)
create mode 100644 src/test/java/com/fasterxml/jackson/databind/deser/DeepNestingUntypedDeserTest.java
-diff --git a/src/main/java/com/fasterxml/jackson/databind/deser/std/UntypedObjectDeserializer.java b/src/main/java/com/fasterxml/jackson/databind/deser/std/UntypedObjectDeserializer.java
-index e20b066..5d235c8 100644
--- a/src/main/java/com/fasterxml/jackson/databind/deser/std/UntypedObjectDeserializer.java
+++ b/src/main/java/com/fasterxml/jackson/databind/deser/std/UntypedObjectDeserializer.java
@@ -665,6 +665,10 @@ public class UntypedObjectDeserializer
@@ -121,19 +119,19 @@ index e20b066..5d235c8 100644
+ return Boolean.TRUE;
+ case JsonTokenId.ID_FALSE:
+ return Boolean.FALSE;
-
-- case JsonTokenId.ID_NULL: // 08-Nov-2016, tatu: yes, occurs
-- return null;
++
+ case JsonTokenId.ID_END_OBJECT:
+ // 28-Oct-2015, tatu: [databind#989] We may also be given END_OBJECT (similar to FIELD_NAME),
+ // if caller has advanced to the first token of Object, but for empty Object
+ return new LinkedHashMap<String, Object>(2);
-- //case JsonTokenId.ID_END_ARRAY: // invalid
-- default:
+- case JsonTokenId.ID_NULL: // 08-Nov-2016, tatu: yes, occurs
+- return null;
+ case JsonTokenId.ID_NULL: // 08-Nov-2016, tatu: yes, occurs
+ return null;
-+
+
+- //case JsonTokenId.ID_END_ARRAY: // invalid
+- default:
+ //case JsonTokenId.ID_END_ARRAY: // invalid
+ default:
}
@@ -215,9 +213,6 @@ index e20b066..5d235c8 100644
final Object oldValue = result.put(key, newValue);
if (oldValue != null) {
return _mapObjectWithDups(p, ctxt, result, key, oldValue, newValue,
-diff --git a/src/test/java/com/fasterxml/jackson/databind/deser/DeepNestingUntypedDeserTest.java b/src/test/java/com/fasterxml/jackson/databind/deser/DeepNestingUntypedDeserTest.java
-new file mode 100644
-index 0000000..16c56b4
--- /dev/null
+++ b/src/test/java/com/fasterxml/jackson/databind/deser/DeepNestingUntypedDeserTest.java
@@ -0,0 +1,70 @@
=====================================
debian/patches/CVE-2022-42003.patch
=====================================
@@ -9,8 +9,6 @@ Origin: https://github.com/FasterXML/jackson-databind/commit/d78d00ee7b5245b9310
2 files changed, 135 insertions(+), 12 deletions(-)
create mode 100644 src/test/java/com/fasterxml/jackson/databind/deser/dos/DeepArrayWrappingForDeser3590Test.java
-diff --git a/src/main/java/com/fasterxml/jackson/databind/deser/std/StdDeserializer.java b/src/main/java/com/fasterxml/jackson/databind/deser/std/StdDeserializer.java
-index 4be658e..da3167c 100644
--- a/src/main/java/com/fasterxml/jackson/databind/deser/std/StdDeserializer.java
+++ b/src/main/java/com/fasterxml/jackson/databind/deser/std/StdDeserializer.java
@@ -357,12 +357,8 @@ public abstract class StdDeserializer<T>
@@ -136,9 +134,6 @@ index 4be658e..da3167c 100644
protected void _verifyEndArrayForSingle(JsonParser p, DeserializationContext ctxt) throws IOException
{
JsonToken t = p.nextToken();
-diff --git a/src/test/java/com/fasterxml/jackson/databind/deser/dos/DeepArrayWrappingForDeser3590Test.java b/src/test/java/com/fasterxml/jackson/databind/deser/dos/DeepArrayWrappingForDeser3590Test.java
-new file mode 100644
-index 0000000..e5b0f1e
--- /dev/null
+++ b/src/test/java/com/fasterxml/jackson/databind/deser/dos/DeepArrayWrappingForDeser3590Test.java
@@ -0,0 +1,95 @@
=====================================
debian/patches/CVE-2022-42004.patch
=====================================
@@ -10,11 +10,9 @@ Origin: https://github.com/FasterXML/jackson-databind/commit/063183589218fec19a9
3 files changed, 57 insertions(+), 1 deletion(-)
create mode 100644 src/test/java/com/fasterxml/jackson/databind/deser/dos/DeepArrayWrappingForDeser3582Test.java
-diff --git a/src/main/java/com/fasterxml/jackson/databind/DeserializationFeature.java b/src/main/java/com/fasterxml/jackson/databind/DeserializationFeature.java
-index ff9e232..a924948 100644
--- a/src/main/java/com/fasterxml/jackson/databind/DeserializationFeature.java
+++ b/src/main/java/com/fasterxml/jackson/databind/DeserializationFeature.java
-@@ -318,8 +318,10 @@ public enum DeserializationFeature implements ConfigFeature
+@@ -318,8 +318,10 @@ public enum DeserializationFeature imple
* values to the corresponding value type. This is basically the opposite of the {@link #ACCEPT_SINGLE_VALUE_AS_ARRAY}
* feature. If more than one value is found in the array, a JsonMappingException is thrown.
* <p>
@@ -26,8 +24,6 @@ index ff9e232..a924948 100644
* @since 2.4
*/
UNWRAP_SINGLE_VALUE_ARRAYS(false),
-diff --git a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializer.java b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializer.java
-index bf13621..f0b5907 100644
--- a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializer.java
+++ b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializer.java
@@ -8,6 +8,7 @@ import com.fasterxml.jackson.databind.*;
@@ -54,9 +50,6 @@ index bf13621..f0b5907 100644
final Object value = deserialize(p, ctxt);
if (p.nextToken() != JsonToken.END_ARRAY) {
handleMissingEndArrayForSingle(p, ctxt);
-diff --git a/src/test/java/com/fasterxml/jackson/databind/deser/dos/DeepArrayWrappingForDeser3582Test.java b/src/test/java/com/fasterxml/jackson/databind/deser/dos/DeepArrayWrappingForDeser3582Test.java
-new file mode 100644
-index 0000000..2147cf1
--- /dev/null
+++ b/src/test/java/com/fasterxml/jackson/databind/deser/dos/DeepArrayWrappingForDeser3582Test.java
@@ -0,0 +1,44 @@
=====================================
debian/patches/CVE-2025-52999.patch
=====================================
@@ -0,0 +1,35 @@
+From: Markus Koschany <apo at debian.org>
+Date: Sat, 6 Jun 2026 14:04:23 +0200
+Subject: CVE-2025-52999
+
+Related to CVE-2025-52999.patch in jackson-core. Fixes a FTBFS.
+
+Bug-Debian: https://bugs.debian.org/1135410
+Forwarded: not-needed
+---
+ src/main/java/com/fasterxml/jackson/databind/ObjectMapper.java | 2 +-
+ src/main/java/com/fasterxml/jackson/databind/ObjectWriter.java | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+--- a/src/main/java/com/fasterxml/jackson/databind/ObjectMapper.java
++++ b/src/main/java/com/fasterxml/jackson/databind/ObjectMapper.java
+@@ -3734,7 +3734,7 @@ public class ObjectMapper
+ * Note: prior to version 2.1, throws clause included {@link IOException}; 2.1 removed it.
+ */
+ public String writeValueAsString(Object value)
+- throws JsonProcessingException
++ throws JsonProcessingException, IOException
+ {
+ // alas, we have to pull the recycler directly here...
+ SegmentedStringWriter sw = new SegmentedStringWriter(_jsonFactory._getBufferRecycler());
+--- a/src/main/java/com/fasterxml/jackson/databind/ObjectWriter.java
++++ b/src/main/java/com/fasterxml/jackson/databind/ObjectWriter.java
+@@ -1077,7 +1077,7 @@ public class ObjectWriter
+ * Note: prior to version 2.1, throws clause included {@link IOException}; 2.1 removed it.
+ */
+ public String writeValueAsString(Object value)
+- throws JsonProcessingException
++ throws JsonProcessingException, IOException
+ {
+ // alas, we have to pull the recycler directly here...
+ SegmentedStringWriter sw = new SegmentedStringWriter(_generatorFactory._getBufferRecycler());
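Review bot: Adding `IOException` to the `throws` clause of `writeValueAsString` in both `ObjectMapper` and `ObjectWriter` widens a public signature in a security upload. Since `JsonProcessingException` already extends `IOException`, the effective contract becomes `throws IOException`, and callers that catch or declare only `JsonProcessingException` will stop compiling, which can move the FTBFS into reverse dependencies. The Javadoc line kept just above (`2.1 removed it`) now contradicts the signature. The method bodies continue outside these hunks, so this part is inferred: if the new checked exception comes from a jackson-core call that sits outside the existing error handling, converting it inside the method, e.g. `catch (IOException e) { throw JsonMappingException.fromUnexpectedIOE(e); }`, would keep the published signature. The patch header could also state that this file is a build adaptation rather than the CVE fix itself, so tracker entries for CVE-2025-52999 are not read as a databind code fix.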
=====================================
debian/patches/base-pom.patch
=====================================
@@ -17,7 +17,7 @@ Forwarded: not-needed
<groupId>com.fasterxml.jackson</groupId>
<artifactId>jackson-base</artifactId>
- <version>2.12.1</version>
-+ <version>2.9.8</version>
++ <version>2.14.0</version>
</parent>
<groupId>com.fasterxml.jackson.core</groupId>
=====================================
debian/patches/series
=====================================
@@ -2,3 +2,4 @@ base-pom.patch
CVE-2020-36518.patch
CVE-2022-42003.patch
CVE-2022-42004.patch
+CVE-2025-52999.patch
View it on GitLab: https://salsa.debian.org/java-team/jackson-databind/-/compare/4250c46cb7d753a7d93196fccaea81ffeed620b3...c344e49a05eeccb5b7d61d650b2614e1829dff41