Bug#888316: jackson-databind: CVE-2018-5968

Markus Koschany apo at debian.org
Thu Jan 25 13:40:10 UTC 2018


Hi,

On Wed, 24 Jan 2018 23:02:44 +0100 Salvatore Bonaccorso
<carnil at debian.org> wrote:
> Source: jackson-databind
> Version: 2.9.1-1
> Severity: grave
> Tags: patch security upstream
> Forwarded: https://github.com/FasterXML/jackson-databind/issues/1899
> Control: found -1 2.8.6-1+deb9u2
> Control: found -1 2.4.2-2+deb8u2
> 
> Hi,
> 
> the following vulnerability was published for jackson-databind.

[...]

Thanks for reporting. I had a look at jackson-databind in Stretch. We
just need to apply the patch to BeanDeserializerFactory.java again. As
for Sid, upgrading to the latest upstream release 2.9.4 should also
resolve this. I'm working on it now.

Regards,

Markus



