Bug#888316: jackson-databind: CVE-2018-5968

Salvatore Bonaccorso carnil at debian.org
Thu Jan 25 14:23:26 UTC 2018


Hi Markus,

On Thu, Jan 25, 2018 at 02:40:10PM +0100, Markus Koschany wrote:
> Hi,
> 
> On Wed, 24 Jan 2018 23:02:44 +0100 Salvatore Bonaccorso
> <carnil at debian.org> wrote:
> > Source: jackson-databind
> > Version: 2.9.1-1
> > Severity: grave
> > Tags: patch security upstream
> > Forwarded: https://github.com/FasterXML/jackson-databind/issues/1899
> > Control: found -1 2.8.6-1+deb9u2
> > Control: found -1 2.4.2-2+deb8u2
> > 
> > Hi,
> > 
> > the following vulnerability was published for jackson-databind.
> 
> [...]
> 
> Thanks for reporting. I had a look at jackson-databind in Stretch. We
> just need to apply the patch to BeanDeserializerFactory.java again. As
> for Sid upgrading to the latest upstream release 2.9.4 should also
> resolve this. I'm working on it now.

Perfect, thank you! We (Moritz) have added it to the dsa-needed list
for jessie and stretch, so once you have the update, can you contact
the security team alias? One of us will then ack the upload.

Regards,
Salvatore
