Bug#941530: jackson-databind: CVE-2019-16942 CVE-2019-16943

Markus Koschany apo at debian.org
Tue Oct 1 21:46:16 BST 2019


Hi Salvatore,

On 01.10.19 at 22:34, Salvatore Bonaccorso wrote:
> Source: jackson-databind
> Version: 2.10.0-1
> Severity: grave
> Tags: security upstream
> Justification: user security hole
> Forwarded: https://github.com/FasterXML/jackson-databind/issues/2478
> Control: found -1 2.9.8-3
> Control: found -1 2.8.6-1+deb9u5
> Control: found -1 2.8.6-1
> 
> Hi,
> 
> Tony, Markus, As it was already expected ;-). Upstream, whilst it
> affects as well 2.10.0, seemingly is not considering doing an update
> for 2.10 specifically but have fixed this one as well for older
> versions. Previous point, that this is just going to start to be silly
> upholds.
> 
> That said, let's follow with the usual information:
> 
> The following vulnerabilities were published for jackson-databind.
[...]

First of all, thank you very much for taking care of reporting these issues.

Please let me know if you think this is a DSA-worthy issue. Otherwise I
will just ask the release team for an update. Personally I believe we
can treat that as an important issue from now on.

Cheers,

Markus


