Bug#940498: jackson-databind: CVE-2019-14540 CVE-2019-16335
Markus Koschany
apo at debian.org
Sun Sep 29 20:51:02 BST 2019
Control: tags -1 pending
On Mon, 16 Sep 2019 15:14:37 +0200 Salvatore Bonaccorso
<carnil at debian.org> wrote:
> Source: jackson-databind
> Version: 2.9.9.3-1
> Severity: grave
> Tags: security upstream
> Justification: user security hole
[...]
> p.s.: wondering where that is going to end ;-)
Hi,
I also think it is starting to get silly now. I will upload 2.10.0 to
unstable shortly, but I suggest addressing these kinds of issues from now
on only via stable-updates. This can be done two or three times per
year. It is basically just adding new classes to the blacklist. I
believe the whole approach of blacklisting classes is not very
sophisticated.
Regards,
Markus
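Added example (not code from the bug report or from the jackson-databind project): the blacklist-based default typing that these CVEs keep extending, next to the allowlist-based PolymorphicTypeValidator that jackson-databind 2.10 introduces. The Shape/Circle types and the JSON inputs are constructed for the example.

```java
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.ObjectMapper.DefaultTyping;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class AllowlistTyping {
    // Hypothetical application types, constructed for this example.
    public interface Shape {}
    public static final class Circle implements Shape {
        public double radius;
    }

    // Pre-2.10 style: global default typing guarded only by the upstream
    // blacklist of known gadget classes (deprecated in 2.10). Every new
    // gadget class means a new CVE and a new blacklist entry.
    @SuppressWarnings("deprecation")
    static ObjectMapper blacklistMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping();
        return mapper;
    }

    // 2.10 style: an allowlist. Only subtypes of the application's own
    // Shape interface may be instantiated from a type id found in JSON;
    // anything else is rejected regardless of whether it is on a blacklist.
    static ObjectMapper allowlistMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(Shape.class)
                .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv, DefaultTyping.NON_FINAL);
        return mapper;
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = allowlistMapper();

        // Constructed input naming an allowed subtype: deserializes normally.
        String ok = "[\"" + Circle.class.getName() + "\", {\"radius\": 2.0}]";
        Shape shape = mapper.readValue(ok, Shape.class);
        System.out.println("accepted: " + shape.getClass().getSimpleName());

        // Constructed input naming a class outside the allowlist: rejected by
        // the validator before any instance is created.
        String untrusted = "[\"java.util.HashMap\", {\"x\": 1}]";
        try {
            mapper.readValue(untrusted, Object.class);
        } catch (JsonMappingException e) {
            System.out.println("rejected: " + e.getOriginalMessage());
        }
    }
}
```

Running it prints "accepted: Circle" followed by a "rejected:" line for the HashMap type id.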