jackson-databind (2.4.2-2+deb8u12) jessie-security; urgency=high

  * Non-maintainer upload by the LTS team.
  * Add patch to fix:
    - CVE-2020-9546: Block one more gadget type (shaded-hikari-config).
    - CVE-2020-9547 & CVE-2020-9548: Block two more gadget types
      (ibatis-sqlmap, anteros-core).

 -- Utkarsh Gupta <utkarsh@debian.org>  Fri, 06 Mar 2020 01:39:43 +0530

jackson-databind (2.4.2-2+deb8u11) jessie-security; urgency=medium

  * Non-maintainer upload by the LTS team.
  * CVE-2019-20330, CVE-2020-8840: block more classes to prevent RCE attacks
    when deserializing objects from untrusted users.

 -- Emilio Pozuelo Monfort <pochu@debian.org>  Thu, 20 Feb 2020 11:53:00 +0100

jackson-databind (2.4.2-2+deb8u10) jessie-security; urgency=high

  * Non-maintainer upload by the LTS team.
  * Fix CVE-2019-17267 and CVE-2019-17531.
    More deserialization flaws were discovered in jackson-databind relating to
    the classes in net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup
    and org.apache.log4j.receivers.db which could allow an unauthenticated user
    to perform remote code execution. The issue was resolved by extending the
    blacklist and blocking more classes from polymorphic deserialization.

 -- Markus Koschany <apo@debian.org>  Tue, 10 Dec 2019 17:15:09 +0100

jackson-databind (2.4.2-2+deb8u9) jessie-security; urgency=high

  * Non-maintainer upload by the LTS team.
  * Fix CVE-2019-14540, CVE-2019-16335, CVE-2019-16942 and CVE-2019-16943.
    Deserialization flaws were discovered in jackson-databind relating to
    com.zaxxer.hikari.HikariConfig, com.zaxxer.hikari.HikariDataSource,
    commons-dbcp and com.p6spy.engine.spy.P6DataSource, which could allow an
    unauthenticated user to perform remote code execution. The issue was
    resolved by extending the blacklist and blocking more classes from
    polymorphic deserialization.

 -- Markus Koschany <apo@debian.org>  Wed, 02 Oct 2019 21:36:21 +0200

jackson-databind (2.4.2-2+deb8u8) jessie-security; urgency=high

  * Non-maintainer upload by the LTS team.
  * Fix CVE-2019-14379, CVE-2019-14439:
    Deserialization flaws were discovered in jackson-databind relating to
    EHCache and logback/jndi, which could allow an unauthenticated user to
    perform remote code execution.  The issue was resolved by extending the
    blacklist and blocking more classes from polymorphic deserialization.
    (Closes: #933393)

 -- Roberto C. Sanchez <roberto@debian.org>  Mon, 12 Aug 2019 17:40:56 -0400

jackson-databind (2.4.2-2+deb8u7) jessie-security; urgency=high

  * Non-maintainer upload by the LTS team.
  * More Polymorphic Typing issues were discovered in jackson-databind. When
    Default Typing is enabled (either globally or for a specific property) for an
    externally exposed JSON endpoint and the service has JDOM 1.x or 2.x or
    logback-core jar in the classpath, an attacker can send a specifically
    crafted JSON message that allows them to read arbitrary local files on the
    server.

 -- Markus Koschany <apo@debian.org>  Fri, 21 Jun 2019 14:16:32 +0200

jackson-databind (2.4.2-2+deb8u6) jessie-security; urgency=high

  * Non-maintainer upload by the LTS team.
  * Fix CVE-2019-12086:
    A Polymorphic Typing issue was discovered in jackson-databind.
    When Default Typing is enabled (either globally or for a specific property)
    for an externally exposed JSON endpoint, the service has the
    mysql-connector-java jar (8.0.14 or earlier) in the classpath, and an
    attacker can host a crafted MySQL server reachable by the victim, an
    attacker can send a crafted JSON message that allows them to read arbitrary
    local files on the server. This occurs because of missing
    com.mysql.cj.jdbc.admin.MiniAdmin validation.

 -- Markus Koschany <apo@debian.org>  Mon, 20 May 2019 22:39:35 +0200

jackson-databind (2.4.2-2+deb8u5) jessie-security; urgency=high

  * Non-maintainer upload by the LTS team.
  * Fix CVE-2018-11307, CVE-2018-12022, CVE-2018-12023, CVE-2018-14718,
    CVE-2018-14719, CVE-2018-14720, CVE-2018-14721, CVE-2018-19360,
    CVE-2018-19361 and CVE-2018-19362.
    Several deserialization flaws were discovered in jackson-databind which
    could allow an unauthenticated user to perform code execution. The issue
    was resolved by extending the blacklist and blocking more classes from
    polymorphic deserialization.

 -- Markus Koschany <apo@debian.org>  Mon, 04 Mar 2019 10:30:09 +0100

jackson-databind (2.4.2-2+deb8u4) jessie-security; urgency=high

  * Team upload.
  * Fix CVE-2018-7489: allows unauthenticated remote code execution because of
    an incomplete fix for the CVE-2017-7525 deserialization flaw. This is
    exploitable by sending maliciously crafted JSON input to the readValue
    method of the ObjectMapper, bypassing a blacklist that is ineffective if
    the c3p0 libraries are available in the classpath. (Closes: #891614)

 -- Markus Koschany <apo@debian.org>  Tue, 01 May 2018 19:20:38 +0200

jackson-databind (2.4.2-2+deb8u3) jessie-security; urgency=high

  * Team upload.
  * Fix CVE-2017-17485 and CVE-2018-5968:
    Bypass of deserialization blacklist to disallow unauthenticated remote code
    execution. These CVEs exist due to an incomplete fix for CVE-2017-7525.
    (Closes: #888316, #888318)

 -- Markus Koschany <apo@debian.org>  Sat, 27 Jan 2018 19:37:47 +0100

jackson-databind (2.4.2-2+deb8u2) jessie-security; urgency=high

  * Team upload.
  * CVE-2017-15095: incomplete fixes for CVE-2017-7525

 -- Sebastien Delafond <seb@debian.org>  Thu, 16 Nov 2017 09:13:27 +0100

jackson-databind (2.4.2-2+deb8u1) jessie-security; urgency=high

  * Team upload.
  * Fix CVE-2017-7525: Deserialization vulnerability via readValue
    method of ObjectMapper. (Closes: #870848)

 -- Markus Koschany <apo@debian.org>  Thu, 19 Oct 2017 01:44:42 +0200

jackson-databind (2.4.2-2) unstable; urgency=medium

  * Team upload.
  * Build depend on libcglib3-java instead of libcglib-java
  * Standards-Version updated to 3.9.6 (no changes)
  * Removed the build dependency on libmaven-cobertura-plugin-java

 -- Emmanuel Bourg <ebourg@apache.org>  Mon, 29 Sep 2014 16:30:49 +0200

jackson-databind (2.4.2-1) unstable; urgency=medium

  * Team upload.
  * New upstream release.
  * ignoreRules: Ignore replacer.
  * ignoreRules: Ignore release plugin.
  * control: Add libmaven-bundle-plugin to build-deps.
  * fix-using-bundle.diff: Use extensions with bundle plugin.
  * maven.{publishedR,r}ules: Fix version mangling.
  * control: Bump dependency on -core and -annotations.
  * properties: Set encoding to UTF-8.
  * control: Add libmaven-cobertura-plugin-java to build-depends.

 -- Timo Aaltonen <tjaalton@debian.org>  Wed, 24 Sep 2014 17:14:02 +0300

jackson-databind (2.2.2-2) unstable; urgency=low

  * Team upload.
  * Update Maven settings to use correct coordinates for Groovy 1.8.x.
    (Closes: #750267).
  * Bump Standards-Version to 3.9.5. No changes were required.

 -- Miguel Landaeta <nomadium@debian.org>  Mon, 26 May 2014 14:53:06 -0300

jackson-databind (2.2.2-1) unstable; urgency=low

  * Initial release. (Closes: #720504)

 -- Wolodja Wentland <debian@babilen5.org>  Thu, 22 Aug 2013 15:24:34 +0000
