Change log for jackson-databind package in Ubuntu
| 1 → 33 of 33 results | First • Previous • Next • Last |
| Published in noble-release |
| Published in mantic-release |
| Published in lunar-release |
| Deleted in lunar-proposed (Reason: Moved to lunar) |
jackson-databind (2.14.0-1) unstable; urgency=medium
* New upstream version 2.14.0.
- Fix CVE-2022-42003:
Resource exhaustion can occur because of a lack of a check in primitive
value deserializers to avoid deep wrapper array nesting, when the
UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled.
- Fix CVE-2022-42004:
Resource exhaustion can occur because of a lack of a check in
BeanDeserializer._deserializeFromArray to prevent use of deeply nested
arrays. An application is vulnerable only with certain customized choices
for deserialization.
* Declare compliance with Debian Policy 4.6.1.
-- Markus Koschany <email address hidden> Fri, 11 Nov 2022 23:19:39 +0100
Available diffs
- diff from 2.13.2.2-1 to 2.14.0-1 (121.9 KiB)
| Superseded in lunar-release |
| Obsolete in kinetic-release |
| Deleted in kinetic-proposed (Reason: Moved to kinetic) |
jackson-databind (2.13.2.2-1) unstable; urgency=medium
* New upstream version 2.13.2.2.
- Fix CVE-2020-36518: Java StackOverflow exception and denial of service
via a large depth of nested objects. (Closes: #1007109)
Thanks to Neil Williams for the report.
-- Markus Koschany <email address hidden> Sat, 30 Apr 2022 14:05:08 +0200
Available diffs
- diff from 2.13.0-2 to 2.13.2.2-1 (38.1 KiB)
| Superseded in kinetic-release |
| Published in jammy-release |
| Deleted in jammy-proposed (Reason: Moved to jammy) |
jackson-databind (2.13.0-2) unstable; urgency=medium * Drop all doc packages from Build-Depends. * Update debian/watch. -- Markus Koschany <email address hidden> Thu, 04 Nov 2021 10:28:57 +0100
Available diffs
- diff from 2.13.0-1 to 2.13.0-2 (1.4 KiB)
jackson-databind (2.13.0-1) unstable; urgency=medium * New upstream version 2.13.0. -- Markus Koschany <email address hidden> Fri, 22 Oct 2021 12:58:08 +0200
Available diffs
- diff from 2.12.5-1 to 2.13.0-1 (207.2 KiB)
jackson-databind (2.12.5-1) unstable; urgency=medium * New upstream version 2.12.5. * Declare compliance with Debian Policy 4.6.0. -- Markus Koschany <email address hidden> Tue, 07 Sep 2021 10:09:57 +0200
Available diffs
- diff from 2.12.1-1 to 2.12.5-1 (29.4 KiB)
| Superseded in jammy-release |
| Obsolete in impish-release |
| Obsolete in hirsute-release |
| Deleted in hirsute-proposed (Reason: moved to Release) |
jackson-databind (2.12.1-1) unstable; urgency=medium
* Team upload.
* New upstream release
- Refreshed the patch
- Depend on libjackson2-annotations-java (>= 2.12.1)
* Standards-Version updated to 4.5.1
-- Emmanuel Bourg <email address hidden> Sun, 17 Jan 2021 23:46:32 +0100
Available diffs
- diff from 2.11.1-1 to 2.12.1-1 (329.7 KiB)
| Superseded in hirsute-release |
| Obsolete in groovy-release |
| Deleted in groovy-proposed (Reason: moved to Release) |
jackson-databind (2.11.1-1) unstable; urgency=medium
* New upstream version 2.11.1.
- Exclude the javadocs from the source tarball because they require more
than 500 MB disk space.
- Fixes CVE-2020-9548, CVE-2020-9547, CVE-2020-9546, CVE-2020-8840,
CVE-2020-14195, CVE-2020-14062, CVE-2020-14061, CVE-2020-14060,
CVE-2020-11620, CVE-2020-11619, CVE-2020-11113, CVE-2020-11112,
CVE-2020-11111, CVE-2020-10969, CVE-2020-10968, CVE-2020-10673,
CVE-2020-10672.
* Switch to debhelper-compat = 13.
* Refresh base-pom.patch.
* Remove README.source.
-- Markus Koschany <email address hidden> Thu, 09 Jul 2020 13:53:55 +0200
Available diffs
- diff from 2.10.2-1 to 2.11.1-1 (142.4 KiB)
| Superseded in groovy-release |
| Published in focal-release |
| Deleted in focal-proposed (Reason: moved to Release) |
jackson-databind (2.10.2-1) unstable; urgency=medium * New upstream version 2.10.2. * Declare compliance with Debian Policy 4.5.0. -- Markus Koschany <email address hidden> Sun, 16 Feb 2020 14:27:13 +0100
Available diffs
- diff from 2.10.1-1 to 2.10.2-1 (18.2 KiB)
jackson-databind (2.10.1-1) unstable; urgency=medium * New upstream version 2.10.1. * Drop CVE-2019-16942-and-CVE-2019-16943.patch. Fixed upstream. -- Markus Koschany <email address hidden> Sun, 15 Dec 2019 16:07:37 +0100
Available diffs
- diff from 2.10.0-2 to 2.10.1-1 (32.0 KiB)
jackson-databind (2.10.0-2) unstable; urgency=high
* Fix CVE-2019-16942 and CVE-2019-16943.
Block two more gadget types (commons-dbcp, p6spy). (Closes: #941530)
-- Markus Koschany <email address hidden> Thu, 03 Oct 2019 15:48:58 +0200
Available diffs
- diff from 2.9.9.3-1 to 2.10.0-2 (161.8 KiB)
| Superseded in focal-release |
| Obsolete in eoan-release |
| Deleted in eoan-proposed (Reason: moved to release) |
jackson-databind (2.9.9.3-1) unstable; urgency=medium
* Team upload.
* New upstream version 2.9.9.3.
- Fix CVE-2019-14439 and CVE-2019-14379. Thanks to Salvatore Bonaccorso for
the report. (Closes: #933393)
* Drop all patches. These are all part of the latest upstream release.
* Switch to debhelper-compat = 12.
* Declare compliance with Debian Policy 4.4.0.
-- Markus Koschany <email address hidden> Tue, 13 Aug 2019 00:26:52 +0200
Available diffs
- diff from 2.9.8-3 to 2.9.9.3-1 (15.5 KiB)
jackson-databind (2.9.8-3) unstable; urgency=medium
* Team upload.
* Fix CVE-2019-12814 and CVE-2019-12384:
More Polymorphic Typing issues were discovered in jackson-databind. When
Default Typing is enabled (either globally or for a specific property) for
an externally exposed JSON endpoint and the service has JDOM 1.x or 2.x or
logback-core jar in the classpath, an attacker can send a specifically
crafted JSON message that allows them to read arbitrary local files on the
server. (Closes: #930750)
-- Markus Koschany <email address hidden> Sat, 22 Jun 2019 00:28:48 +0200
Available diffs
- diff from 2.9.8-2 to 2.9.8-3 (1.3 KiB)
jackson-databind (2.9.8-2) unstable; urgency=medium
* Team upload.
* Fix CVE-2019-12086:
A Polymorphic Typing issue was discovered in jackson-databind. When
Default Typing is enabled (either globally or for a specific property) for
an externally exposed JSON endpoint, the service has the
mysql-connector-java jar (8.0.14 or earlier) in the classpath, and an
attacker can host a crafted MySQL server reachable by the victim, an
attacker can send a crafted JSON message that allows them to read arbitrary
local files on the server. This occurs because of missing
com.mysql.cj.jdbc.admin.MiniAdmin validation. (Closes: #929177)
-- Markus Koschany <email address hidden> Sat, 18 May 2019 20:31:28 +0200
Available diffs
- diff from 2.9.8-1 to 2.9.8-2 (1.2 KiB)
| Obsolete in cosmic-updates |
| Published in bionic-updates |
| Obsolete in cosmic-security |
| Published in bionic-security |
| Deleted in cosmic-proposed (Reason: moved to -updates) |
| Deleted in bionic-proposed (Reason: moved to -updates) |
jackson-databind (2.9.8-1~18.04) bionic; urgency=medium * Backport for OpenJDK 11. LP: #1814133.
Available diffs
| Superseded in eoan-release |
| Obsolete in disco-release |
| Deleted in disco-proposed (Reason: moved to release) |
jackson-databind (2.9.8-1) unstable; urgency=medium
* Team upload.
* New upstream release
- Depend on libjackson2-core-java (>= 2.9.8)
* Standards-Version updated to 4.3.0
* Use salsa.debian.org Vcs-* URLs
-- Emmanuel Bourg <email address hidden> Sun, 30 Dec 2018 11:03:14 +0100
Available diffs
- diff from 2.9.5-1 to 2.9.8-1 (64.1 KiB)
jackson-databind (2.8.6-1+deb9u4build0.17.10.1) artful-security; urgency=medium * fake sync from Debian
| Superseded in disco-release |
| Obsolete in cosmic-release |
| Published in bionic-release |
| Deleted in bionic-proposed (Reason: moved to release) |
jackson-databind (2.9.5-1) unstable; urgency=medium
* Team upload.
* New upstream version 2.9.5.
- Fix CVE-2018-7489: incomplete fix for CVE-2017-7525 permits unsafe
serialization via c3p0 libraries. (Closes: #891614)
* Remove --has-package-version flag.
-- Markus Koschany <email address hidden> Tue, 27 Mar 2018 17:36:36 +0200
Available diffs
- diff from 2.9.4-1 to 2.9.5-1 (12.0 KiB)
jackson-databind (2.8.6-1+deb9u3build0.17.10.1) artful-security; urgency=medium * fake sync from Debian
Available diffs
jackson-databind (2.9.4-1) unstable; urgency=medium
* Team upload.
* New upstream version 2.9.4.
- Fix CVE-2018-5968: bypass of deserialization blacklist related to
CVE-2017-7525 and CVE-2017-17485. (Closes: #888316)
- Fix CVE-2017-17485: unauthenticated remote code execution
because of an incomplete fix for CVE-2017-7525. (Closes: #888318)
* Use compat level 11.
* Declare compliance with Debian Policy 4.1.3.
-- Markus Koschany <email address hidden> Thu, 25 Jan 2018 14:45:19 +0100
Available diffs
- diff from 2.9.1-1 to 2.9.4-1 (120.6 KiB)
jackson-databind (2.8.6-1+deb9u2build0.17.04.1) zesty-security; urgency=medium * fake sync from Debian
Available diffs
jackson-databind (2.8.6-1+deb9u2build0.17.10.1) artful-security; urgency=medium * fake sync from Debian
Available diffs
jackson-databind (2.8.6-1+deb9u1build0.17.10.1) artful-security; urgency=medium * fake sync from Debian
Available diffs
jackson-databind (2.8.6-1+deb9u1build0.17.04.1) zesty-security; urgency=medium * fake sync from Debian
Available diffs
jackson-databind (2.9.1-1) unstable; urgency=medium
* Team upload.
* New upstream version 2.9.1.
- Fixes CVE-2017-7525: Deserialization vulnerability via readValue
method of ObjectMapper (Closes: #870848)
- Builds fine with Java 9. (Closes: #875411)
* Declare compliance with Debian Policy 4.1.1.
* Tighten B-D on jackson-core and jackson-annotations.
* Add libmaven-shade-plugin-java to B-D.
-- Markus Koschany <email address hidden> Thu, 12 Oct 2017 00:31:43 +0200
Available diffs
- diff from 2.8.6-1 to 2.9.1-1 (676.6 KiB)
| Superseded in bionic-release |
| Obsolete in artful-release |
| Obsolete in zesty-release |
| Deleted in zesty-proposed (Reason: moved to release) |
jackson-databind (2.8.6-1) unstable; urgency=medium * Team upload. * New upstream release -- Emmanuel Bourg <email address hidden> Mon, 16 Jan 2017 01:49:15 +0100
Available diffs
- diff from 2.8.5-2 to 2.8.6-1 (14.8 KiB)
jackson-databind (2.8.5-2) unstable; urgency=medium
* Team upload.
* Added the missing build dependency on build-helper-maven-plugin
(Closes: #848734)
* Use maven-replacer-plugin instead of debian/replace-generate.sh
* Merged the Build-Depends-Indep field into Build-Depends
-- Emmanuel Bourg <email address hidden> Wed, 21 Dec 2016 00:12:35 +0100
Available diffs
- diff from 2.7.4-1 to 2.8.5-2 (294.8 KiB)
- diff from 2.8.5-1 to 2.8.5-2 (1.4 KiB)
jackson-databind (2.8.5-1) unstable; urgency=medium
* Team upload.
* New upstream release
- Depend on libjackson2-{core,annotations}-java (>= 2.8.5)
* Switch to debhelper level 10
-- Emmanuel Bourg <email address hidden> Thu, 15 Dec 2016 15:56:57 +0100
| Superseded in zesty-release |
| Obsolete in yakkety-release |
| Deleted in yakkety-proposed (Reason: moved to release) |
jackson-databind (2.7.4-1) unstable; urgency=medium * Team upload. * New upstream release * Depend on groovy instead of groovy2 -- Emmanuel Bourg <email address hidden> Fri, 13 May 2016 10:12:03 +0200
Available diffs
- diff from 2.7.3-1 to 2.7.4-1 (25.3 KiB)
jackson-databind (2.7.3-1) unstable; urgency=medium
* Team upload.
* New upstream release
- Refreshed the patch
- Ignore the new test dependencies
- Tightened the dependency on libjackson2-{core,annotations}-java
- Removed the dependency on libcglib3-java
* Standards-Version updated to 3.9.8 (no changes)
* Use secure Vcs-* URLs
-- Emmanuel Bourg <email address hidden> Fri, 08 Apr 2016 15:10:22 +0200
Available diffs
- diff from 2.4.2-3 to 2.7.3-1 (658.9 KiB)
| Superseded in yakkety-release |
| Published in xenial-release |
| Deleted in xenial-proposed (Reason: moved to release) |
jackson-databind (2.4.2-3) unstable; urgency=medium * Team upload. * Transition to Groovy 2 -- Emmanuel Bourg <email address hidden> Fri, 20 Nov 2015 13:06:01 +0100
Available diffs
- diff from 2.4.2-2 to 2.4.2-3 (561 bytes)
| Superseded in xenial-release |
| Obsolete in wily-release |
| Obsolete in vivid-release |
| Deleted in vivid-proposed (Reason: moved to release) |
jackson-databind (2.4.2-2) unstable; urgency=medium * Team upload. * Build depend on libcglib3-java instead of libcglib-java * Standards-Version updated to 3.9.6 (no changes) * Removed the build dependency on libmaven-cobertura-plugin-java -- Emmanuel Bourg <email address hidden> Mon, 29 Sep 2014 16:30:49 +0200
Available diffs
- diff from 2.2.2-2 to 2.4.2-2 (347.8 KiB)
| Superseded in vivid-release |
| Obsolete in utopic-release |
| Deleted in utopic-proposed (Reason: moved to release) |
jackson-databind (2.2.2-2) unstable; urgency=low
* Team upload.
* Update Maven settings to use correct coordinates for Groovy 1.8.x.
(Closes: #750267).
* Bump Standards-Version to 3.9.5. No changes were required.
-- Miguel Landaeta <email address hidden> Mon, 26 May 2014 14:53:06 -0300
Available diffs
- diff from 2.2.2-1 to 2.2.2-2 (812 bytes)
| Superseded in utopic-release |
| Published in trusty-release |
| Deleted in trusty-proposed (Reason: moved to release) |
jackson-databind (2.2.2-1) unstable; urgency=low * Initial release. (Closes: #720504) -- Wolodja Wentland <email address hidden> Thu, 22 Aug 2013 15:24:34 +0000
| 1 → 33 of 33 results | First • Previous • Next • Last |
