jackson-databind (2.8.6-1+deb9u10) stretch-security; urgency=high

  * Team upload.
  * Fix CVE-2020-36518: Java StackOverflow exception and denial of service
    via a large depth of nested objects.

 -- Markus Koschany <apo@debian.org>  Mon, 02 May 2022 17:34:10 +0200

jackson-databind (2.8.6-1+deb9u9) stretch-security; urgency=high

  * Non-maintainer upload by the LTS team.
  * Add patch to fix:
    - CVE-2020-24616: Block one more gadget type (Anteros-DBCP)
    - CVE-2020-24750: Block one more gadget type
                      (com.pastdev.httpcomponents)
    - CVE-2020-35490 and CVE-2020-35491: Block 2 more gadget
                      types (commons-dbcp2)
    - CVE-2020-35728: Block one more gadget type
                      (org.glassfish.web/javax.servlet.jsp.jstl)
    - CVE-2020-36179, CVE-2020-36180, CVE-2020-36181, and
      CVE-2020-36182: Block some more DBCP-related potential
                      gadget classes
    - CVE-2020-36183: Block one more gadget type
                      (org.docx4j.org.apache:xalan-interpretive)
    - CVE-2020-36184 and CVE-2020-36185: Block 2 more gadget
                      types (org.apache.tomcat/tomcat-dbcp)
    - CVE-2020-36186 and CVE-2020-36187: Block 2 more gadget
                      types (tomcat/naming-factory-dbcp)
    - CVE-2020-36188 and CVE-2020-36189: Block 2 more gadget
                      types (newrelic-agent)
    - CVE-2021-20190: Block one more gadget type (javax.swing)

 -- Utkarsh Gupta <utkarsh@debian.org>  Sun, 25 Apr 2021 00:23:13 +0530

jackson-databind (2.8.6-1+deb9u8) stretch-security; urgency=high

  * CVE-2020-25649: Prevent an external entity expansion vulnerability in the
    DOM serializer.

 -- Chris Lamb <lamby@debian.org>  Wed, 14 Oct 2020 11:15:52 +0100

jackson-databind (2.8.6-1+deb9u7) stretch; urgency=medium

  * Add multiple-CVE-BeanDeserializerFactory.patch and block more classes from
    polymorphic deserialization.
    This fixes 20 CVEs that currently affect the package, namely
    CVE-2020-9548, CVE-2020-9547, CVE-2020-9546, CVE-2020-8840, CVE-2020-14195,
    CVE-2020-14062, CVE-2020-14061, CVE-2020-14060, CVE-2020-11620,
    CVE-2020-11619, CVE-2020-11113, CVE-2020-11112, CVE-2020-11111,
    CVE-2020-10969, CVE-2020-10968, CVE-2020-10673, CVE-2020-10672,
    CVE-2019-20330, CVE-2019-17531 and CVE-2019-17267.

 -- Markus Koschany <apo@debian.org>  Thu, 09 Jul 2020 16:42:01 +0200

jackson-databind (2.8.6-1+deb9u6) stretch-security; urgency=high

  * Fix CVE-2019-12384, CVE-2019-12814, CVE-2019-14379, CVE-2019-14439,
    CVE-2019-14540, CVE-2019-16335, CVE-2019-16942 and CVE-2019-16943.
    Several deserialization flaws were discovered in jackson-databind which
    could allow an unauthenticated user to perform code execution. The issue
    was resolved by extending the blacklist and blocking more classes from
    polymorphic deserialization.

 -- Markus Koschany <apo@debian.org>  Sat, 05 Oct 2019 19:21:48 +0200

jackson-databind (2.8.6-1+deb9u5) stretch-security; urgency=high

  * Team upload.
  * Fix CVE-2018-11307, CVE-2018-12022, CVE-2018-12023, CVE-2018-14718,
    CVE-2018-14719, CVE-2018-14720, CVE-2018-14721, CVE-2018-19360,
    CVE-2018-19361, CVE-2018-19362 and CVE-2019-12086.
    Several deserialization flaws were discovered in jackson-databind which
    could allow an unauthenticated user to perform code execution. The issue
    was resolved by extending the blacklist and blocking more classes from
    polymorphic deserialization.

 -- Markus Koschany <apo@debian.org>  Sun, 19 May 2019 00:04:32 +0200

jackson-databind (2.8.6-1+deb9u4) stretch-security; urgency=high

  * Team upload.
  * Fix CVE-2018-7489: allows unauthenticated remote code execution because of
    an incomplete fix for the CVE-2017-7525 deserialization flaw. This is
    exploitable by sending maliciously crafted JSON input to the readValue
    method of the ObjectMapper, bypassing a blacklist that is ineffective if
    the c3p0 libraries are available in the classpath. (Closes: #891614)

 -- Markus Koschany <apo@debian.org>  Tue, 01 May 2018 19:12:38 +0200

jackson-databind (2.8.6-1+deb9u3) stretch-security; urgency=high

  * Team upload.
  * Fix CVE-2017-17485 and CVE-2018-5968:
    Bypass of deserialization blacklist to disallow unauthenticated remote code
    execution. These CVEs exist due to an incomplete fix for CVE-2017-7525.
    (Closes: #888316, #888318)

 -- Markus Koschany <apo@debian.org>  Sat, 27 Jan 2018 19:12:39 +0100

jackson-databind (2.8.6-1+deb9u2) stretch-security; urgency=high

  * Team upload.
  * CVE-2017-15095: incomplete fixes for CVE-2017-7525

 -- Sebastien Delafond <seb@debian.org>  Thu, 16 Nov 2017 08:55:34 +0100

jackson-databind (2.8.6-1+deb9u1) stretch-security; urgency=high

  * Team upload.
  * Fix CVE-2017-7525: Deserialization vulnerability via readValue
    method of ObjectMapper. (Closes: #870848)

 -- Markus Koschany <apo@debian.org>  Wed, 18 Oct 2017 18:30:07 +0200

jackson-databind (2.8.6-1) unstable; urgency=medium

  * Team upload.
  * New upstream release

 -- Emmanuel Bourg <ebourg@apache.org>  Mon, 16 Jan 2017 01:49:15 +0100

jackson-databind (2.8.5-2) unstable; urgency=medium

  * Team upload.
  * Added the missing build dependency on build-helper-maven-plugin
    (Closes: #848734)
  * Use maven-replacer-plugin instead of debian/replace-generate.sh
  * Merged the Build-Depends-Indep field into Build-Depends

 -- Emmanuel Bourg <ebourg@apache.org>  Wed, 21 Dec 2016 00:12:35 +0100

jackson-databind (2.8.5-1) unstable; urgency=medium

  * Team upload.
  * New upstream release
    - Depend on libjackson2-{core,annotations}-java (>= 2.8.5)
  * Switch to debhelper level 10

 -- Emmanuel Bourg <ebourg@apache.org>  Thu, 15 Dec 2016 15:56:57 +0100

jackson-databind (2.7.4-1) unstable; urgency=medium

  * Team upload.
  * New upstream release
  * Depend on groovy instead of groovy2

 -- Emmanuel Bourg <ebourg@apache.org>  Fri, 13 May 2016 10:12:03 +0200

jackson-databind (2.7.3-1) unstable; urgency=medium

  * Team upload.
  * New upstream release
    - Refreshed the patch
    - Ignore the new test dependencies
    - Tightened the dependency on libjackson2-{core,annotations}-java
    - Removed the dependency on libcglib3-java
  * Standards-Version updated to 3.9.8 (no changes)
  * Use secure Vcs-* URLs

 -- Emmanuel Bourg <ebourg@apache.org>  Fri, 08 Apr 2016 15:10:22 +0200

jackson-databind (2.4.2-3) unstable; urgency=medium

  * Team upload.
  * Transition to Groovy 2

 -- Emmanuel Bourg <ebourg@apache.org>  Fri, 20 Nov 2015 13:06:01 +0100

jackson-databind (2.4.2-2) unstable; urgency=medium

  * Team upload.
  * Build depend on libcglib3-java instead of libcglib-java
  * Standards-Version updated to 3.9.6 (no changes)
  * Removed the build dependency on libmaven-cobertura-plugin-java

 -- Emmanuel Bourg <ebourg@apache.org>  Mon, 29 Sep 2014 16:30:49 +0200

jackson-databind (2.4.2-1) unstable; urgency=medium

  * Team upload.
  * New upstream release.
  * ignoreRules: Ignore replacer.
  * ignoreRules: Ignore release plugin.
  * control: Add libmaven-bundle-plugin to build-deps.
  * fix-using-bundle.diff: Use extensions with bundle plugin.
  * maven.{publishedR,r}ules: Fix version mangling.
  * control: Bump dependency on -core and -annotations.
  * properties: Set encoding to UTF-8.
  * control: Add libmaven-cobertura-plugin-java to build-depends.

 -- Timo Aaltonen <tjaalton@debian.org>  Wed, 24 Sep 2014 17:14:02 +0300

jackson-databind (2.2.2-2) unstable; urgency=low

  * Team upload.
  * Update Maven settings to use correct coordinates for Groovy 1.8.x.
    (Closes: #750267).
  * Bump Standards-Version to 3.9.5. No changes were required.

 -- Miguel Landaeta <nomadium@debian.org>  Mon, 26 May 2014 14:53:06 -0300

jackson-databind (2.2.2-1) unstable; urgency=low

  * Initial release. (Closes: #720504)

 -- Wolodja Wentland <debian@babilen5.org>  Thu, 22 Aug 2013 15:24:34 +0000
