Hi Markus,

On Thu, Jan 25, 2018 at 02:40:10PM +0100, Markus Koschany wrote:
> Hi,
>
> On Wed, 24 Jan 2018 23:02:44 +0100 Salvatore Bonaccorso
> <car...@debian.org> wrote:
> > Source: jackson-databind
> > Version: 2.9.1-1
> > Severity: grave
> > Tags: patch security upstream
> > Forwarded: https://github.com/FasterXML/jackson-databind/issues/1899
> > Control: found -1 2.8.6-1+deb9u2
> > Control: found -1 2.4.2-2+deb8u2
> >
> > Hi,
> >
> > the following vulnerability was published for jackson-databind.
>
> [...]
>
> Thanks for reporting. I had a look at jackson-databind in Stretch. We
> just need to apply the patch to BeanDeserializerFactory.java again. As
> for Sid, upgrading to the latest upstream release 2.9.4 should also
> resolve this. I'm working on it now.

Perfect, thank you! We (Moritz) have added it to the dsa-needed list for
jessie and stretch, so once you have the update, can you contact the
security team alias? One of us will then ack the upload.

Regards,
Salvatore