-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 18 May 2019 20:31:28 +0200
Source: jackson-databind
Architecture: source
Version: 2.9.8-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintain...@lists.alioth.debian.org>
Changed-By: Markus Koschany <a...@debian.org>
Closes: 929177
Changes:
 jackson-databind (2.9.8-2) unstable; urgency=medium
 .
   * Team upload.
   * Fix CVE-2019-12086:
     A Polymorphic Typing issue was discovered in jackson-databind. When
     Default Typing is enabled (either globally or for a specific property) for
     an externally exposed JSON endpoint, the service has the
     mysql-connector-java jar (8.0.14 or earlier) in the classpath, and an
     attacker can host a crafted MySQL server reachable by the victim, an
     attacker can send a crafted JSON message that allows them to read arbitrary
     local files on the server. This occurs because of missing
     com.mysql.cj.jdbc.admin.MiniAdmin validation. (Closes: #929177)

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----