Hi Markus,

On Thu, Jan 25, 2018 at 02:40:10PM +0100, Markus Koschany wrote:
> Hi,
> 
> On Wed, 24 Jan 2018 23:02:44 +0100 Salvatore Bonaccorso
> <car...@debian.org> wrote:
> > Source: jackson-databind
> > Version: 2.9.1-1
> > Severity: grave
> > Tags: patch security upstream
> > Forwarded: https://github.com/FasterXML/jackson-databind/issues/1899
> > Control: found -1 2.8.6-1+deb9u2
> > Control: found -1 2.4.2-2+deb8u2
> > 
> > Hi,
> > 
> > the following vulnerability was published for jackson-databind.
> 
> [...]
> 
> Thanks for reporting. I had a look at jackson-databind in Stretch. We
> just need to apply the patch to BeanDeserializerFactory.java again. As
> for Sid upgrading to the latest upstream release 2.9.4 should also
> resolve this. I'm working on it now.

Perfect, thank you! We (Moritz) have added it to the dsa-needed list
for jessie and stretch, so once you have the update can you contact
the security team alias, one of us will then ack the upload.

Regards,
Salvatore

__
This is the maintainer address of Debian's Java team
<http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers>. 
Please use
debian-j...@lists.debian.org for discussions and questions.

Reply via email to