On Thu, Jan 25, 2018 at 02:40:10PM +0100, Markus Koschany wrote:
> On Wed, 24 Jan 2018 23:02:44 +0100 Salvatore Bonaccorso
> <car...@debian.org> wrote:
> > Source: jackson-databind
> > Version: 2.9.1-1
> > Severity: grave
> > Tags: patch security upstream
> > Forwarded: https://github.com/FasterXML/jackson-databind/issues/1899
> > Control: found -1 2.8.6-1+deb9u2
> > Control: found -1 2.4.2-2+deb8u2
> > Hi,
> > the following vulnerability was published for jackson-databind.
> Thanks for reporting. I had a look at jackson-databind in Stretch. We
> just need to apply the patch to BeanDeserializerFactory.java again. As
> for Sid upgrading to the latest upstream release 2.9.4 should also
> resolve this. I'm working on it now.
Perfect, thank you! We (Moritz) have added it to the dsa-needed list
for jessie and stretch, so once you have the update can you contact
the security team alias, one of us will then ack the upload.
This is the maintainer address of Debian's Java team
debian-j...@lists.debian.org for discussions and questions.