Your message dated Sat, 18 Nov 2017 22:19:00 +0000
with message-id <e1egbs0-0005u9...@fasolo.debian.org>
and subject line Bug#870848: fixed in jackson-databind 2.4.2-2+deb8u1
has caused the Debian Bug report #870848,
regarding jackson-databind: CVE-2017-7525: Deserialization vulnerability via 
readValue method of ObjectMapper
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
870848: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=870848
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: jackson-databind
Version: 2.8.6-1
Severity: grave
Tags: security upstream
Forwarded: https://github.com/FasterXML/jackson-databind/issues/1599

Hi,

the following vulnerability was published for jackson-databind.

CVE-2017-7525[0]:
Deserialization vulnerability via readValue method of ObjectMapper

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

Upstream tracking is at [2].

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-7525
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7525
[1] https://github.com/FasterXML/jackson-databind/issues/1599
[2] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7525

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: jackson-databind
Source-Version: 2.4.2-2+deb8u1

We believe that the bug you reported is fixed in the latest version of
jackson-databind, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 870...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <a...@debian.org> (supplier of updated jackson-databind package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 19 Oct 2017 01:44:42 +0200
Source: jackson-databind
Binary: libjackson2-databind-java libjackson2-databind-java-doc
Architecture: source all
Version: 2.4.2-2+deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintain...@lists.alioth.debian.org>
Changed-By: Markus Koschany <a...@debian.org>
Description:
 libjackson2-databind-java - fast and powerful JSON library for Java -- data binding
 libjackson2-databind-java-doc - Documentation for jackson-databind
Closes: 870848
Changes:
 jackson-databind (2.4.2-2+deb8u1) jessie-security; urgency=high
 .
   * Team upload.
   * Fix CVE-2017-7525: Deserialization vulnerability via readValue
     method of ObjectMapper. (Closes: #870848)

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
