Your message dated Sun, 12 Nov 2017 15:33:07 +0000 with message-id <e1edufv-000fat...@fasolo.debian.org> and subject line Bug#870848: fixed in jackson-databind 2.8.6-1+deb9u1 has caused the Debian Bug report #870848, regarding jackson-databind: CVE-2017-7525: Deserialization vulnerability via readValue method of ObjectMapper to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 870848: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=870848 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
--- Begin Message ---Source: jackson-databind Version: 2.8.6-1 Severity: grave Tags: security upstream Forwarded: https://github.com/FasterXML/jackson-databind/issues/1599 Hi, the following vulnerability was published for jackson-databind. CVE-2017-7525[0]: Deserialization vulnerability via readValue method of ObjectMapper If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. Upstream tracking is at [2]. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2017-7525 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7525 [1] https://github.com/FasterXML/jackson-databind/issues/1599 [2] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7525 Please adjust the affected versions in the BTS as needed. Regards, Salvatore
--- End Message ---
--- Begin Message ---Source: jackson-databind Source-Version: 2.8.6-1+deb9u1 We believe that the bug you reported is fixed in the latest version of jackson-databind, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 870...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Markus Koschany <a...@debian.org> (supplier of updated jackson-databind package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Wed, 18 Oct 2017 18:30:07 +0200 Source: jackson-databind Binary: libjackson2-databind-java libjackson2-databind-java-doc Architecture: source all Version: 2.8.6-1+deb9u1 Distribution: stretch-security Urgency: high Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org> Changed-By: Markus Koschany <a...@debian.org> Description: libjackson2-databind-java - fast and powerful JSON library for Java -- data binding libjackson2-databind-java-doc - Documentation for jackson-databind Closes: 870848 Changes: jackson-databind (2.8.6-1+deb9u1) stretch-security; urgency=high . * Team upload. * Fix CVE-2017-7525: Deserialization vulnerability via readValue method of ObjectMapper. (Closes: #870848) Checksums-Sha1: 6e7bef8316e74076da326edd510ffcd282eb7545 2694 jackson-databind_2.8.6-1+deb9u1.dsc 722ce2f73837560d20eeafdc1c8223a36fb74726 738780 jackson-databind_2.8.6.orig.tar.xz ae6630aafd8f7f519ab8b0c3c2866c2310305a2d 5788 jackson-databind_2.8.6-1+deb9u1.debian.tar.xz be378f0817282acb9960657ed89f25e87215c2e3 16408 jackson-databind_2.8.6-1+deb9u1_amd64.buildinfo e8121cf29945007216e65def21459c0254160afb 1228478 libjackson2-databind-java-doc_2.8.6-1+deb9u1_all.deb a0b3b468ab115da5674086bc63c39f5fbd93cf12 1153740 libjackson2-databind-java_2.8.6-1+deb9u1_all.deb Checksums-Sha256: c16f4c2fc44e9500e666dc470b9c1186fa6ab683bacf7d508b5132b9b4923e52 2694 jackson-databind_2.8.6-1+deb9u1.dsc 1c2edb33da5ad8baafb4b291872f885ee1cfc773683288bd514a19aa19c639d1 738780 jackson-databind_2.8.6.orig.tar.xz 4845ddc9d699d9e519a81d8018be0208da886c3e43ab284b5a187fcfa2615942 5788 jackson-databind_2.8.6-1+deb9u1.debian.tar.xz 825916430eecdc0c7f0d8dd747d417f48b9f034714a2dc21d2f2b76b067ade9a 16408 jackson-databind_2.8.6-1+deb9u1_amd64.buildinfo f45eeb19c6fff6bf8d8ad254b4a7f2b8d8991863072b3e892bad3c452de4c9fb 1228478 libjackson2-databind-java-doc_2.8.6-1+deb9u1_all.deb fcf080e5d4c68b2ba9c3e15100977f54af64b37e479eba8766773e6ba386cd96 1153740 libjackson2-databind-java_2.8.6-1+deb9u1_all.deb Files: 55e34f37df236fb186b496f998f1c22a 2694 java optional jackson-databind_2.8.6-1+deb9u1.dsc 399c2e0e54a1c8e34261f42e29bc1c6e 738780 java optional jackson-databind_2.8.6.orig.tar.xz 05a2bcf103ae8258be1ef78586e4b256 5788 java optional jackson-databind_2.8.6-1+deb9u1.debian.tar.xz 1a9153951ee593c567e5f919eb9779c9 16408 java optional jackson-databind_2.8.6-1+deb9u1_amd64.buildinfo 1daa36599a40c4ec43edffa52051d1e1 1228478 doc optional libjackson2-databind-java-doc_2.8.6-1+deb9u1_all.deb cc9e6655aa67cf36bddd8ce249bd9650 1153740 java optional libjackson2-databind-java_2.8.6-1+deb9u1_all.deb -----BEGIN PGP SIGNATURE----- iQKjBAEBCgCNFiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAlnopCJfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQPHGFwb0BkZWJp YW4ub3JnAAoJENmtFLlRO1HkqnYP/1RtO9mSE0O9xRvmJmPUTa2EjIxogmUJVNSX d4vu8FWPQxg+UmIjNKoJYGmiehirEHOyxXT4P/k0efHzd4IJyIwwW04svcK2pVe5 FI0Tld+eBHKYx+zW0I4/Wn9PiYcO+3LA5CaMW4Xl3Np/fmenZi2u/2bQBgD1Eo3C ozyLWw9lyc5jKK4eDgIGTNte812NLgFejRELjWjtx6LRsCNPMH6QK8XPmJ91BrcM Buok9DqbmBHJSQQsTfHSqp3eDoi04y1fwNnJ27hZx0izwadYaonevB+qyeocQJ+g f7jwfot8VRtxt9dYZEELaFApJ/r04XKLs1zeyLIBmwWZw1VArL244DOIVDypkRaD EX9M3MQH55YBit4gNRJ58j9v2oOK0j+dk9Wdd1+odFVyF2IVrtyL+w6glptivbdF BaXIoZUQvIa2dN1bd9iGc/aYMGOE2fx48UdVeSgsedIoJcovYPV0fhJDovFc9bCh p93M6DG2HLYtR87aTDprMRds5HvlbuYpOY6RYe19Dp9qelgMGk87j38eRmAtftFr Ln9KNulX1IdBkTi6/bf+NKKuyD3s9LP+NbLkBHK8mVRbXVZdoUdDBcaj1h1UVPKG K+f9B0UdxEwaSoxYzvzG5mrWd1hSH9UvP3dZaHTb+YIro/ORe5kPJ1wNDwucxmTr fIOiFeby =9gDD -----END PGP SIGNATURE-----
--- End Message ---
__ This is the maintainer address of Debian's Java team <http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers>. Please use debian-j...@lists.debian.org for discussions and questions.
