Bug#870848: marked as done (jackson-databind: CVE-2017-7525: Deserialization vulnerability via readValue method of ObjectMapper)
Your message dated Sat, 18 Nov 2017 22:19:00 +
with message-id
and subject line Bug#870848: fixed in jackson-databind 2.4.2-2+deb8u1
has caused the Debian Bug report #870848,
regarding jackson-databind: CVE-2017-7525: Deserialization vulnerability via readValue method of ObjectMapper
to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

--
870848: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=870848
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Source: jackson-databind
Version: 2.8.6-1
Severity: grave
Tags: security upstream
Forwarded: https://github.com/FasterXML/jackson-databind/issues/1599

Hi,

the following vulnerability was published for jackson-databind.

CVE-2017-7525[0]:
Deserialization vulnerability via readValue method of ObjectMapper

If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

Upstream tracking is at [2].

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-7525
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7525
[1] https://github.com/FasterXML/jackson-databind/issues/1599
[2] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7525

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
--- End Message ---

--- Begin Message ---
Source: jackson-databind
Source-Version: 2.4.2-2+deb8u1

We believe that the bug you reported is fixed in the latest version of jackson-databind, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 870...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany (supplier of updated jackson-databind package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org)

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Thu, 19 Oct 2017 01:44:42 +0200
Source: jackson-databind
Binary: libjackson2-databind-java libjackson2-databind-java-doc
Architecture: source all
Version: 2.4.2-2+deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Debian Java Maintainers
Changed-By: Markus Koschany
Description:
 libjackson2-databind-java - fast and powerful JSON library for Java -- data binding
 libjackson2-databind-java-doc - Documentation for jackson-databind
Closes: 870848
Changes:
 jackson-databind (2.4.2-2+deb8u1) jessie-security; urgency=high
 .
   * Team upload.
   * Fix CVE-2017-7525: Deserialization vulnerability via readValue method of ObjectMapper.
(Closes: #870848)
Bug#870848: marked as done (jackson-databind: CVE-2017-7525: Deserialization vulnerability via readValue method of ObjectMapper)
Your message dated Sun, 12 Nov 2017 15:33:07 +
with message-id
and subject line Bug#870848: fixed in jackson-databind 2.8.6-1+deb9u1
has caused the Debian Bug report #870848,
regarding jackson-databind: CVE-2017-7525: Deserialization vulnerability via readValue method of ObjectMapper
to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

--
870848: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=870848
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Source: jackson-databind
Version: 2.8.6-1
Severity: grave
Tags: security upstream
Forwarded: https://github.com/FasterXML/jackson-databind/issues/1599

Hi,

the following vulnerability was published for jackson-databind.

CVE-2017-7525[0]:
Deserialization vulnerability via readValue method of ObjectMapper

If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

Upstream tracking is at [2].

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-7525
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7525
[1] https://github.com/FasterXML/jackson-databind/issues/1599
[2] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7525

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
--- End Message ---

--- Begin Message ---
Source: jackson-databind
Source-Version: 2.8.6-1+deb9u1

We believe that the bug you reported is fixed in the latest version of jackson-databind, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 870...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany (supplier of updated jackson-databind package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org)

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Wed, 18 Oct 2017 18:30:07 +0200
Source: jackson-databind
Binary: libjackson2-databind-java libjackson2-databind-java-doc
Architecture: source all
Version: 2.8.6-1+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Debian Java Maintainers
Changed-By: Markus Koschany
Description:
 libjackson2-databind-java - fast and powerful JSON library for Java -- data binding
 libjackson2-databind-java-doc - Documentation for jackson-databind
Closes: 870848
Changes:
 jackson-databind (2.8.6-1+deb9u1) stretch-security; urgency=high
 .
   * Team upload.
   * Fix CVE-2017-7525: Deserialization vulnerability via readValue method of ObjectMapper.
(Closes: #870848)
Bug#870848: marked as done (jackson-databind: CVE-2017-7525: Deserialization vulnerability via readValue method of ObjectMapper)
Your message dated Wed, 11 Oct 2017 23:19:05 +
with message-id
and subject line Bug#870848: fixed in jackson-databind 2.9.1-1
has caused the Debian Bug report #870848,
regarding jackson-databind: CVE-2017-7525: Deserialization vulnerability via readValue method of ObjectMapper
to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

--
870848: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=870848
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---
Source: jackson-databind
Version: 2.8.6-1
Severity: grave
Tags: security upstream
Forwarded: https://github.com/FasterXML/jackson-databind/issues/1599

Hi,

the following vulnerability was published for jackson-databind.

CVE-2017-7525[0]:
Deserialization vulnerability via readValue method of ObjectMapper

If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

Upstream tracking is at [2].

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-7525
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7525
[1] https://github.com/FasterXML/jackson-databind/issues/1599
[2] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7525

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
--- End Message ---

--- Begin Message ---
Source: jackson-databind
Source-Version: 2.9.1-1

We believe that the bug you reported is fixed in the latest version of jackson-databind, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 870...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany (supplier of updated jackson-databind package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org)

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Thu, 12 Oct 2017 00:31:43 +0200
Source: jackson-databind
Binary: libjackson2-databind-java libjackson2-databind-java-doc
Architecture: source
Version: 2.9.1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers
Changed-By: Markus Koschany
Description:
 libjackson2-databind-java - fast and powerful JSON library for Java -- data binding
 libjackson2-databind-java-doc - Documentation for jackson-databind
Closes: 870848 875411
Changes:
 jackson-databind (2.9.1-1) unstable; urgency=medium
 .
   * Team upload.
   * New upstream version 2.9.1.
     - Fixes CVE-2017-7525: Deserialization vulnerability via readValue method of ObjectMapper (Closes: #870848)
     - Builds fine with Java 9. (Closes: #875411)
   * Declare compliance with Debian Policy 4.1.1.
   * Tighten B-D on jackson-core and jackson-annotations.
   * Add libmaven-shade-plugin-java to B-D.