jackson-databind (2.14.0+ds-1) unstable; urgency=medium

  * Team upload.
  * Use java_compat_level from /usr/share/java/java_defaults.mk to set the
    target compiled classes version. (Closes: #1088270)
  * Promote Standards-Version to 4.7.0 without changes.
  * Repack sources without newly excluded files and update configuration for
    importing new releases.

 -- Julien Plissonneau Duquène <sre4ever@free.fr>  Tue, 26 Nov 2024 17:34:44 +0000

jackson-databind (2.14.0-1) unstable; urgency=medium

  * New upstream version 2.14.0.
    - Fix CVE-2022-42003:
      Resource exhaustion can occur because of a lack of a check in primitive
      value deserializers to avoid deep wrapper array nesting, when the
      UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled.
    - Fix CVE-2022-42004:
      Resource exhaustion can occur because of a lack of a check in
      BeanDeserializer._deserializeFromArray to prevent use of deeply nested
      arrays. An application is vulnerable only with certain customized choices
      for deserialization.
  * Declare compliance with Debian Policy 4.6.1.

 -- Markus Koschany <apo@debian.org>  Fri, 11 Nov 2022 23:19:39 +0100

jackson-databind (2.13.2.2-1) unstable; urgency=medium

  * New upstream version 2.13.2.2.
    - Fix CVE-2020-36518: Java StackOverflow exception and denial of service
      via a large depth of nested objects. (Closes: #1007109)
      Thanks to Neil Williams for the report.

 -- Markus Koschany <apo@debian.org>  Sat, 30 Apr 2022 14:05:08 +0200

jackson-databind (2.13.0-2) unstable; urgency=medium

  * Drop all doc packages from Build-Depends.
  * Update debian/watch.

 -- Markus Koschany <apo@debian.org>  Thu, 04 Nov 2021 10:28:57 +0100

jackson-databind (2.13.0-1) unstable; urgency=medium

  * New upstream version 2.13.0.

 -- Markus Koschany <apo@debian.org>  Fri, 22 Oct 2021 12:58:08 +0200

jackson-databind (2.12.5-1) unstable; urgency=medium

  * New upstream version 2.12.5.
  * Declare compliance with Debian Policy 4.6.0.

 -- Markus Koschany <apo@debian.org>  Tue, 07 Sep 2021 10:09:57 +0200

jackson-databind (2.12.1-1) unstable; urgency=medium

  * Team upload.
  * New upstream release
    - Refreshed the patch
    - Depend on libjackson2-annotations-java (>= 2.12.1)
  * Standards-Version updated to 4.5.1

 -- Emmanuel Bourg <ebourg@apache.org>  Sun, 17 Jan 2021 23:46:32 +0100

jackson-databind (2.11.1-1) unstable; urgency=medium

  * New upstream version 2.11.1.
    - Exclude the javadocs from the source tarball because they require more
      than 500 MB disk space.
    - Fixes CVE-2020-9548, CVE-2020-9547, CVE-2020-9546, CVE-2020-8840,
      CVE-2020-14195, CVE-2020-14062, CVE-2020-14061, CVE-2020-14060,
      CVE-2020-11620, CVE-2020-11619, CVE-2020-11113, CVE-2020-11112,
      CVE-2020-11111, CVE-2020-10969, CVE-2020-10968, CVE-2020-10673,
      CVE-2020-10672.
  * Switch to debhelper-compat = 13.
  * Refresh base-pom.patch.
  * Remove README.source.

 -- Markus Koschany <apo@debian.org>  Thu, 09 Jul 2020 13:53:55 +0200

jackson-databind (2.10.2-1) unstable; urgency=medium

  * New upstream version 2.10.2.
  * Declare compliance with Debian Policy 4.5.0.

 -- Markus Koschany <apo@debian.org>  Sun, 16 Feb 2020 14:27:13 +0100

jackson-databind (2.10.1-1) unstable; urgency=medium

  * New upstream version 2.10.1.
  * Drop CVE-2019-16942-and-CVE-2019-16943.patch. Fixed upstream.

 -- Markus Koschany <apo@debian.org>  Sun, 15 Dec 2019 16:07:37 +0100

jackson-databind (2.10.0-2) unstable; urgency=high

  * Fix CVE-2019-16942 and CVE-2019-16943.
    Block two more gadget types (commons-dbcp, p6spy). (Closes: #941530)

 -- Markus Koschany <apo@debian.org>  Thu, 03 Oct 2019 15:48:58 +0200

jackson-databind (2.10.0-1) unstable; urgency=medium

  * Team upload.
  * New upstream version 2.10.0.
    -Fix CVE-2019-14540 and CVE-2019-16335: Polymorphic Typing issues.
    (Closes: #940498) Thanks to Salvatore Bonaccorso for the report.
  * Declare compliance with Debian Policy 4.4.1.
  * Update base-pom.patch for new release.
  * Remove Wolodja Wentland from Uploaders. Add myself to it. (Closes: #898140)

 -- Markus Koschany <apo@debian.org>  Sun, 29 Sep 2019 21:51:57 +0200

jackson-databind (2.9.9.3-1) unstable; urgency=medium

  * Team upload.
  * New upstream version 2.9.9.3.
    - Fix CVE-2019-14439 and CVE-2019-14379. Thanks to Salvatore Bonaccorso for
      the report. (Closes: #933393)
  * Drop all patches. These are all part of the latest upstream release.
  * Switch to debhelper-compat = 12.
  * Declare compliance with Debian Policy 4.4.0.

 -- Markus Koschany <apo@debian.org>  Tue, 13 Aug 2019 00:26:52 +0200

jackson-databind (2.9.8-3) unstable; urgency=medium

  * Team upload.
  * Fix CVE-2019-12814 and CVE-2019-12384:
    More Polymorphic Typing issues were discovered in jackson-databind. When
    Default Typing is enabled (either globally or for a specific property) for
    an externally exposed JSON endpoint and the service has JDOM 1.x or 2.x or
    logback-core jar in the classpath, an attacker can send a specifically
    crafted JSON message that allows them to read arbitrary local files on the
    server. (Closes: #930750)

 -- Markus Koschany <apo@debian.org>  Sat, 22 Jun 2019 00:28:48 +0200

jackson-databind (2.9.8-2) unstable; urgency=medium

  * Team upload.
  * Fix CVE-2019-12086:
    A Polymorphic Typing issue was discovered in jackson-databind. When
    Default Typing is enabled (either globally or for a specific property) for
    an externally exposed JSON endpoint, the service has the
    mysql-connector-java jar (8.0.14 or earlier) in the classpath, and an
    attacker can host a crafted MySQL server reachable by the victim, an
    attacker can send a crafted JSON message that allows them to read arbitrary
    local files on the server. This occurs because of missing
    com.mysql.cj.jdbc.admin.MiniAdmin validation. (Closes: #929177)

 -- Markus Koschany <apo@debian.org>  Sat, 18 May 2019 20:31:28 +0200

jackson-databind (2.9.8-1) unstable; urgency=medium

  * Team upload.
  * New upstream release
    - Depend on libjackson2-core-java (>= 2.9.8)
  * Standards-Version updated to 4.3.0
  * Use salsa.debian.org Vcs-* URLs

 -- Emmanuel Bourg <ebourg@apache.org>  Sun, 30 Dec 2018 11:03:14 +0100

jackson-databind (2.9.5-1) unstable; urgency=medium

  * Team upload.
  * New upstream version 2.9.5.
    - Fix CVE-2018-7489: incomplete fix for CVE-2017-7525 permits unsafe
      serialization via c3p0 libraries. (Closes: #891614)
  * Remove --has-package-version flag.

 -- Markus Koschany <apo@debian.org>  Tue, 27 Mar 2018 17:36:36 +0200

jackson-databind (2.9.4-1) unstable; urgency=medium

  * Team upload.
  * New upstream version 2.9.4.
    - Fix CVE-2018-5968: bypass of deserialization blacklist related to
      CVE-2017-7525 and CVE-2017-17485. (Closes: #888316)
    - Fix CVE-2017-17485: unauthenticated remote code execution
      because of an incomplete fix for CVE-2017-7525. (Closes: #888318)
  * Use compat level 11.
  * Declare compliance with Debian Policy 4.1.3.

 -- Markus Koschany <apo@debian.org>  Thu, 25 Jan 2018 14:45:19 +0100

jackson-databind (2.9.1-1) unstable; urgency=medium

  * Team upload.
  * New upstream version 2.9.1.
    - Fixes CVE-2017-7525: Deserialization vulnerability via readValue
      method of ObjectMapper (Closes: #870848)
    - Builds fine with Java 9. (Closes: #875411)
  * Declare compliance with Debian Policy 4.1.1.
  * Tighten B-D on jackson-core and jackson-annotations.
  * Add libmaven-shade-plugin-java to B-D.

 -- Markus Koschany <apo@debian.org>  Thu, 12 Oct 2017 00:31:43 +0200

jackson-databind (2.8.6-1) unstable; urgency=medium

  * Team upload.
  * New upstream release

 -- Emmanuel Bourg <ebourg@apache.org>  Mon, 16 Jan 2017 01:49:15 +0100

jackson-databind (2.8.5-2) unstable; urgency=medium

  * Team upload.
  * Added the missing build dependency on build-helper-maven-plugin
    (Closes: #848734)
  * Use maven-replacer-plugin instead of debian/replace-generate.sh
  * Merged the Build-Depends-Indep field into Build-Depends

 -- Emmanuel Bourg <ebourg@apache.org>  Wed, 21 Dec 2016 00:12:35 +0100

jackson-databind (2.8.5-1) unstable; urgency=medium

  * Team upload.
  * New upstream release
    - Depend on libjackson2-{core,annotations}-java (>= 2.8.5)
  * Switch to debhelper level 10

 -- Emmanuel Bourg <ebourg@apache.org>  Thu, 15 Dec 2016 15:56:57 +0100

jackson-databind (2.7.4-1) unstable; urgency=medium

  * Team upload.
  * New upstream release
  * Depend on groovy instead of groovy2

 -- Emmanuel Bourg <ebourg@apache.org>  Fri, 13 May 2016 10:12:03 +0200

jackson-databind (2.7.3-1) unstable; urgency=medium

  * Team upload.
  * New upstream release
    - Refreshed the patch
    - Ignore the new test dependencies
    - Tightened the dependency on libjackson2-{core,annotations}-java
    - Removed the dependency on libcglib3-java
  * Standards-Version updated to 3.9.8 (no changes)
  * Use secure Vcs-* URLs

 -- Emmanuel Bourg <ebourg@apache.org>  Fri, 08 Apr 2016 15:10:22 +0200

jackson-databind (2.4.2-3) unstable; urgency=medium

  * Team upload.
  * Transition to Groovy 2

 -- Emmanuel Bourg <ebourg@apache.org>  Fri, 20 Nov 2015 13:06:01 +0100

jackson-databind (2.4.2-2) unstable; urgency=medium

  * Team upload.
  * Build depend on libcglib3-java instead of libcglib-java
  * Standards-Version updated to 3.9.6 (no changes)
  * Removed the build dependency on libmaven-cobertura-plugin-java

 -- Emmanuel Bourg <ebourg@apache.org>  Mon, 29 Sep 2014 16:30:49 +0200

jackson-databind (2.4.2-1) unstable; urgency=medium

  * Team upload.
  * New upstream release.
  * ignoreRules: Ignore replacer.
  * ignoreRules: Ignore release plugin.
  * control: Add libmaven-bundle-plugin to build-deps.
  * fix-using-bundle.diff: Use extensions with bundle plugin.
  * maven.{publishedR,r}ules: Fix version mangling.
  * control: Bump dependency on -core and -annotations.
  * properties: Set encoding to UTF-8.
  * control: Add libmaven-cobertura-plugin-java to build-depends.

 -- Timo Aaltonen <tjaalton@debian.org>  Wed, 24 Sep 2014 17:14:02 +0300

jackson-databind (2.2.2-2) unstable; urgency=low

  * Team upload.
  * Update Maven settings to use correct coordinates for Groovy 1.8.x.
    (Closes: #750267).
  * Bump Standards-Version to 3.9.5. No changes were required.

 -- Miguel Landaeta <nomadium@debian.org>  Mon, 26 May 2014 14:53:06 -0300

jackson-databind (2.2.2-1) unstable; urgency=low

  * Initial release. (Closes: #720504)

 -- Wolodja Wentland <debian@babilen5.org>  Thu, 22 Aug 2013 15:24:34 +0000
