Hi, On Wed, 24 Jan 2018 23:02:44 +0100 Salvatore Bonaccorso <car...@debian.org> wrote: > Source: jackson-databind > Version: 2.9.1-1 > Severity: grave > Tags: patch security upstream > Forwarded: https://github.com/FasterXML/jackson-databind/issues/1899 > Control: found -1 2.8.6-1+deb9u2 > Control: found -1 2.4.2-2+deb8u2 > > Hi, > > the following vulnerability was published for jackson-databind.
[...] Thanks for reporting. I had a look at jackson-databind in Stretch. We just need to apply the patch to BeanDeserializerFactory.java again. As for Sid upgrading to the latest upstream release 2.9.4 should also resolve this. I'm working on it now. Regards, Markus
signature.asc
Description: OpenPGP digital signature
