jackson-databind (2.14.0+ds-2) unstable; urgency=medium

  [ Otto Kekäläinen ]
  * Enable Salsa CI to help avoid testable regressions before upload to Debian
  * Fix broken Homepage link and add current upstream metadata.  The site
    wiki.fasterxml.com no longer exists. Replace it with a link to the current
    wiki location. Also add a metadata file following DEP-12, so it is easier
    both for maintainers to find the correct upstream websites and for the
    `git-buildpackage --add-upstreamvcs` feature to work.
  * Define Debian packaging repository conventions in gbp.conf.
    Add a git-buildpackage config file to show explicitly what conventions this
    Debian source package repository uses. This way it is easier for the
    current maintainer to do e.g. new upstream version imports, as there are
    fewer arguments that need to be passed to `gbp` commands, and also for any
    future maintainer/contributor there is less guesswork.

  [ Markus Koschany ]
  * Add CVE-2025-52999.patch and fix an FTBFS due to changes in jackson-core.
    (Closes: #1135410)

 -- Markus Koschany <apo@debian.org>  Sat, 06 Jun 2026 14:07:23 +0200

jackson-databind (2.14.0+ds-1) unstable; urgency=medium

  * Team upload.
  * Use java_compat_level from /usr/share/java/java_defaults.mk to set the
    target compiled classes version. (Closes: #1088270)
  * Promote Standards-Version to 4.7.0 without changes.
  * Repack sources without newly excluded files and update configuration for
    importing new releases.

 -- Julien Plissonneau Duquène <sre4ever@free.fr>  Tue, 26 Nov 2024 17:34:44 +0000

jackson-databind (2.14.0-1) unstable; urgency=medium

  * New upstream version 2.14.0.
    - Fix CVE-2022-42003:
      Resource exhaustion can occur because of a lack of a check in primitive
      value deserializers to avoid deep wrapper array nesting, when the
      UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled.
    - Fix CVE-2022-42004:
      Resource exhaustion can occur because of a lack of a check in
      BeanDeserializer._deserializeFromArray to prevent use of deeply nested
      arrays. An application is vulnerable only with certain customized choices
      for deserialization.
  * Declare compliance with Debian Policy 4.6.1.

 -- Markus Koschany <apo@debian.org>  Fri, 11 Nov 2022 23:19:39 +0100

jackson-databind (2.13.2.2-1) unstable; urgency=medium

  * New upstream version 2.13.2.2.
    - Fix CVE-2020-36518: Java StackOverflow exception and denial of service
      via a large depth of nested objects. (Closes: #1007109)
      Thanks to Neil Williams for the report.

 -- Markus Koschany <apo@debian.org>  Sat, 30 Apr 2022 14:05:08 +0200

jackson-databind (2.13.0-2) unstable; urgency=medium

  * Drop all doc packages from Build-Depends.
  * Update debian/watch.

 -- Markus Koschany <apo@debian.org>  Thu, 04 Nov 2021 10:28:57 +0100

jackson-databind (2.13.0-1) unstable; urgency=medium

  * New upstream version 2.13.0.

 -- Markus Koschany <apo@debian.org>  Fri, 22 Oct 2021 12:58:08 +0200

jackson-databind (2.12.5-1) unstable; urgency=medium

  * New upstream version 2.12.5.
  * Declare compliance with Debian Policy 4.6.0.

 -- Markus Koschany <apo@debian.org>  Tue, 07 Sep 2021 10:09:57 +0200

jackson-databind (2.12.1-1) unstable; urgency=medium

  * Team upload.
  * New upstream release
    - Refreshed the patch
    - Depend on libjackson2-annotations-java (>= 2.12.1)
  * Standards-Version updated to 4.5.1

 -- Emmanuel Bourg <ebourg@apache.org>  Sun, 17 Jan 2021 23:46:32 +0100

jackson-databind (2.11.1-1) unstable; urgency=medium

  * New upstream version 2.11.1.
    - Exclude the javadocs from the source tarball because they require more
      than 500 MB disk space.
    - Fixes CVE-2020-9548, CVE-2020-9547, CVE-2020-9546, CVE-2020-8840,
      CVE-2020-14195, CVE-2020-14062, CVE-2020-14061, CVE-2020-14060,
      CVE-2020-11620, CVE-2020-11619, CVE-2020-11113, CVE-2020-11112,
      CVE-2020-11111, CVE-2020-10969, CVE-2020-10968, CVE-2020-10673,
      CVE-2020-10672.
  * Switch to debhelper-compat = 13.
  * Refresh base-pom.patch.
  * Remove README.source.

 -- Markus Koschany <apo@debian.org>  Thu, 09 Jul 2020 13:53:55 +0200

jackson-databind (2.10.2-1) unstable; urgency=medium

  * New upstream version 2.10.2.
  * Declare compliance with Debian Policy 4.5.0.

 -- Markus Koschany <apo@debian.org>  Sun, 16 Feb 2020 14:27:13 +0100

jackson-databind (2.10.1-1) unstable; urgency=medium

  * New upstream version 2.10.1.
  * Drop CVE-2019-16942-and-CVE-2019-16943.patch. Fixed upstream.

 -- Markus Koschany <apo@debian.org>  Sun, 15 Dec 2019 16:07:37 +0100

jackson-databind (2.10.0-2) unstable; urgency=high

  * Fix CVE-2019-16942 and CVE-2019-16943.
    Block two more gadget types (commons-dbcp, p6spy). (Closes: #941530)

 -- Markus Koschany <apo@debian.org>  Thu, 03 Oct 2019 15:48:58 +0200

jackson-databind (2.10.0-1) unstable; urgency=medium

  * Team upload.
  * New upstream version 2.10.0.
    - Fix CVE-2019-14540 and CVE-2019-16335: Polymorphic Typing issues.
      (Closes: #940498) Thanks to Salvatore Bonaccorso for the report.
  * Declare compliance with Debian Policy 4.4.1.
  * Update base-pom.patch for new release.
  * Remove Wolodja Wentland from Uploaders. Add myself to it. (Closes: #898140)

 -- Markus Koschany <apo@debian.org>  Sun, 29 Sep 2019 21:51:57 +0200

jackson-databind (2.9.9.3-1) unstable; urgency=medium

  * Team upload.
  * New upstream version 2.9.9.3.
    - Fix CVE-2019-14439 and CVE-2019-14379. Thanks to Salvatore Bonaccorso for
      the report. (Closes: #933393)
  * Drop all patches. These are all part of the latest upstream release.
  * Switch to debhelper-compat = 12.
  * Declare compliance with Debian Policy 4.4.0.

 -- Markus Koschany <apo@debian.org>  Tue, 13 Aug 2019 00:26:52 +0200

jackson-databind (2.9.8-3) unstable; urgency=medium

  * Team upload.
  * Fix CVE-2019-12814 and CVE-2019-12384:
    More Polymorphic Typing issues were discovered in jackson-databind. When
    Default Typing is enabled (either globally or for a specific property) for
    an externally exposed JSON endpoint and the service has JDOM 1.x or 2.x or
    logback-core jar in the classpath, an attacker can send a specifically
    crafted JSON message that allows them to read arbitrary local files on the
    server. (Closes: #930750)

 -- Markus Koschany <apo@debian.org>  Sat, 22 Jun 2019 00:28:48 +0200

jackson-databind (2.9.8-2) unstable; urgency=medium

  * Team upload.
  * Fix CVE-2019-12086:
    A Polymorphic Typing issue was discovered in jackson-databind. When
    Default Typing is enabled (either globally or for a specific property) for
    an externally exposed JSON endpoint, the service has the
    mysql-connector-java jar (8.0.14 or earlier) in the classpath, and an
    attacker can host a crafted MySQL server reachable by the victim, an
    attacker can send a crafted JSON message that allows them to read arbitrary
    local files on the server. This occurs because of missing
    com.mysql.cj.jdbc.admin.MiniAdmin validation. (Closes: #929177)

 -- Markus Koschany <apo@debian.org>  Sat, 18 May 2019 20:31:28 +0200

jackson-databind (2.9.8-1) unstable; urgency=medium

  * Team upload.
  * New upstream release
    - Depend on libjackson2-core-java (>= 2.9.8)
  * Standards-Version updated to 4.3.0
  * Use salsa.debian.org Vcs-* URLs

 -- Emmanuel Bourg <ebourg@apache.org>  Sun, 30 Dec 2018 11:03:14 +0100

jackson-databind (2.9.5-1) unstable; urgency=medium

  * Team upload.
  * New upstream version 2.9.5.
    - Fix CVE-2018-7489: incomplete fix for CVE-2017-7525 permits unsafe
      serialization via c3p0 libraries. (Closes: #891614)
  * Remove --has-package-version flag.

 -- Markus Koschany <apo@debian.org>  Tue, 27 Mar 2018 17:36:36 +0200

jackson-databind (2.9.4-1) unstable; urgency=medium

  * Team upload.
  * New upstream version 2.9.4.
    - Fix CVE-2018-5968: bypass of deserialization blacklist related to
      CVE-2017-7525 and CVE-2017-17485. (Closes: #888316)
    - Fix CVE-2017-17485: unauthenticated remote code execution
      because of an incomplete fix for CVE-2017-7525. (Closes: #888318)
  * Use compat level 11.
  * Declare compliance with Debian Policy 4.1.3.

 -- Markus Koschany <apo@debian.org>  Thu, 25 Jan 2018 14:45:19 +0100

jackson-databind (2.9.1-1) unstable; urgency=medium

  * Team upload.
  * New upstream version 2.9.1.
    - Fixes CVE-2017-7525: Deserialization vulnerability via readValue
      method of ObjectMapper (Closes: #870848)
    - Builds fine with Java 9. (Closes: #875411)
  * Declare compliance with Debian Policy 4.1.1.
  * Tighten B-D on jackson-core and jackson-annotations.
  * Add libmaven-shade-plugin-java to B-D.

 -- Markus Koschany <apo@debian.org>  Thu, 12 Oct 2017 00:31:43 +0200

jackson-databind (2.8.6-1) unstable; urgency=medium

  * Team upload.
  * New upstream release

 -- Emmanuel Bourg <ebourg@apache.org>  Mon, 16 Jan 2017 01:49:15 +0100

jackson-databind (2.8.5-2) unstable; urgency=medium

  * Team upload.
  * Added the missing build dependency on build-helper-maven-plugin
    (Closes: #848734)
  * Use maven-replacer-plugin instead of debian/replace-generate.sh
  * Merged the Build-Depends-Indep field into Build-Depends

 -- Emmanuel Bourg <ebourg@apache.org>  Wed, 21 Dec 2016 00:12:35 +0100

jackson-databind (2.8.5-1) unstable; urgency=medium

  * Team upload.
  * New upstream release
    - Depend on libjackson2-{core,annotations}-java (>= 2.8.5)
  * Switch to debhelper level 10

 -- Emmanuel Bourg <ebourg@apache.org>  Thu, 15 Dec 2016 15:56:57 +0100

jackson-databind (2.7.4-1) unstable; urgency=medium

  * Team upload.
  * New upstream release
  * Depend on groovy instead of groovy2

 -- Emmanuel Bourg <ebourg@apache.org>  Fri, 13 May 2016 10:12:03 +0200

jackson-databind (2.7.3-1) unstable; urgency=medium

  * Team upload.
  * New upstream release
    - Refreshed the patch
    - Ignore the new test dependencies
    - Tightened the dependency on libjackson2-{core,annotations}-java
    - Removed the dependency on libcglib3-java
  * Standards-Version updated to 3.9.8 (no changes)
  * Use secure Vcs-* URLs

 -- Emmanuel Bourg <ebourg@apache.org>  Fri, 08 Apr 2016 15:10:22 +0200

jackson-databind (2.4.2-3) unstable; urgency=medium

  * Team upload.
  * Transition to Groovy 2

 -- Emmanuel Bourg <ebourg@apache.org>  Fri, 20 Nov 2015 13:06:01 +0100

jackson-databind (2.4.2-2) unstable; urgency=medium

  * Team upload.
  * Build depend on libcglib3-java instead of libcglib-java
  * Standards-Version updated to 3.9.6 (no changes)
  * Removed the build dependency on libmaven-cobertura-plugin-java

 -- Emmanuel Bourg <ebourg@apache.org>  Mon, 29 Sep 2014 16:30:49 +0200

jackson-databind (2.4.2-1) unstable; urgency=medium

  * Team upload.
  * New upstream release.
  * ignoreRules: Ignore replacer.
  * ignoreRules: Ignore release plugin.
  * control: Add libmaven-bundle-plugin to build-deps.
  * fix-using-bundle.diff: Use extensions with bundle plugin.
  * maven.{publishedR,r}ules: Fix version mangling.
  * control: Bump dependency on -core and -annotations.
  * properties: Set encoding to UTF-8.
  * control: Add libmaven-cobertura-plugin-java to build-depends.

 -- Timo Aaltonen <tjaalton@debian.org>  Wed, 24 Sep 2014 17:14:02 +0300

jackson-databind (2.2.2-2) unstable; urgency=low

  * Team upload.
  * Update Maven settings to use correct coordinates for Groovy 1.8.x.
    (Closes: #750267).
  * Bump Standards-Version to 3.9.5. No changes were required.

 -- Miguel Landaeta <nomadium@debian.org>  Mon, 26 May 2014 14:53:06 -0300

jackson-databind (2.2.2-1) unstable; urgency=low

  * Initial release. (Closes: #720504)

 -- Wolodja Wentland <debian@babilen5.org>  Thu, 22 Aug 2013 15:24:34 +0000
