ELA-732-1 jackson-databind security update

denial of service

2022-11-13
Package: jackson-databind
Version: 2.8.6-1+deb9u11 (stretch)
Related CVEs: CVE-2022-42003, CVE-2022-42004


Several flaws were discovered in jackson-databind, a fast and powerful JSON library for Java. A denial of service (resource exhaustion) could occur because of a missing check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled.
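
As an added example (not part of this advisory and not jackson-databind's own fix), a service that enables UNWRAP_SINGLE_VALUE_ARRAYS can bound nesting depth with Jackson's streaming parser before data binding, as defence in depth alongside the upgrade. The class name NestingGuard, the readChecked helper and the MAX_DEPTH value of 32 are assumptions, and the sample inputs are constructed.

```java
import com.fasterxml.jackson.core.JsonFactory;
import com.fasterxml.jackson.core.JsonParser;
import com.fasterxml.jackson.core.JsonToken;
import com.fasterxml.jackson.databind.DeserializationFeature;
import com.fasterxml.jackson.databind.ObjectMapper;
import java.io.IOException;

public class NestingGuard {
    // Assumed limit for this example; pick one that fits your legitimate payloads.
    static final int MAX_DEPTH = 32;
    static final JsonFactory FACTORY = new JsonFactory();

    // Walks the tokens iteratively (no recursion) and stops as soon as the limit is passed.
    static boolean exceedsDepth(String json, int limit) throws IOException {
        int depth = 0;
        try (JsonParser p = FACTORY.createParser(json)) {
            JsonToken t;
            while ((t = p.nextToken()) != null) {
                if (t == JsonToken.START_ARRAY || t == JsonToken.START_OBJECT) {
                    if (++depth > limit) return true;
                } else if (t == JsonToken.END_ARRAY || t == JsonToken.END_OBJECT) {
                    depth--;
                }
            }
        }
        return false;
    }

    // Hypothetical wrapper: reject over-nested input before it reaches data binding.
    static <T> T readChecked(ObjectMapper mapper, String json, Class<T> type) throws IOException {
        if (exceedsDepth(json, MAX_DEPTH)) {
            throw new IOException("JSON nesting deeper than " + MAX_DEPTH + " levels, rejected");
        }
        return mapper.readValue(json, type);
    }

    public static void main(String[] args) throws IOException {
        ObjectMapper mapper = new ObjectMapper()
                .enable(DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS);
        System.out.println(readChecked(mapper, "[42]", Integer.class));
        // Constructed input: one integer wrapped in 100 arrays, above the assumed limit.
        StringBuilder deep = new StringBuilder();
        for (int i = 0; i < 100; i++) deep.append('[');
        deep.append('1');
        for (int i = 0; i < 100; i++) deep.append(']');
        try { readChecked(mapper, deep.toString(), Integer.class); }
        catch (IOException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

The guard parses the input twice, so apply it where untrusted JSON enters the service rather than on every internal call.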



For Debian 9 stretch, these problems have been fixed in version 2.8.6-1+deb9u11.

We recommend that you upgrade your jackson-databind packages.

Further information about Extended LTS security advisories can be found in the dedicated section of our website.