Version in base suite: 2.14.0+ds-1 Base version: jackson-databind_2.14.0+ds-1 Target version: jackson-databind_2.14.0+ds-1+deb13u1 Base file: /srv/ftp-master.debian.org/ftp/pool/main/j/jackson-databind/jackson-databind_2.14.0+ds-1.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/j/jackson-databind/jackson-databind_2.14.0+ds-1+deb13u1.dsc changelog | 22 +++++++++++++++++ control | 2 - gbp.conf | 55 +++++++++++++++++++++++++++++++++++++++++++ patches/CVE-2025-52999.patch | 39 ++++++++++++++++++++++++++++++ patches/series | 1 salsa-ci.yml | 14 ++++++++++ upstream/metadata | 7 +++++ 7 files changed, 139 insertions(+), 1 deletion(-) dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpiscok6c9/jackson-databind_2.14.0+ds-1.dsc: no acceptable signature found dpkg-source: warning: cannot verify inline signature for /srv/release.debian.org/tmp/tmpiscok6c9/jackson-databind_2.14.0+ds-1+deb13u1.dsc: no acceptable signature found diff -Nru jackson-databind-2.14.0+ds/debian/changelog jackson-databind-2.14.0+ds/debian/changelog --- jackson-databind-2.14.0+ds/debian/changelog 2024-11-26 17:34:44.000000000 +0000 +++ jackson-databind-2.14.0+ds/debian/changelog 2026-06-10 18:49:25.000000000 +0000 @@ -1,3 +1,25 @@ +jackson-databind (2.14.0+ds-1+deb13u1) trixie-security; urgency=medium + + [ Otto Kekäläinen ] + * Enable Salsa CI to help avoid testable regressions before upload to Debian + * Fix broken Homepage link and add current upstream metadata. The site + wiki.fasterxml.com no longer exists. Replace it with link to the current + wiki location. Also add a metadata file following DEP-12, so it is easier + for both maintainers to find the correct upstream websites, as well as for + `git-buildpackage --add-upstreamvcs` feature to work. + * Define Debian packaging repository conventions in gbp.conf. + Add a git-buildpackage config file to show explicitly what conventions this + Debian source package repository uses. This way it is easier for current + maintainer to do e.g. new upstream version imports, as there are less + arguments that need to be passed to `gbp` commands, and also for any future + maintainer/contributor there is less guesswork. + + [ Markus Koschany ] + * Add CVE-2025-52999.patch and fix a FBTFS due to changes in jackson-core. + (Closes: #1135410) + + -- Markus Koschany Wed, 10 Jun 2026 20:49:25 +0200 + jackson-databind (2.14.0+ds-1) unstable; urgency=medium * Team upload. diff -Nru jackson-databind-2.14.0+ds/debian/control jackson-databind-2.14.0+ds/debian/control --- jackson-databind-2.14.0+ds/debian/control 2024-11-26 17:34:44.000000000 +0000 +++ jackson-databind-2.14.0+ds/debian/control 2026-06-10 18:49:25.000000000 +0000 @@ -24,7 +24,7 @@ Rules-Requires-Root: no Vcs-Git: https://salsa.debian.org/java-team/jackson-databind.git Vcs-Browser: https://salsa.debian.org/java-team/jackson-databind -Homepage: http://wiki.fasterxml.com/JacksonHome +Homepage: https://github.com/FasterXML/jackson/wiki/ Package: libjackson2-databind-java Architecture: all diff -Nru jackson-databind-2.14.0+ds/debian/gbp.conf jackson-databind-2.14.0+ds/debian/gbp.conf --- jackson-databind-2.14.0+ds/debian/gbp.conf 1970-01-01 00:00:00.000000000 +0000 +++ jackson-databind-2.14.0+ds/debian/gbp.conf 2026-06-10 18:49:25.000000000 +0000 @@ -0,0 +1,55 @@ +[DEFAULT] +debian-branch = master +upstream-branch = upstream + +# Lax requirement to use branch name 'debian/latest' so that git-buildpackage +# will always build using the currently checked out branch as the Debian branch. +# This makes it easier for contributors to work with feature and bugfix +# branches. +ignore-branch = True + +# Always use pristine tar +pristine-tar = True + +# This git repository also hosts the actual upstream tags and main branch 'master'. +# Configure the upstream tag format below, so that `gbp import-orig` will run +# correctly, and link tarball import branch (`upstream/latest`) with the +# equivalent upstream release tag, showing a complete audit trail of what +# upstream released and what was imported into Debian. +upstream-vcs-tag = jackson-databind-%(version%~%.)s + +# If upstream publishes tarball signatures, git-buildpackage will by default +# import and use the them. Change this to 'on' to make 'gbp import-orig' abort +# if the signature is not found or is not valid. +# +# jackson-databind does not publish any signatures currently +#upstream-signatures = on + +# Ease dropping / adding patches +patch-numbers = False + +# Group debian/changelog entries with the same "[ Author ]" instead of making +# multiple ones for the same author +multimaint-merge = True + +# Automatically open a new changelog entry about the new upstream release, but +# do not commit it, as the 'gbp dch' still needs to run and list all commits +# based on when the debian/changelog last was updated in a git commit +postimport = dch -v %(version)s "New upstream release" + +# Ensure a human always reviews all the debian/changelog entries +spawn-editor = always + +# No need to confirm package name or version at any time, git-buildpackage +# always gets it right +interactive = False + +# Ensure we always target Debian on Debian branches +dch-opt = --vendor=debian + +# If this package ever needs to be maintained for Ubuntu, remember to override +# the branch, tag and commit messages +#debian-branch = ubuntu/24.04-noble +#debian-tag = ubuntu/%(version)s +#debian-tag-msg = %(pkg)s Ubuntu release %(version)s +#dch-opt = --vendor=ubuntu diff -Nru jackson-databind-2.14.0+ds/debian/patches/CVE-2025-52999.patch jackson-databind-2.14.0+ds/debian/patches/CVE-2025-52999.patch --- jackson-databind-2.14.0+ds/debian/patches/CVE-2025-52999.patch 1970-01-01 00:00:00.000000000 +0000 +++ jackson-databind-2.14.0+ds/debian/patches/CVE-2025-52999.patch 2026-06-10 18:49:25.000000000 +0000 @@ -0,0 +1,39 @@ +From: Markus Koschany +Date: Sat, 6 Jun 2026 14:04:23 +0200 +Subject: CVE-2025-52999 + +Related to CVE-2025-52999.patch in jackson-core. Fixes a FTBFS. + +Bug-Debian: https://bugs.debian.org/1135410 +Forwarded: not-needed +--- + src/main/java/com/fasterxml/jackson/databind/ObjectMapper.java | 2 +- + src/main/java/com/fasterxml/jackson/databind/ObjectWriter.java | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/main/java/com/fasterxml/jackson/databind/ObjectMapper.java b/src/main/java/com/fasterxml/jackson/databind/ObjectMapper.java +index d16d83a..87a07ab 100644 +--- a/src/main/java/com/fasterxml/jackson/databind/ObjectMapper.java ++++ b/src/main/java/com/fasterxml/jackson/databind/ObjectMapper.java +@@ -3861,7 +3861,7 @@ public class ObjectMapper + * Note: prior to version 2.1, throws clause included {@link IOException}; 2.1 removed it. + */ + public String writeValueAsString(Object value) +- throws JsonProcessingException ++ throws JsonProcessingException, IOException + { + // alas, we have to pull the recycler directly here... + SegmentedStringWriter sw = new SegmentedStringWriter(_jsonFactory._getBufferRecycler()); +diff --git a/src/main/java/com/fasterxml/jackson/databind/ObjectWriter.java b/src/main/java/com/fasterxml/jackson/databind/ObjectWriter.java +index 744d17f..890b855 100644 +--- a/src/main/java/com/fasterxml/jackson/databind/ObjectWriter.java ++++ b/src/main/java/com/fasterxml/jackson/databind/ObjectWriter.java +@@ -1132,7 +1132,7 @@ public class ObjectWriter + * Note: prior to version 2.1, throws clause included {@link IOException}; 2.1 removed it. + */ + public String writeValueAsString(Object value) +- throws JsonProcessingException ++ throws JsonProcessingException, IOException + { + // alas, we have to pull the recycler directly here... + SegmentedStringWriter sw = new SegmentedStringWriter(_generatorFactory._getBufferRecycler()); diff -Nru jackson-databind-2.14.0+ds/debian/patches/series jackson-databind-2.14.0+ds/debian/patches/series --- jackson-databind-2.14.0+ds/debian/patches/series 2024-11-26 17:34:44.000000000 +0000 +++ jackson-databind-2.14.0+ds/debian/patches/series 2026-06-10 18:49:25.000000000 +0000 @@ -1,2 +1,3 @@ base-pom.patch set-java-baseline.patch +CVE-2025-52999.patch diff -Nru jackson-databind-2.14.0+ds/debian/salsa-ci.yml jackson-databind-2.14.0+ds/debian/salsa-ci.yml --- jackson-databind-2.14.0+ds/debian/salsa-ci.yml 1970-01-01 00:00:00.000000000 +0000 +++ jackson-databind-2.14.0+ds/debian/salsa-ci.yml 2026-06-10 18:49:25.000000000 +0000 @@ -0,0 +1,14 @@ +# This is a template from +# https://salsa.debian.org/salsa-ci-team/pipeline/-/raw/master/recipes/salsa-ci.yml +# +# If this pipeline is not running at after committing and pushing this file, +# ensure that https://salsa.debian.org/%{project_path}/-/settings/ci_cd has in +# field "CI/CD configuration file" filename "debian/salsa-ci.yml". +# +# Feel free disable and enable tests to find a good balance between extensive +# coverage and having a consistently green pipeline where failures are rare +# enough that they are always investigated and addressed. For documeenation +# please read https://salsa.debian.org/salsa-ci-team/pipeline +--- +include: + - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/recipes/debian.yml diff -Nru jackson-databind-2.14.0+ds/debian/upstream/metadata jackson-databind-2.14.0+ds/debian/upstream/metadata --- jackson-databind-2.14.0+ds/debian/upstream/metadata 1970-01-01 00:00:00.000000000 +0000 +++ jackson-databind-2.14.0+ds/debian/upstream/metadata 2026-06-10 18:49:25.000000000 +0000 @@ -0,0 +1,7 @@ +Bug-Database: https://github.com/FasterXML/jackson-databind/issues +Bug-Submit: https://github.com/FasterXML/jackson-databind/issues/new +Changelog: https://github.com/FasterXML/jackson/wiki/Jackson-Releases +Documentation: https://github.com/FasterXML/jackson-docs +Other-References: http://fasterxml.com/ +Repository-Browse: https://github.com/FasterXML/jackson-databind +Repository: https://github.com/FasterXML/jackson-databind.git