jackson-databind (2.14.0-1) [PTS] [DDPO]

OK: VCS matches the version in the archive

Git: https://salsa.debian.org/java-team/jackson-databind.git
JSON
Enter a full Vcs-* header, supported schemes are: Vcs-Bzr, Vcs-Cvs, Vcs-Darcs, Vcs-Git, Vcs-Hg, Vcs-Mtn, Vcs-Svn.
For Vcs-Git append -b branch to select the branch name; append [subdir] if the debian/ directory is not in the repository root.
The next upload will reset the information from the source package headers.
Branch: master
Path: debian/changelog
Repo size: 12836864
Browser: https://salsa.debian.org/java-team/jackson-databind
Last scan: 2023-05-31 20:10:12+00
Next scan: 2023-06-07 19:35:00+00

Debian changelog in Git:

jackson-databind (2.14.0-1) unstable; urgency=medium

  * New upstream version 2.14.0.
    - Fix CVE-2022-42003:
      Resource exhaustion can occur because of a lack of a check in primitive
      value deserializers to avoid deep wrapper array nesting, when the
      UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled.
    - Fix CVE-2022-42004:
      Resource exhaustion can occur because of a lack of a check in
      BeanDeserializer._deserializeFromArray to prevent use of deeply nested
      arrays. An application is vulnerable only with certain customized choices
      for deserialization.
  * Declare compliance with Debian Policy 4.6.1.

 -- Markus Koschany <apo@debian.org>  Fri, 11 Nov 2022 23:19:39 +0100

This branch is even with tag debian/2.14.0-1