The jackson-databind package provides general data-binding functionality for Jackson, which works on top of Jackson core streaming API. Security Fix: * A deserialization flaw was discovered in the jackson-databind which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. * Further classes that an attacker could use to achieve code execution through deserialisation were discovered, and added to the blacklist introduced by CVE-2017-7525. Red Hat would like to thank Liao Xinxi for reporting CVE-2017-7525 and CVE-2017-15095 and 0c0c0f from 360 for reporting CVE-2017-17485.