jackson-databind: CVE-2018-7489: incomplete fix for CVE-2017-7525 permits unsafe serialization via c3p0 libraries

Related Vulnerabilities: CVE-2018-7489   CVE-2017-7525  

Debian Bug report logs - #891614


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Tue, 27 Feb 2018 06:21:01 UTC

Severity: grave

Tags: fixed-upstream, patch, security, upstream

Found in version jackson-databind/2.9.4-1

Fixed in version jackson-databind/2.9.5-1

Done: Markus Koschany <apo@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://github.com/FasterXML/jackson-databind/issues/1931



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#891614; Package src:jackson-databind. (Tue, 27 Feb 2018 06:21:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Tue, 27 Feb 2018 06:21:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: jackson-databind: CVE-2018-7489: incomplete fix for CVE-2017-7525 permits unsafe serialization via c3p0 libraries
Date: Tue, 27 Feb 2018 07:17:40 +0100
Source: jackson-databind
Version: 2.9.4-1
Severity: grave
Tags: patch security upstream
Justification: user security hole
Forwarded: https://github.com/FasterXML/jackson-databind/issues/1931

Hi,

the following vulnerability was published for jackson-databind.

CVE-2018-7489[0]:
| FasterXML jackson-databind before 2.8.11.1 and 2.9.x before 2.9.5
| allows unauthenticated remote code execution because of an incomplete
| fix for the CVE-2017-7525 deserialization flaw. This is exploitable by
| sending maliciously crafted JSON input to the readValue method of the
| ObjectMapper, bypassing a blacklist that is ineffective if the c3p0
| libraries are available in the classpath.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-7489
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7489
[1] https://github.com/FasterXML/jackson-databind/issues/1931
[2] https://github.com/FasterXML/jackson-databind/commit/6799f8f10cc78e9af6d443ed6982d00a13f2e7d2

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
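
As an added practitioner check (not code from the bug report or from jackson-databind), the following Python script audits a Java classpath for the two conditions the CVE text names: a jackson-databind version in the affected range (before 2.8.11.1, or 2.9.x before 2.9.5) and a c3p0 jar on the same classpath. It identifies jars from the Maven pom.properties embedded in them and falls back to the artifact-version.jar file name. The fixture builder, the sample versions it writes and the Maven group ids it uses are constructed for this example and are not taken from the report. The script cannot tell whether the application actually enables polymorphic (default) typing on untrusted input, which the underlying CVE-2017-7525 flaw and this bypass both require; that remains a code-review question.

```python
"""Classpath audit for CVE-2018-7489 (jackson-databind blacklist bypass via c3p0).
Added example, not part of the Debian report or of jackson-databind. Affected range
is taken from the CVE text quoted in the report: < 2.8.11.1, or 2.9.x before 2.9.5."""
import re
import sys
import tempfile
import zipfile
from pathlib import Path
from typing import Dict, Iterable, List, Optional, Tuple

# artifact-version.jar, e.g. jackson-databind-2.9.4.jar or guava-24.0-jre.jar
_JAR_NAME = re.compile(r"^(?P<artifact>[A-Za-z0-9_.+-]+?)-(?P<version>\d[A-Za-z0-9.+-]*)\.jar$")
# Maven metadata that build tools embed in jars: META-INF/maven/<group>/<artifact>/pom.properties
_POM_PROPS = re.compile(r"^META-INF/maven/[^/]+/(?P<artifact>[^/]+)/pom\.properties$")
_NUMERIC_PREFIX = re.compile(r"^(\d+(?:\.\d+)*)")


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """'2.9.4' -> (2, 9, 4, 0). Qualifiers such as '-SNAPSHOT' are ignored."""
    m = _NUMERIC_PREFIX.match(version.strip())
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (4 - len(parts)))[:4]


def is_databind_affected(version: str) -> bool:
    """True for the range in the CVE text: below 2.8.11.1, or 2.9.x with x < 5."""
    v = parse_version(version)
    if v[:2] == (2, 9):
        return v < (2, 9, 5, 0)
    return v < (2, 8, 11, 1)


def identify_jar(path: str) -> Optional[Tuple[str, str]]:
    """Return (artifact, version). Prefers the embedded pom.properties, since the
    file name can be anything; falls back to the artifact-version.jar name."""
    p = Path(path)
    if p.is_file() and zipfile.is_zipfile(p):
        with zipfile.ZipFile(p) as zf:
            for name in zf.namelist():
                m = _POM_PROPS.match(name)
                if not m:
                    continue
                props = {}
                for line in zf.read(name).decode("utf-8", "replace").splitlines():
                    if "=" in line and not line.startswith("#"):
                        key, _, val = line.partition("=")
                        props[key.strip()] = val.strip()
                if "version" in props:
                    return m.group("artifact"), props["version"]  # first match wins in shaded jars
    m = _JAR_NAME.match(p.name)
    return (m.group("artifact"), m.group("version")) if m else None


def audit_classpath(jars: Iterable[str]) -> Dict[str, object]:
    """Report the databind and c3p0 versions found and whether together they meet
    the CVE-2018-7489 preconditions. Default typing on untrusted input is not checked."""
    databind = c3p0 = None
    for jar in jars:
        ident = identify_jar(jar)
        if ident is None:
            continue
        artifact, version = ident
        if artifact == "jackson-databind":
            databind = version
        elif artifact == "c3p0":
            c3p0 = version
    in_range = databind is not None and is_databind_affected(databind)
    return {
        "jackson_databind": databind,
        "c3p0": c3p0,
        "databind_in_affected_range": in_range,
        "cve_2018_7489_gadget_reachable": in_range and c3p0 is not None,
    }


def build_sample_classpath(databind_version: str = "2.9.4", c3p0_version: str = "0.9.5.2") -> List[str]:
    """Constructed fixture: two minimal jars with pom.properties in a temp dir, named
    without a version so identification must go through the metadata. Group ids are
    assumed for the example."""
    d = Path(tempfile.mkdtemp(prefix="cve-2018-7489-"))
    jars = []
    for group, artifact, version in (
        ("com.fasterxml.jackson.core", "jackson-databind", databind_version),
        ("com.mchange", "c3p0", c3p0_version),
    ):
        jar = d / f"{artifact}.jar"
        with zipfile.ZipFile(jar, "w") as zf:
            zf.writestr(f"META-INF/maven/{group}/{artifact}/pom.properties",
                        f"# constructed for the example\nversion={version}\n"
                        f"groupId={group}\nartifactId={artifact}\n")
        jars.append(str(jar))
    return jars


if __name__ == "__main__":
    # Pass jar paths as arguments; with none, the constructed sample classpath is audited.
    for key, value in audit_classpath(sys.argv[1:] or build_sample_classpath()).items():
        print(f"{key}: {value}")
```

Run it against a deployment as `python3 audit.py /opt/app/lib/*.jar`; a result with `databind_in_affected_range` true but no c3p0 still means the CVE-2017-7525 blacklist is the only thing standing between the application and the next gadget, so the fix is to upgrade and stop deserializing untrusted input with default typing, not to remove c3p0.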



Added tag(s) fixed-upstream. Request was from bts-link-upstream@lists.alioth.debian.org to control@bugs.debian.org. (Mon, 05 Mar 2018 17:21:28 GMT)


Reply sent to Markus Koschany <apo@debian.org>:
You have taken responsibility. (Tue, 27 Mar 2018 19:00:24 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Tue, 27 Mar 2018 19:00:24 GMT)


Message #12 received at 891614-close@bugs.debian.org:

From: Markus Koschany <apo@debian.org>
To: 891614-close@bugs.debian.org
Subject: Bug#891614: fixed in jackson-databind 2.9.5-1
Date: Tue, 27 Mar 2018 18:58:26 +0000
Source: jackson-databind
Source-Version: 2.9.5-1

We believe that the bug you reported is fixed in the latest version of
jackson-databind, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 891614@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <apo@debian.org> (supplier of updated jackson-databind package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Tue, 27 Mar 2018 17:36:36 +0200
Source: jackson-databind
Binary: libjackson2-databind-java libjackson2-databind-java-doc
Architecture: source
Version: 2.9.5-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Description:
 libjackson2-databind-java - fast and powerful JSON library for Java -- data binding
 libjackson2-databind-java-doc - Documentation for jackson-databind
Closes: 891614
Changes:
 jackson-databind (2.9.5-1) unstable; urgency=medium
 .
   * Team upload.
   * New upstream version 2.9.5.
     - Fix CVE-2018-7489: incomplete fix for CVE-2017-7525 permits unsafe
       serialization via c3p0 libraries. (Closes: #891614)
   * Remove --has-package-version flag.
Checksums-Sha1:
 749c47d25c7328edd0d3f192e839ae4b37197a40 2728 jackson-databind_2.9.5-1.dsc
 f845411664c9172d74aa5bbcc83fbdb96dec61fd 1240623 jackson-databind_2.9.5.orig.tar.gz
 28e8df3bb59c87784bb33b6fe9885e49b8f6e44e 4676 jackson-databind_2.9.5-1.debian.tar.xz
 8e010d468f35b004c5347a3d159dfcddb45d26b8 17469 jackson-databind_2.9.5-1_amd64.buildinfo
Checksums-Sha256:
 9dd9b72c19ff5a6a96ed11a7c5d381237f9f884a5c8cad045dc50787a62fe6e9 2728 jackson-databind_2.9.5-1.dsc
 63a0f2630728ca7a2f2e76fedd020750a86e9d23cbeb7bc255ea68460c55a674 1240623 jackson-databind_2.9.5.orig.tar.gz
 6c370f430b5c27e14f631aa4ed048681774caf9a36613376a48426aa1bba75e2 4676 jackson-databind_2.9.5-1.debian.tar.xz
 afd2062f407d679aebc29d6ed3ca18ae5fea9c6dc4c63f3b622a04d76e271bba 17469 jackson-databind_2.9.5-1_amd64.buildinfo
Files:
 30f2336b17290a093d78c0c26a7e9ac8 2728 java optional jackson-databind_2.9.5-1.dsc
 9c69dfedb79dedbd355d2cbf58498786 1240623 java optional jackson-databind_2.9.5.orig.tar.gz
 a38610d99691b682304a8310e35fcabf 4676 java optional jackson-databind_2.9.5-1.debian.tar.xz
 0d95c710846208b6336c32219f04fe1c 17469 java optional jackson-databind_2.9.5-1_amd64.buildinfo





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 25 Apr 2018 07:25:17 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:17:35 2019; Machine Name: buxtehude
