jackson-databind: CVE-2018-5968

Debian Bug report logs - #888316
jackson-databind: CVE-2018-5968

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: jackson-databind: CVE-2018-5968

Date: Wed, 24 Jan 2018 23:02:44 +0100

Source: jackson-databind
Version: 2.9.1-1
Severity: grave
Tags: patch security upstream
Forwarded: https://github.com/FasterXML/jackson-databind/issues/1899
Control: found -1 2.8.6-1+deb9u2
Control: found -1 2.4.2-2+deb8u2

Hi,

the following vulnerability was published for jackson-databind.

CVE-2018-5968[0]:
| FasterXML jackson-databind through 2.8.11 and 2.9.x through 2.9.3
| allows unauthenticated remote code execution because of an incomplete
| fix for the CVE-2017-7525 and CVE-2017-17485 deserialization flaws.
| This is exploitable via two different gadgets that bypass a blacklist.

The upstream issue is at [1], with upstrema fix [2]. If I see it
correctly with commit [3] the code was shuffled a bit around, so the
patched file is different in meanwhile. If you disagree on the
analysis, given I'm unfamiliar iwth jackson-databind let me know.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-5968
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5968
[1] https://github.com/FasterXML/jackson-databind/issues/1899
[2] https://github.com/FasterXML/jackson-databind/commit/038b471e2efde2e8f96b4e0be958d3e5a1ff1d05
[3] https://github.com/FasterXML/jackson-databind/commit/2235894210c75f624a3d0cd60bfb0434a20a18bf

Regards,
Salvatore

Message #14 received at 888316@bugs.debian.org (full text, mbox, reply):

From: Markus Koschany <apo@debian.org>

To: Salvatore Bonaccorso <carnil@debian.org>

Cc: 888316@bugs.debian.org

Subject: Re: jackson-databind: CVE-2018-5968

Date: Thu, 25 Jan 2018 14:40:10 +0100

[Message part 1 (text/plain, inline)]

Hi,

On Wed, 24 Jan 2018 23:02:44 +0100 Salvatore Bonaccorso
<carnil@debian.org> wrote:
> Source: jackson-databind
> Version: 2.9.1-1
> Severity: grave
> Tags: patch security upstream
> Forwarded: https://github.com/FasterXML/jackson-databind/issues/1899
> Control: found -1 2.8.6-1+deb9u2
> Control: found -1 2.4.2-2+deb8u2
> 
> Hi,
> 
> the following vulnerability was published for jackson-databind.

[...]

Thanks for reporting. I had a look at jackson-databind in Stretch. We
just need to apply the patch to BeanDeserializerFactory.java again. As
for Sid upgrading to the latest upstream release 2.9.4 should also
resolve this. I'm working on it now.

Regards,

Markus

[signature.asc (application/pgp-signature, attachment)]

Message #19 received at 888316@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>

To: Markus Koschany <apo@debian.org>

Cc: 888316@bugs.debian.org

Subject: Re: jackson-databind: CVE-2018-5968

Date: Thu, 25 Jan 2018 15:23:26 +0100

Hi Markus,

On Thu, Jan 25, 2018 at 02:40:10PM +0100, Markus Koschany wrote:
> Hi,
> 
> On Wed, 24 Jan 2018 23:02:44 +0100 Salvatore Bonaccorso
> <carnil@debian.org> wrote:
> > Source: jackson-databind
> > Version: 2.9.1-1
> > Severity: grave
> > Tags: patch security upstream
> > Forwarded: https://github.com/FasterXML/jackson-databind/issues/1899
> > Control: found -1 2.8.6-1+deb9u2
> > Control: found -1 2.4.2-2+deb8u2
> > 
> > Hi,
> > 
> > the following vulnerability was published for jackson-databind.
> 
> [...]
> 
> Thanks for reporting. I had a look at jackson-databind in Stretch. We
> just need to apply the patch to BeanDeserializerFactory.java again. As
> for Sid upgrading to the latest upstream release 2.9.4 should also
> resolve this. I'm working on it now.

Perfect, thank you! We (Moritz) have added it to the dsa-needed list
for jessie and stretch, so once you have the update can you contact
the security team alias, one of us will then ack the upload.

Regards,
Salvatore

Message #24 received at 888316-close@bugs.debian.org (full text, mbox, reply):

From: Markus Koschany <apo@debian.org>

To: 888316-close@bugs.debian.org

Subject: Bug#888316: fixed in jackson-databind 2.9.4-1

Date: Thu, 25 Jan 2018 23:19:37 +0000

Source: jackson-databind
Source-Version: 2.9.4-1

We believe that the bug you reported is fixed in the latest version of
jackson-databind, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 888316@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <apo@debian.org> (supplier of updated jackson-databind package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 25 Jan 2018 14:45:19 +0100
Source: jackson-databind
Binary: libjackson2-databind-java libjackson2-databind-java-doc
Architecture: source
Version: 2.9.4-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Description:
 libjackson2-databind-java - fast and powerful JSON library for Java -- data binding
 libjackson2-databind-java-doc - Documentation for jackson-databind
Closes: 888316 888318
Changes:
 jackson-databind (2.9.4-1) unstable; urgency=medium
 .
   * Team upload.
   * New upstream version 2.9.4.
     - Fix CVE-2018-5968: bypass of deserialization blacklist related to
       CVE-2017-7525 and CVE-2017-17485. (Closes: #888316)
     - Fix CVE-2017-17485: unauthenticated remote code execution
       because of an incomplete fix for CVE-2017-7525. (Closes: #888318)
   * Use compat level 11.
   * Declare compliance with Debian Policy 4.1.3.
Checksums-Sha1:
 a3d1d2e49764ea0b2c761e8243bb5fe9ec2627f8 2728 jackson-databind_2.9.4-1.dsc
 64e99d866cf9520a5d237e614b232c14ef4bd86e 1237542 jackson-databind_2.9.4.orig.tar.gz
 0172687bda1e45548c65cedbff7a2a6f5bb51e9b 4320 jackson-databind_2.9.4-1.debian.tar.xz
 3bae230b4c23ec8faf6f280446f98289c39f4723 17211 jackson-databind_2.9.4-1_amd64.buildinfo
Checksums-Sha256:
 63789275fbed8d774c97831bd0ebc6de61e2b2e8ff08baad2e4baeb56529d01e 2728 jackson-databind_2.9.4-1.dsc
 08e8439ad91035ec446733037fa85062b3e86f82dd24f5515fb34df30967a2fd 1237542 jackson-databind_2.9.4.orig.tar.gz
 2a9ea35c988ba86ed674a1cc6f5eb12261e4d877872c4ca4045f3add2e8aaf14 4320 jackson-databind_2.9.4-1.debian.tar.xz
 de3ee482f5afd378422980bfe4cb3cc9d39eefadadea36d7cf24bcc11cf9de9e 17211 jackson-databind_2.9.4-1_amd64.buildinfo
Files:
 f4d3678269270f6d345e130656b3ae04 2728 java optional jackson-databind_2.9.4-1.dsc
 d1f5c7f7c1f32d798219d384e8c055ed 1237542 java optional jackson-databind_2.9.4.orig.tar.gz
 0bdcd302bbc390f9c6a720316507400d 4320 java optional jackson-databind_2.9.4-1.debian.tar.xz
 eed9fd48116f3844d3d3e600c3612043 17211 java optional jackson-databind_2.9.4-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQKjBAEBCgCNFiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAlpqYPFfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQPHGFwb0BkZWJp
YW4ub3JnAAoJENmtFLlRO1HkPRwP/ReNNsjgoiJpC9ic/AweO0jPJYHsGj9otDDQ
uxbuH89ue2Ovs6jTiXnJHa5DZhEEnRCyC6kZ0OWpIvE/SAJG+SXX00zXdn82q76R
YotQdEa9xTPe5M/cpXO542XZypWsyF9/f1k+RHItd0B465ei7MRVp84J0hhenSBj
3huqgOLxqoCCzwm2LyzE+sLoLw8K6/3m/biagfpCdelsbYs4LJJ44xLqLSZW54pK
qR9NLYnWRgVGYeQUJvpChQ3n5Z2qMTPe/Brp4xw2fE3PLdx2/PxqMll+V73a4tsM
kylEz2DxU3yHhbIViQDb960b2rdZlXIupQ2okhH2k8Io0sd4JOpi38F+Odd/eT5+
moxjpSaA4GFXa/DiIqx2e8hDWUQKOchlw8ViVrDF1Jaow4g46BBkXZho0pDBriIN
j0UUPkdSPE/KHK89ehzFkgWHUphz6C0JXMhVwGj2Gq0XSe2RK6kaxh45fbcD6xSI
e5+uKxlE1ZXZ8znnqoTt3b9MDv59Q6ZPJ4rX3UugtgyeJ0sXlVzU8t/gBgIFbEp6
HzyAWwzE+CPbYlZjgpt1oXYifFyr1xuORhIFA7zyz6S80+Xic/c1iqQdmSyXci0+
4OGlI/n6Q6bO1nCo6GvKvlmOwpOfbiNSSNv4kAlu/hy6UyvMgbPghpdEvTURrtt7
HUf3j8ze
=77kV
-----END PGP SIGNATURE-----

Message #29 received at 888316@bugs.debian.org (full text, mbox, reply):

From: Markus Koschany <apo@debian.org>

To: team@security.debian.org

Cc: 888316@bugs.debian.org

Subject: Re: jackson-databind: CVE-2018-5968

Date: Sat, 27 Jan 2018 21:49:49 +0100

[Message part 1 (text/plain, inline)]

Hi folks,

Am 25.01.2018 um 15:23 schrieb Salvatore Bonaccorso:
> Hi Markus,
> 
> On Thu, Jan 25, 2018 at 02:40:10PM +0100, Markus Koschany wrote:
>> Hi,
>>
>> On Wed, 24 Jan 2018 23:02:44 +0100 Salvatore Bonaccorso
>> <carnil@debian.org> wrote:
>>> Source: jackson-databind
>>> Version: 2.9.1-1
>>> Severity: grave
>>> Tags: patch security upstream
>>> Forwarded: https://github.com/FasterXML/jackson-databind/issues/1899
>>> Control: found -1 2.8.6-1+deb9u2
>>> Control: found -1 2.4.2-2+deb8u2
>>>
>>> Hi,
>>>
>>> the following vulnerability was published for jackson-databind.
>>
>> [...]
>>
>> Thanks for reporting. I had a look at jackson-databind in Stretch. We
>> just need to apply the patch to BeanDeserializerFactory.java again. As
>> for Sid upgrading to the latest upstream release 2.9.4 should also
>> resolve this. I'm working on it now.
> 
> Perfect, thank you! We (Moritz) have added it to the dsa-needed list
> for jessie and stretch, so once you have the update can you contact
> the security team alias, one of us will then ack the upload.

I have prepared security updates of jackson-databind for Stretch and
Jessie and would appreciate another look at the patches.

The fix for CVE-2018-5968 is straightforward. The blacklist is simply
extended.

However upstream decided to refactor the code for CVE-2017-17485 and I
decided to apply the changes to BeanDeserializerFactory.java again
instead of using the new helper class SubTypeValidator. Here is my
thought process how to create the patch based on the solution in
upstream bug 1855 [1]

1. Extend the blacklist. [2]
2. Instead of creating a new method validateSubType, I copied the fix
into checkIllegalTypes in BeanDeserializerFactory again.[3] The behavior
remains the same. This code catches some specific cases for the spring
framework.
3. I also applied the regression fix in [4] (also mentioned in bug 1855)
4. I believe that [5] only applies to the refactored code and since we
don't use that it is irrelevant for us.

Regards,

Markus

[1] https://github.com/FasterXML/jackson-databind/issues/1855
[2]
https://github.com/FasterXML/jackson-databind/commit/f031f27a31625d07922bdd090664c69544200a5d
[3]
https://github.com/FasterXML/jackson-databind/commit/2235894210c75f624a3d0cd60bfb0434a20a18bf
[4]
https://github.com/FasterXML/jackson-databind/commit/bb45fb16709018842f858f1a6e1118676aaa34bd
[5]
https://github.com/FasterXML/jackson-databind/commit/978798382ceb72229e5036aa1442943933d6d171

[jackson-databind_jessie.debdiff (text/plain, attachment)]

[jackson-databind_stretch.debdiff (text/plain, attachment)]

[signature.asc (application/pgp-signature, attachment)]

Message #34 received at 888316@bugs.debian.org (full text, mbox, reply):

From: Sébastien Delafond <seb@debian.org>

To: Markus Koschany <apo@debian.org>

Cc: team@security.debian.org, 888316@bugs.debian.org

Subject: Re: jackson-databind: CVE-2018-5968

Date: Sun, 11 Feb 2018 08:42:08 +0100

[Message part 1 (text/plain, inline)]

On Jan/27, Markus Koschany wrote:
> I have prepared security updates of jackson-databind for Stretch and
> Jessie and would appreciate another look at the patches.
> 
> The fix for CVE-2018-5968 is straightforward. The blacklist is simply
> extended.
> 
> However upstream decided to refactor the code for CVE-2017-17485 and I
> decided to apply the changes to BeanDeserializerFactory.java again
> instead of using the new helper class SubTypeValidator. Here is my
> thought process how to create the patch based on the solution in
> upstream bug 1855 [1]
> 
> 1. Extend the blacklist. [2]
> 2. Instead of creating a new method validateSubType, I copied the fix
> into checkIllegalTypes in BeanDeserializerFactory again.[3] The behavior
> remains the same. This code catches some specific cases for the spring
> framework.
> 3. I also applied the regression fix in [4] (also mentioned in bug 1855)
> 4. I believe that [5] only applies to the refactored code and since we
> don't use that it is irrelevant for us.

Hi Markus,

thanks a lot for patches. I've reviewed them, and your approach is
sound: please upload.

Cheers,

--Seb

[signature.asc (application/pgp-signature, inline)]

Message #39 received at 888316@bugs.debian.org (full text, mbox, reply):

From: Markus Koschany <apo@debian.org>

To: Sébastien Delafond <seb@debian.org>

Cc: team@security.debian.org, 888316@bugs.debian.org

Subject: Re: jackson-databind: CVE-2018-5968

Date: Sun, 11 Feb 2018 18:10:46 +0100

[Message part 1 (text/plain, inline)]

Am 11.02.2018 um 08:42 schrieb Sébastien Delafond:
[...]
> Hi Markus,
> 
> thanks a lot for patches. I've reviewed them, and your approach is
> sound: please upload.
> 
> Cheers,
> 
> --Seb

Hi Seb,

thanks for the review. I've just uploaded both packages.

Cheers,

Markus

[signature.asc (application/pgp-signature, attachment)]

Message #44 received at 888316-close@bugs.debian.org (full text, mbox, reply):

From: Markus Koschany <apo@debian.org>

To: 888316-close@bugs.debian.org

Subject: Bug#888316: fixed in jackson-databind 2.8.6-1+deb9u3

Date: Fri, 23 Feb 2018 11:34:17 +0000

Source: jackson-databind
Source-Version: 2.8.6-1+deb9u3

We believe that the bug you reported is fixed in the latest version of
jackson-databind, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 888316@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <apo@debian.org> (supplier of updated jackson-databind package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 27 Jan 2018 19:12:39 +0100
Source: jackson-databind
Binary: libjackson2-databind-java libjackson2-databind-java-doc
Architecture: source all
Version: 2.8.6-1+deb9u3
Distribution: stretch-security
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Description:
 libjackson2-databind-java - fast and powerful JSON library for Java -- data binding
 libjackson2-databind-java-doc - Documentation for jackson-databind
Closes: 888316 888318
Changes:
 jackson-databind (2.8.6-1+deb9u3) stretch-security; urgency=high
 .
   * Team upload.
   * Fix CVE-2017-17485 and CVE-2018-5968:
     Bybass of deserialization blackist to disallow unauthenticated remote code
     execution. These CVE exist due to an incomplete fix for CVE-2017-7525.
     (Closes: #888316, #888318)
Checksums-Sha1:
 0ad8f9644b1a4446dbbaa709de1ab2827d1b631e 2694 jackson-databind_2.8.6-1+deb9u3.dsc
 7fa80128b6793f82a4982f0bab47b14cf68bf47a 8424 jackson-databind_2.8.6-1+deb9u3.debian.tar.xz
 d4093936a3bf78a5e2c8377efc7323f1cb61cfa9 16475 jackson-databind_2.8.6-1+deb9u3_amd64.buildinfo
 76e1f8e7470db4d505c39db3f857caebedfd39c0 1228842 libjackson2-databind-java-doc_2.8.6-1+deb9u3_all.deb
 782823cff9a6a7a092dd3ef9d16a50d39ade14c0 1154694 libjackson2-databind-java_2.8.6-1+deb9u3_all.deb
Checksums-Sha256:
 61aa763d90694a021239bb6ee80400657ab467d76fbe82c6d6333db0d64d3912 2694 jackson-databind_2.8.6-1+deb9u3.dsc
 00ab252cfc0253a28dc7e73248302bc1d717f23b43e25fbd8ce6c7fe6b260e82 8424 jackson-databind_2.8.6-1+deb9u3.debian.tar.xz
 b8a011e559004daf812f3f42b111ffad035b803cf6049b4e090d833f8f8215f0 16475 jackson-databind_2.8.6-1+deb9u3_amd64.buildinfo
 60457f1efdda8be7c7d8e73f670d809b6aa0d73746f3ab6cd0940de7477883a7 1228842 libjackson2-databind-java-doc_2.8.6-1+deb9u3_all.deb
 cecd0c322485064fa6e2b158aa9a1f57050ca7ac4255cddd18c5e25e2cad55d5 1154694 libjackson2-databind-java_2.8.6-1+deb9u3_all.deb
Files:
 5583ccd0f59a9b0ac6ea6bd4db89f101 2694 java optional jackson-databind_2.8.6-1+deb9u3.dsc
 c12d0d8ab5995da693eab7977b85adfd 8424 java optional jackson-databind_2.8.6-1+deb9u3.debian.tar.xz
 6f6a35c72bbc2e9402f4e0e79291032b 16475 java optional jackson-databind_2.8.6-1+deb9u3_amd64.buildinfo
 6b67fd4e9736c7d5419df1c848c214fe 1228842 doc optional libjackson2-databind-java-doc_2.8.6-1+deb9u3_all.deb
 0b83a8e190c67fb6ae0208edf2c27548 1154694 java optional libjackson2-databind-java_2.8.6-1+deb9u3_all.deb

-----BEGIN PGP SIGNATURE-----

iQKjBAEBCgCNFiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAlqAeNhfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQPHGFwb0BkZWJp
YW4ub3JnAAoJENmtFLlRO1HkSogQALQgt9lAfVsUpMca7ix6eCgys/87J7yO311k
oyOnHDoMYl9jXJtpZfL9XVPb3tYSSY23ZLKjeQuEI+oIxBA3hbgYzADrswSz6Etm
rArSWRfpviHr3nAQJWbgRFlZYPSsOJ5jrWJN3wJFGJ6vzwofjbd3w5s+MLogUdm8
demLgmi7K+/CCdwh4dUQK+D74YS1askWATRXCLyNvD4MdQNbxfFAbjciUGDW4B1K
PV/d2bJqKzDXZrOpXSfi9njgokpqniLTWPU3thbCnx412vDu3GzrYq0uh5oiiMi6
/C8+richa5PE0uAkr2c3haReSaEa4/YFBHBxXGlMERzsS0TUI6To+2jAxMsTp1qM
dcnyAmB6HoArfR51Iu0hoKg4roR2UW2UUOhUNX6YtNeh4FpcR5bo7ntuvss4LvIn
ztey44fUagSiuliwRmrT5KqzzhEQM1sPflxRMLqYVxo6P5mj60FTv51y5bhyf2Qu
uym0Nnk9yUQhdkrocTfzs47U1dVyyf+tSvQ7cfoj/z7PGSHZoIJRLgFim+hbQJ+Z
D2f/VZmqH0O4dwzHzGLH2EWIaHjSZ/sOIartbQ8VrGZoJIl0+OdZupexZvF5i95M
Z/LGfnAalqT0ZiDtPONRwnfPCa5X4/JGua1YTKFz55n2CMgx0N3jpBYBOUBCx35V
VOcFfDkI
=68UA
-----END PGP SIGNATURE-----

Message #49 received at 888316-close@bugs.debian.org (full text, mbox, reply):

From: Markus Koschany <apo@debian.org>

To: 888316-close@bugs.debian.org

Subject: Bug#888316: fixed in jackson-databind 2.4.2-2+deb8u3

Date: Fri, 23 Feb 2018 13:33:48 +0000

Source: jackson-databind
Source-Version: 2.4.2-2+deb8u3

We believe that the bug you reported is fixed in the latest version of
jackson-databind, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 888316@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <apo@debian.org> (supplier of updated jackson-databind package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 27 Jan 2018 19:37:47 +0100
Source: jackson-databind
Binary: libjackson2-databind-java libjackson2-databind-java-doc
Architecture: source all
Version: 2.4.2-2+deb8u3
Distribution: jessie-security
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Description:
 libjackson2-databind-java - fast and powerful JSON library for Java -- data binding
 libjackson2-databind-java-doc - Documentation for jackson-databind
Closes: 888316 888318
Changes:
 jackson-databind (2.4.2-2+deb8u3) jessie-security; urgency=high
 .
   * Team upload.
   * Fix CVE-2017-17485 and CVE-2018-5968:
     Bybass of deserialization blackist to disallow unauthenticated remote code
     execution. These CVE exist due to an incomplete fix for CVE-2017-7525.
     (Closes: #888316, #888318)
Checksums-Sha1:
 339e625f321ef1df40916f240962a4aa6b8cbb2c 2688 jackson-databind_2.4.2-2+deb8u3.dsc
 250fd096cb10e56cb471a4b34a9e05c26094d1f6 8884 jackson-databind_2.4.2-2+deb8u3.debian.tar.xz
 40403e491d64e5c35367a16c879f1dc6f9601b99 986180 libjackson2-databind-java_2.4.2-2+deb8u3_all.deb
 96420399cd5a2c88ec5188d90ba27431ff1b77fd 4737360 libjackson2-databind-java-doc_2.4.2-2+deb8u3_all.deb
Checksums-Sha256:
 e148edc0b6c112ef4d63abe1576e28cde6aa80c80423e05c34b1adb69d12bceb 2688 jackson-databind_2.4.2-2+deb8u3.dsc
 a98f12468a822a332a86ffb1d9e59d24524f16a5ea6d8e4636e05b067e097e2a 8884 jackson-databind_2.4.2-2+deb8u3.debian.tar.xz
 64958a05caeca76846b4a064cf3fe9f2fe2b4de5d41df365c1e817ef51cc43af 986180 libjackson2-databind-java_2.4.2-2+deb8u3_all.deb
 1a0084cb046d309beb6c04e02f21585328f000ba1ebf19d47014d79d899b4287 4737360 libjackson2-databind-java-doc_2.4.2-2+deb8u3_all.deb
Files:
 2d383e0bd2b4ca28e2e4939fcc85808f 2688 java optional jackson-databind_2.4.2-2+deb8u3.dsc
 43f1592f62bec9fff65f015cb495c55a 8884 java optional jackson-databind_2.4.2-2+deb8u3.debian.tar.xz
 7bf39b2a509bf5a23d8f673bb1225ae7 986180 java optional libjackson2-databind-java_2.4.2-2+deb8u3_all.deb
 5f83f7c1e0ddcd484f2c02d80a38039b 4737360 doc optional libjackson2-databind-java-doc_2.4.2-2+deb8u3_all.deb

-----BEGIN PGP SIGNATURE-----

iQKjBAEBCgCNFiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAlqAd9NfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQPHGFwb0BkZWJp
YW4ub3JnAAoJENmtFLlRO1HkCaMP/AuaPQ5hMZMO8fKx9PyeQV964RFfVqJ9gXSE
b8Y/XUWg80TvBbxOGK5PMUfFr+eJelQ/Xi2PgbZqKRSh7dk3gT8qKgkXqgASUO0u
bXntOJG/icNu4LVadjTQBlN82ObF7izdSY4PLPREbhn3zfF5VOKPPbJSeqRUocKJ
Yjk5QVYWzS5hqGN5+mwNDRWzNGnA5kHgZG+CgR/zSsU76YLZ1LlIOZDh+1GR9PyW
fUQ+T4Pjs5P0wPsHGLyOzPPNnNx+aKWu5cjqp5RRQiyJhGAjksxBUahcvoj4QQ0i
SJ7U2tADdZrIXy66YxliuWju0f+tyFDNhQzCzC/Q6b6uP9fE+4yHa5fer1ZKROfx
k71vMON0YXTWiDj9jHvkc/YtkT+XcOfJNMwhYJJzIfIvwiv3zBuoPnSInvQ282Og
J10uE4XnnRNsgpsZRZIoScJm3ZSKa1qAprX7cR/P+b1YGgLlGSWR+TwYA2eEp+6i
tUrPjcPx97DZOHSS4xBzqKrmnVwXNmFjpnhGsNX3cy3t563pksYq5iXRAYVEeayU
GnGrvDcky4bm3JnykkpjCK/2lfTTwkHFfX3T2tR1ZpB2d9rbRQyHvJ7//FyswKo5
QbiFoCup7Bb2amK2m4HSos4CkuVktIJVJX9+Pn1GzBVlUbbqdnHn5AV+k4r9aw0r
I766dhvg
=ruD8
-----END PGP SIGNATURE-----

Send a report that this bug log contains spam.