jackson-databind: CVE-2017-7525: Deserialization vulnerability via readValue method of ObjectMapper

Related Vulnerabilities: CVE-2017-7525  

Debian Bug report logs - #870848


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sat, 5 Aug 2017 19:18:01 UTC

Severity: grave

Tags: fixed-upstream, security, upstream

Found in version jackson-databind/2.8.6-1

Fixed in versions jackson-databind/2.9.1-1, jackson-databind/2.8.6-1+deb9u1, jackson-databind/2.4.2-2+deb8u1

Done: Markus Koschany <apo@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://github.com/FasterXML/jackson-databind/issues/1599



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#870848; Package src:jackson-databind. (Sat, 05 Aug 2017 19:18:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Sat, 05 Aug 2017 19:18:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: jackson-databind: CVE-2017-7525: Deserialization vulnerability via readValue method of ObjectMapper
Date: Sat, 05 Aug 2017 21:16:26 +0200
Source: jackson-databind
Version: 2.8.6-1
Severity: grave
Tags: security upstream
Forwarded: https://github.com/FasterXML/jackson-databind/issues/1599

Hi,

the following vulnerability was published for jackson-databind.

CVE-2017-7525[0]:
Deserialization vulnerability via readValue method of ObjectMapper

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

Upstream tracking is at [2].

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-7525
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7525
[1] https://github.com/FasterXML/jackson-databind/issues/1599
[2] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7525

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Added tag(s) fixed-upstream. Request was from bts-link-upstream@lists.alioth.debian.org to control@bugs.debian.org. (Thu, 10 Aug 2017 17:48:11 GMT)


Reply sent to Markus Koschany <apo@debian.org>:
You have taken responsibility. (Wed, 11 Oct 2017 23:21:05 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 11 Oct 2017 23:21:05 GMT)


Message #12 received at 870848-close@bugs.debian.org:

From: Markus Koschany <apo@debian.org>
To: 870848-close@bugs.debian.org
Subject: Bug#870848: fixed in jackson-databind 2.9.1-1
Date: Wed, 11 Oct 2017 23:19:05 +0000
Source: jackson-databind
Source-Version: 2.9.1-1

We believe that the bug you reported is fixed in the latest version of
jackson-databind, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 870848@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <apo@debian.org> (supplier of updated jackson-databind package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 12 Oct 2017 00:31:43 +0200
Source: jackson-databind
Binary: libjackson2-databind-java libjackson2-databind-java-doc
Architecture: source
Version: 2.9.1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Description:
 libjackson2-databind-java - fast and powerful JSON library for Java -- data binding
 libjackson2-databind-java-doc - Documentation for jackson-databind
Closes: 870848 875411
Changes:
 jackson-databind (2.9.1-1) unstable; urgency=medium
 .
   * Team upload.
   * New upstream version 2.9.1.
     - Fixes CVE-2017-7525: Deserialization vulnerability via readValue
       method of ObjectMapper (Closes: #870848)
     - Builds fine with Java 9. (Closes: #875411)
   * Declare compliance with Debian Policy 4.1.1.
   * Tighten B-D on jackson-core and jackson-annotations.
   * Add libmaven-shade-plugin-java to B-D.
Checksums-Sha1:
 88e2d48d329c7daec8859ac154414d6e83b412b9 2697 jackson-databind_2.9.1-1.dsc
 7454b681b36301a4a45e6d688a509bb662e290fa 1217778 jackson-databind_2.9.1.orig.tar.gz
 0953ecf97a8df7b6c6b5126087db6d4f24804c91 4176 jackson-databind_2.9.1-1.debian.tar.xz
 7dd729dceeb837c5286f4d895e35c1649f9cce15 16953 jackson-databind_2.9.1-1_amd64.buildinfo
Checksums-Sha256:
 ba34530ca1ed7b5aeaf04f8ec345959c1ce8e9a3cb07e20db72837572eb89748 2697 jackson-databind_2.9.1-1.dsc
 515200c897d1a1d1ce8bbb3f6abe9957b9ce8ebbb58f81115efedff38c5cb90b 1217778 jackson-databind_2.9.1.orig.tar.gz
 16780621f5295ef58afa5d5ef8583e43219fcf47dd0bf7a5fee4bf2b0efb8b29 4176 jackson-databind_2.9.1-1.debian.tar.xz
 2bd1a43b576671339725070523ec927cc3697f58154362740f88b4c5089515b6 16953 jackson-databind_2.9.1-1_amd64.buildinfo
Files:
 8a0d0b3d7b4ee25fab1630ad643eb38a 2697 java optional jackson-databind_2.9.1-1.dsc
 ab01ec1139e393133ade4822084316c2 1217778 java optional jackson-databind_2.9.1.orig.tar.gz
 e1b455e8c35075603d38fba7702b4641 4176 java optional jackson-databind_2.9.1-1.debian.tar.xz
 5dcf2095f42728a073fe652381805b45 16953 java optional jackson-databind_2.9.1-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQKjBAEBCgCNFiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAlneoG5fFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQPHGFwb0BkZWJp
YW4ub3JnAAoJENmtFLlRO1HkQdMQAMH6spLTj7ucHvTDWL7/2S+0IovByO0wHDeU
rJp0fMk/HgRaZ36LMXJik9TyZvKsAW87DArL25q98jQrbXq3iyqfirjV3xTKIWUw
sWc5YCuvD80jpM8enFZ6smkQ0UqaZEJHYfR1sK4A/X2oNFLyjvAF5cdFi2WBgbzD
tCdXVPnu4l6h0WeI8ujy6vPj1bwRl6gSy63/7DXArdO4pAlODCUk/JAYuuKqAb51
PhFvhlQAcHxb5pmi3tPIwMd1eoCr97MWiQhJ8zqCWazct2jgBgk91FSWv/22mG5E
AonCeofKay0+uMj7cucRoz4TL0zyrdvdDOXoYSYYYWIJFYuSRb4iBvb6RW/+mBzF
sC7k5rpz2kfZ4SFnrX/nqMWsfnQbjS9vwVXH/TYlb9HhVapEWM17ctJqnpBDCH0S
c/YjKjxKnYBImKJQYcmVAJKAydkfQ7fNSbmBAWtl5e1i14VxRTV9foBiUIMT4W4m
lCe0abNLeSN4VNj31T8mvFF4KnjV3s76g0ECOhcpz37pKSJQfivFpxXmX1Y0y37/
b/Mre0cz/OUKZe/9vB46hBYbnY0UcrqOSqHiaZOddZr34O4BVzVu9WcP0Bhh/aEN
FtcVN1lUvgv2/coB+JRemjUx1vLFi/AZYGRleTCWyzoM/9KDGC0URhNhflwDKucI
9j2xpcXo
=pQkf
-----END PGP SIGNATURE-----




Reply sent to Markus Koschany <apo@debian.org>:
You have taken responsibility. (Sun, 12 Nov 2017 15:36:03 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 12 Nov 2017 15:36:03 GMT)


Message #17 received at 870848-close@bugs.debian.org:

From: Markus Koschany <apo@debian.org>
To: 870848-close@bugs.debian.org
Subject: Bug#870848: fixed in jackson-databind 2.8.6-1+deb9u1
Date: Sun, 12 Nov 2017 15:33:07 +0000
Source: jackson-databind
Source-Version: 2.8.6-1+deb9u1

We believe that the bug you reported is fixed in the latest version of
jackson-databind, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 870848@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <apo@debian.org> (supplier of updated jackson-databind package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 18 Oct 2017 18:30:07 +0200
Source: jackson-databind
Binary: libjackson2-databind-java libjackson2-databind-java-doc
Architecture: source all
Version: 2.8.6-1+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Description:
 libjackson2-databind-java - fast and powerful JSON library for Java -- data binding
 libjackson2-databind-java-doc - Documentation for jackson-databind
Closes: 870848
Changes:
 jackson-databind (2.8.6-1+deb9u1) stretch-security; urgency=high
 .
   * Team upload.
   * Fix CVE-2017-7525: Deserialization vulnerability via readValue
     method of ObjectMapper. (Closes: #870848)
Checksums-Sha1:
 6e7bef8316e74076da326edd510ffcd282eb7545 2694 jackson-databind_2.8.6-1+deb9u1.dsc
 722ce2f73837560d20eeafdc1c8223a36fb74726 738780 jackson-databind_2.8.6.orig.tar.xz
 ae6630aafd8f7f519ab8b0c3c2866c2310305a2d 5788 jackson-databind_2.8.6-1+deb9u1.debian.tar.xz
 be378f0817282acb9960657ed89f25e87215c2e3 16408 jackson-databind_2.8.6-1+deb9u1_amd64.buildinfo
 e8121cf29945007216e65def21459c0254160afb 1228478 libjackson2-databind-java-doc_2.8.6-1+deb9u1_all.deb
 a0b3b468ab115da5674086bc63c39f5fbd93cf12 1153740 libjackson2-databind-java_2.8.6-1+deb9u1_all.deb
Checksums-Sha256:
 c16f4c2fc44e9500e666dc470b9c1186fa6ab683bacf7d508b5132b9b4923e52 2694 jackson-databind_2.8.6-1+deb9u1.dsc
 1c2edb33da5ad8baafb4b291872f885ee1cfc773683288bd514a19aa19c639d1 738780 jackson-databind_2.8.6.orig.tar.xz
 4845ddc9d699d9e519a81d8018be0208da886c3e43ab284b5a187fcfa2615942 5788 jackson-databind_2.8.6-1+deb9u1.debian.tar.xz
 825916430eecdc0c7f0d8dd747d417f48b9f034714a2dc21d2f2b76b067ade9a 16408 jackson-databind_2.8.6-1+deb9u1_amd64.buildinfo
 f45eeb19c6fff6bf8d8ad254b4a7f2b8d8991863072b3e892bad3c452de4c9fb 1228478 libjackson2-databind-java-doc_2.8.6-1+deb9u1_all.deb
 fcf080e5d4c68b2ba9c3e15100977f54af64b37e479eba8766773e6ba386cd96 1153740 libjackson2-databind-java_2.8.6-1+deb9u1_all.deb
Files:
 55e34f37df236fb186b496f998f1c22a 2694 java optional jackson-databind_2.8.6-1+deb9u1.dsc
 399c2e0e54a1c8e34261f42e29bc1c6e 738780 java optional jackson-databind_2.8.6.orig.tar.xz
 05a2bcf103ae8258be1ef78586e4b256 5788 java optional jackson-databind_2.8.6-1+deb9u1.debian.tar.xz
 1a9153951ee593c567e5f919eb9779c9 16408 java optional jackson-databind_2.8.6-1+deb9u1_amd64.buildinfo
 1daa36599a40c4ec43edffa52051d1e1 1228478 doc optional libjackson2-databind-java-doc_2.8.6-1+deb9u1_all.deb
 cc9e6655aa67cf36bddd8ce249bd9650 1153740 java optional libjackson2-databind-java_2.8.6-1+deb9u1_all.deb





Reply sent to Markus Koschany <apo@debian.org>:
You have taken responsibility. (Sat, 18 Nov 2017 22:21:12 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 18 Nov 2017 22:21:12 GMT)


Message #22 received at 870848-close@bugs.debian.org:

From: Markus Koschany <apo@debian.org>
To: 870848-close@bugs.debian.org
Subject: Bug#870848: fixed in jackson-databind 2.4.2-2+deb8u1
Date: Sat, 18 Nov 2017 22:19:00 +0000
Source: jackson-databind
Source-Version: 2.4.2-2+deb8u1

We believe that the bug you reported is fixed in the latest version of
jackson-databind, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 870848@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <apo@debian.org> (supplier of updated jackson-databind package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 19 Oct 2017 01:44:42 +0200
Source: jackson-databind
Binary: libjackson2-databind-java libjackson2-databind-java-doc
Architecture: source all
Version: 2.4.2-2+deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Description:
 libjackson2-databind-java - fast and powerful JSON library for Java -- data binding
 libjackson2-databind-java-doc - Documentation for jackson-databind
Closes: 870848
Changes:
 jackson-databind (2.4.2-2+deb8u1) jessie-security; urgency=high
 .
   * Team upload.
   * Fix CVE-2017-7525: Deserialization vulnerability via readValue
     method of ObjectMapper. (Closes: #870848)
Checksums-Sha1:
 bed1c6ec546555eb0e49ccaea6857242ef849cf3 2688 jackson-databind_2.4.2-2+deb8u1.dsc
 aaec538f967e8cd0bbff405eef753d10ba2df664 851898 jackson-databind_2.4.2.orig.tar.gz
 1ae7f0fdae862453a3f0ae6f76f13c053a87e59e 6220 jackson-databind_2.4.2-2+deb8u1.debian.tar.xz
 95e9a700283eb51c8032018f4986828350058395 985394 libjackson2-databind-java_2.4.2-2+deb8u1_all.deb
 a879aefe50adfc4823b1d076edef6fc016cdfcab 4749164 libjackson2-databind-java-doc_2.4.2-2+deb8u1_all.deb
Checksums-Sha256:
 8160da76d47ac9d45241761140b61cc26e9dd071a36e8614250764b473634dfd 2688 jackson-databind_2.4.2-2+deb8u1.dsc
 06d8378c6ab40aca83354acf625969801e014a447756ad07e16365925ddf3aa1 851898 jackson-databind_2.4.2.orig.tar.gz
 565f027fdb76103557f7e34236c269fa52459c32bc9174eeadbf5d30e0e84230 6220 jackson-databind_2.4.2-2+deb8u1.debian.tar.xz
 aec403bf86dd9d1c02ba956518fd64c5dddded9b8c4df9ee3bae9f4edc205fa5 985394 libjackson2-databind-java_2.4.2-2+deb8u1_all.deb
 088dd770a71d875faaee183ad9f7c7e5e9c5ffbd66bdd8432225971b47274edb 4749164 libjackson2-databind-java-doc_2.4.2-2+deb8u1_all.deb
Files:
 659b09d354809dc185c3cea754e24703 2688 java optional jackson-databind_2.4.2-2+deb8u1.dsc
 a3cef86907e85f401571db6d5d5ae358 851898 java optional jackson-databind_2.4.2.orig.tar.gz
 b0b2c0c073904b9299d50f6e62272912 6220 java optional jackson-databind_2.4.2-2+deb8u1.debian.tar.xz
 b71da66cc63df8ec0ad08a551fa02958 985394 java optional libjackson2-databind-java_2.4.2-2+deb8u1_all.deb
 422670e2acd0adb48667c8cd7dd38568 4749164 doc optional libjackson2-databind-java-doc_2.4.2-2+deb8u1_all.deb





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 17 Dec 2017 07:28:45 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:16:56 2019; Machine Name: buxtehude
