Your message dated Fri, 23 Feb 2018 13:33:48 +0000 with message-id <e1epdtw-0002ph...@fasolo.debian.org> and subject line Bug#888316: fixed in jackson-databind 2.4.2-2+deb8u3 has caused the Debian Bug report #888316, regarding jackson-databind: CVE-2018-5968 to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 888316: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=888316 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
--- Begin Message ---Source: jackson-databind Version: 2.9.1-1 Severity: grave Tags: patch security upstream Forwarded: https://github.com/FasterXML/jackson-databind/issues/1899 Control: found -1 2.8.6-1+deb9u2 Control: found -1 2.4.2-2+deb8u2 Hi, the following vulnerability was published for jackson-databind. CVE-2018-5968[0]: | FasterXML jackson-databind through 2.8.11 and 2.9.x through 2.9.3 | allows unauthenticated remote code execution because of an incomplete | fix for the CVE-2017-7525 and CVE-2017-17485 deserialization flaws. | This is exploitable via two different gadgets that bypass a blacklist. The upstream issue is at [1], with upstrema fix [2]. If I see it correctly with commit [3] the code was shuffled a bit around, so the patched file is different in meanwhile. If you disagree on the analysis, given I'm unfamiliar iwth jackson-databind let me know. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2018-5968 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5968 [1] https://github.com/FasterXML/jackson-databind/issues/1899 [2] https://github.com/FasterXML/jackson-databind/commit/038b471e2efde2e8f96b4e0be958d3e5a1ff1d05 [3] https://github.com/FasterXML/jackson-databind/commit/2235894210c75f624a3d0cd60bfb0434a20a18bf Regards, Salvatore
--- End Message ---
--- Begin Message ---Source: jackson-databind Source-Version: 2.4.2-2+deb8u3 We believe that the bug you reported is fixed in the latest version of jackson-databind, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 888...@bugs.debian.org, and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Markus Koschany <a...@debian.org> (supplier of updated jackson-databind package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Sat, 27 Jan 2018 19:37:47 +0100 Source: jackson-databind Binary: libjackson2-databind-java libjackson2-databind-java-doc Architecture: source all Version: 2.4.2-2+deb8u3 Distribution: jessie-security Urgency: high Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org> Changed-By: Markus Koschany <a...@debian.org> Description: libjackson2-databind-java - fast and powerful JSON library for Java -- data binding libjackson2-databind-java-doc - Documentation for jackson-databind Closes: 888316 888318 Changes: jackson-databind (2.4.2-2+deb8u3) jessie-security; urgency=high . * Team upload. * Fix CVE-2017-17485 and CVE-2018-5968: Bybass of deserialization blackist to disallow unauthenticated remote code execution. These CVE exist due to an incomplete fix for CVE-2017-7525. (Closes: #888316, #888318) Checksums-Sha1: 339e625f321ef1df40916f240962a4aa6b8cbb2c 2688 jackson-databind_2.4.2-2+deb8u3.dsc 250fd096cb10e56cb471a4b34a9e05c26094d1f6 8884 jackson-databind_2.4.2-2+deb8u3.debian.tar.xz 40403e491d64e5c35367a16c879f1dc6f9601b99 986180 libjackson2-databind-java_2.4.2-2+deb8u3_all.deb 96420399cd5a2c88ec5188d90ba27431ff1b77fd 4737360 libjackson2-databind-java-doc_2.4.2-2+deb8u3_all.deb Checksums-Sha256: e148edc0b6c112ef4d63abe1576e28cde6aa80c80423e05c34b1adb69d12bceb 2688 jackson-databind_2.4.2-2+deb8u3.dsc a98f12468a822a332a86ffb1d9e59d24524f16a5ea6d8e4636e05b067e097e2a 8884 jackson-databind_2.4.2-2+deb8u3.debian.tar.xz 64958a05caeca76846b4a064cf3fe9f2fe2b4de5d41df365c1e817ef51cc43af 986180 libjackson2-databind-java_2.4.2-2+deb8u3_all.deb 1a0084cb046d309beb6c04e02f21585328f000ba1ebf19d47014d79d899b4287 4737360 libjackson2-databind-java-doc_2.4.2-2+deb8u3_all.deb Files: 2d383e0bd2b4ca28e2e4939fcc85808f 2688 java optional jackson-databind_2.4.2-2+deb8u3.dsc 43f1592f62bec9fff65f015cb495c55a 8884 java optional jackson-databind_2.4.2-2+deb8u3.debian.tar.xz 7bf39b2a509bf5a23d8f673bb1225ae7 986180 java optional libjackson2-databind-java_2.4.2-2+deb8u3_all.deb 5f83f7c1e0ddcd484f2c02d80a38039b 4737360 doc optional libjackson2-databind-java-doc_2.4.2-2+deb8u3_all.deb -----BEGIN PGP SIGNATURE----- iQKjBAEBCgCNFiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAlqAd9NfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQPHGFwb0BkZWJp YW4ub3JnAAoJENmtFLlRO1HkCaMP/AuaPQ5hMZMO8fKx9PyeQV964RFfVqJ9gXSE b8Y/XUWg80TvBbxOGK5PMUfFr+eJelQ/Xi2PgbZqKRSh7dk3gT8qKgkXqgASUO0u bXntOJG/icNu4LVadjTQBlN82ObF7izdSY4PLPREbhn3zfF5VOKPPbJSeqRUocKJ Yjk5QVYWzS5hqGN5+mwNDRWzNGnA5kHgZG+CgR/zSsU76YLZ1LlIOZDh+1GR9PyW fUQ+T4Pjs5P0wPsHGLyOzPPNnNx+aKWu5cjqp5RRQiyJhGAjksxBUahcvoj4QQ0i SJ7U2tADdZrIXy66YxliuWju0f+tyFDNhQzCzC/Q6b6uP9fE+4yHa5fer1ZKROfx k71vMON0YXTWiDj9jHvkc/YtkT+XcOfJNMwhYJJzIfIvwiv3zBuoPnSInvQ282Og J10uE4XnnRNsgpsZRZIoScJm3ZSKa1qAprX7cR/P+b1YGgLlGSWR+TwYA2eEp+6i tUrPjcPx97DZOHSS4xBzqKrmnVwXNmFjpnhGsNX3cy3t563pksYq5iXRAYVEeayU GnGrvDcky4bm3JnykkpjCK/2lfTTwkHFfX3T2tR1ZpB2d9rbRQyHvJ7//FyswKo5 QbiFoCup7Bb2amK2m4HSos4CkuVktIJVJX9+Pn1GzBVlUbbqdnHn5AV+k4r9aw0r I766dhvg =ruD8 -----END PGP SIGNATURE-----
--- End Message ---
__ This is the maintainer address of Debian's Java team <http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers>. Please use debian-j...@lists.debian.org for discussions and questions.
