Your message dated Sat, 18 May 2019 19:03:25 +0000
with message-id <[email protected]>
and subject line Bug#929177: fixed in jackson-databind 2.9.8-2
has caused the Debian Bug report #929177,
regarding jackson-databind: CVE-2019-12086
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
929177: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929177
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: jackson-databind
X-Debbugs-CC: [email protected]
Severity: important
Tags: security
Hi,
I will take care of this one myself.
The following vulnerability was published for jackson-databind.
CVE-2019-12086[0]:
| A Polymorphic Typing issue was discovered in FasterXML jackson-
| databind 2.x before 2.9.9. When Default Typing is enabled (either
| globally or for a specific property) for an externally exposed JSON
| endpoint, the service has the mysql-connector-java jar (8.0.14 or
| earlier) in the classpath, and an attacker can host a crafted MySQL
| server reachable by the victim, an attacker can send a crafted JSON
| message that allows them to read arbitrary local files on the server.
| This occurs because of missing com.mysql.cj.jdbc.admin.MiniAdmin
| validation.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2019-12086
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12086
Please adjust the affected versions in the BTS as needed.
--- End Message ---
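An added illustration, not part of this bug report or of the jackson-databind package itself: the "Default Typing is enabled" precondition in the CVE text above is an ObjectMapper configuration choice. The Java below shows that setting next to the restricted form jackson-databind offers from version 2.10 onwards (PolymorphicTypeValidator / BasicPolymorphicTypeValidator, an assumption about the classpath, since the 2.9.x line discussed here predates that API and was fixed by blocking the specific class instead). The Animal/Dog/Cat classes and the allow-list are constructed for the demonstration.

```java
// Added example; assumes jackson-databind 2.10+ on the classpath
// (BasicPolymorphicTypeValidator does not exist in 2.9.x).
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class DefaultTypingHardening {

    // Hypothetical domain model used only for this demonstration.
    public static abstract class Animal { public String name; }
    public static class Dog extends Animal { public boolean goodBoy = true; }
    public static class Cat extends Animal { public int lives = 9; }

    // The precondition named in CVE-2019-12086: global default typing, so the
    // JSON document itself names the class to instantiate ("@class"), with no
    // restriction on which class names are acceptable. The method is
    // deprecated since 2.10 for exactly this reason.
    @SuppressWarnings("deprecation")
    public static ObjectMapper weakMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL,
                              JsonTypeInfo.As.PROPERTY);
        return m;
    }

    // Hardened form: polymorphic handling stays available for the
    // application's own hierarchy, but only allow-listed subtypes resolve.
    // Anything else named in "@class" is denied before it is instantiated.
    public static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(Dog.class)   // the only subtype we accept
                .build();
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL,
                                JsonTypeInfo.As.PROPERTY);
        return m;
    }

    // Returns true when the mapper is willing to build the object the
    // document asks for, false when the type id is rejected. Denial by the
    // validator surfaces as a JsonMappingException (an InvalidTypeIdException
    // in practice), which is the signal to log at the endpoint.
    public static boolean isAccepted(ObjectMapper mapper, String json) {
        try {
            Animal a = mapper.readValue(json, Animal.class);
            return a != null;
        } catch (JsonMappingException denied) {
            return false;
        } catch (java.io.IOException other) {
            throw new IllegalStateException(other);
        }
    }

    public static void main(String[] args) {
        // Constructed sample documents; class names are those of the nested
        // classes above when this file lives in the default package.
        String dog = "{\"@class\":\"DefaultTypingHardening$Dog\",\"name\":\"rex\"}";
        String cat = "{\"@class\":\"DefaultTypingHardening$Cat\",\"name\":\"tom\"}";

        System.out.println("weak     dog: " + isAccepted(weakMapper(), dog));     // true
        System.out.println("weak     cat: " + isAccepted(weakMapper(), cat));     // true
        System.out.println("hardened dog: " + isAccepted(hardenedMapper(), dog)); // true
        System.out.println("hardened cat: " + isAccepted(hardenedMapper(), cat)); // false
    }
}
```

The weak mapper accepts both documents because it trusts whatever class name the input supplies; the hardened one accepts only Dog, so a document naming any other class, including classes that merely happen to be on the classpath, is refused. Where polymorphism is not needed at all, leaving default typing off entirely is the simpler control; upgrading the library (here to the fixed Debian revision) remains necessary regardless, since the 2.9.x fix for this CVE is a blocklist entry rather than a validator.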
--- Begin Message ---
Source: jackson-databind
Source-Version: 2.9.8-2
We believe that the bug you reported is fixed in the latest version of
jackson-databind, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Markus Koschany <[email protected]> (supplier of updated jackson-databind package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 18 May 2019 20:31:28 +0200
Source: jackson-databind
Architecture: source
Version: 2.9.8-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <[email protected]>
Changed-By: Markus Koschany <[email protected]>
Closes: 929177
Changes:
jackson-databind (2.9.8-2) unstable; urgency=medium
.
* Team upload.
* Fix CVE-2019-12086:
A Polymorphic Typing issue was discovered in jackson-databind. When
Default Typing is enabled (either globally or for a specific property) for
an externally exposed JSON endpoint, the service has the
mysql-connector-java jar (8.0.14 or earlier) in the classpath, and an
attacker can host a crafted MySQL server reachable by the victim, an
attacker can send a crafted JSON message that allows them to read arbitrary
local files on the server. This occurs because of missing
com.mysql.cj.jdbc.admin.MiniAdmin validation. (Closes: #929177)
Checksums-Sha1:
c13dc3920b11e340e9081f4c8df29cff6e911872 2679 jackson-databind_2.9.8-2.dsc
8a50b57f35f4c0be11e86bfce69f165db7c5dce5 5216 jackson-databind_2.9.8-2.debian.tar.xz
a9932dfc1be864be25c7cba97db94ac17dc2cb60 17509 jackson-databind_2.9.8-2_amd64.buildinfo
Checksums-Sha256:
9278bb6b692204a40ad3883dac8b6824a74ea4d2424879bc06f1e58a005413c2 2679 jackson-databind_2.9.8-2.dsc
f0a081e41a648b4a1758b104445138de7a4811a24a894cee225359ae15cfd4cf 5216 jackson-databind_2.9.8-2.debian.tar.xz
701ac7a7394abf4b6ea06dc77a589251778aa13ff79e6df02f61691410da954f 17509 jackson-databind_2.9.8-2_amd64.buildinfo
Files:
db750732df8f06d27c2c6593a2e4e7c8 2679 java optional jackson-databind_2.9.8-2.dsc
8527c10639efc53df67d75d5d9c28a9f 5216 java optional jackson-databind_2.9.8-2.debian.tar.xz
a7e1b5b95bb766498b794e907c63d3dd 17509 java optional jackson-databind_2.9.8-2_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---