Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock

Please unblock package jackson-databind

Hi,

I have fixed CVE-2019-12086 in jackson-databind. Please find attached the debdiff.

Regards,

Markus

unblock jackson-databind/2.9.8-2

-- System Information:
Debian Release: 10.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.9.0-9-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: unable to detect
diff -Nru jackson-databind-2.9.8/debian/changelog jackson-databind-2.9.8/debian/changelog --- jackson-databind-2.9.8/debian/changelog 2018-12-30 11:03:14.000000000 +0100 +++ jackson-databind-2.9.8/debian/changelog 2019-05-18 20:31:28.000000000 +0200 @@ -1,3 +1,18 @@ +jackson-databind (2.9.8-2) unstable; urgency=medium + + * Team upload. + * Fix CVE-2019-12086: + A Polymorphic Typing issue was discovered in jackson-databind. When + Default Typing is enabled (either globally or for a specific property) for + an externally exposed JSON endpoint, the service has the + mysql-connector-java jar (8.0.14 or earlier) in the classpath, and an + attacker can host a crafted MySQL server reachable by the victim, an + attacker can send a crafted JSON message that allows them to read arbitrary + local files on the server. This occurs because of missing + com.mysql.cj.jdbc.admin.MiniAdmin validation. (Closes: #929177) + + -- Markus Koschany <a...@debian.org> Sat, 18 May 2019 20:31:28 +0200 + jackson-databind (2.9.8-1) unstable; urgency=medium * Team upload. diff -Nru jackson-databind-2.9.8/debian/patches/CVE-2019-12086.patch jackson-databind-2.9.8/debian/patches/CVE-2019-12086.patch --- jackson-databind-2.9.8/debian/patches/CVE-2019-12086.patch 1970-01-01 01:00:00.000000000 +0100 +++ jackson-databind-2.9.8/debian/patches/CVE-2019-12086.patch 2019-05-18 20:31:28.000000000 +0200 
@@ -0,0 +1,25 @@ +From: Markus Koschany <a...@debian.org> +Date: Sat, 18 May 2019 20:29:23 +0200 +Subject: CVE-2019-12086 + +Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929177 +Bug-Upstream: https://github.com/FasterXML/jackson-databind/issues/2326 +Origin: https://github.com/FasterXML/jackson-databind/commit/dda513bd7251b4f32b7b60b1c13740e3b5a43024 +--- + .../com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java +index 30adb94..a17cdf5 100644 +--- a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java ++++ b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java +@@ -80,6 +80,9 @@ public class SubTypeValidator + s.add("org.apache.openjpa.ee.JNDIManagedRuntime"); + s.add("org.apache.axis2.transport.jms.JMSOutTransportInfo"); + ++ // [databind#2326] (2.9.9): one more 3rd party gadget ++ s.add("com.mysql.cj.jdbc.admin.MiniAdmin"); ++ + DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s); + } + diff -Nru jackson-databind-2.9.8/debian/patches/series jackson-databind-2.9.8/debian/patches/series --- jackson-databind-2.9.8/debian/patches/series 1970-01-01 01:00:00.000000000 +0100 +++ jackson-databind-2.9.8/debian/patches/series 2019-05-18 20:31:28.000000000 +0200 @@ -0,0 +1 @@ +CVE-2019-12086.patch
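Review bot: The debian/changelog hunk marks a security fix with `urgency=medium`; Debian practice for uploads that close a CVE is `urgency=high`, so consider bumping it, as the entry otherwise documents the issue well (CVE id, the conditions from the advisory text, and `Closes: #929177`).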
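Review bot: In the SubTypeValidator.java hunk the whole fix is one exact-match string added to `DEFAULT_NO_DESER_CLASS_NAMES` (`s.add("com.mysql.cj.jdbc.admin.MiniAdmin");`), so it only blocks that one class name and only matters when default typing is enabled; that is the same blocklist approach upstream took for 2.9.9, but the DEP-3 header should say so, e.g. add `Applied-Upstream: 2.9.9` next to the existing `Origin:` line since the code comment already references that release. The backport carries no test ("1 file changed, 3 insertions(+)"), so please confirm after the build that deserialising a polymorphic value naming that class is now rejected, and keep the changelog wording that the exposure requires Default Typing on an externally reachable endpoint, since not enabling default typing for untrusted input remains the real mitigation.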