Your message dated Fri, 21 Jun 2019 23:20:03 +0000
with message-id <[email protected]>
and subject line Bug#930750: fixed in jackson-databind 2.9.8-3
has caused the Debian Bug report #930750,
regarding jackson-databind: CVE-2019-12384 CVE-2019-12814
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
930750: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930750
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: jackson-databind
Version: 2.9.8-2
Severity: important
Tags: security upstream

Hi,

The following vulnerabilities were published for jackson-databind.

CVE-2019-12384[0]:
| Another issue (exploitable using polymorphic deserialization), cf.
| [2].

CVE-2019-12814[1]:
| A Polymorphic Typing issue was discovered in FasterXML
| jackson-databind 2.x through 2.9.9. When Default Typing is enabled
| (either globally or for a specific property) for an externally exposed
| JSON endpoint and the service has JDOM 1.x or 2.x jar in the classpath,
| an attacker can send a specifically crafted JSON message that allows
| them to read arbitrary local files on the server.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-12384
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12384
[1] https://security-tracker.debian.org/tracker/CVE-2019-12814
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12814
[2] https://github.com/FasterXML/jackson-databind/issues/2334
[3] https://github.com/FasterXML/jackson-databind/issues/2341

Regards,
Salvatore

--- End Message ---
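Both CVE descriptions in the report above share one precondition: Default Typing enabled on an ObjectMapper, so that a type name inside the JSON document chooses which class on the classpath gets instantiated. The Java below is an added example, not code from the bug report, from Debian or from the jackson-databind project; it places that weak configuration next to three safer ones a service owner can choose from. It assumes jackson-databind 2.10 or later for the PolymorphicTypeValidator part (activateDefaultTyping and BasicPolymorphicTypeValidator do not exist in the 2.9.x line this report concerns; there the first and third options apply), and the package prefix com.example.app.model and the Shape, Circle and Square classes are hypothetical placeholders.

```java
// Added example (not from the Debian report or the jackson-databind project):
// weak versus hardened configuration of polymorphic typing in jackson-databind.
import com.fasterxml.jackson.annotation.JsonSubTypes;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class DefaultTypingExample {

    // WEAK: the precondition named in both CVE texts. Global Default Typing
    // lets the JSON document name the class to instantiate, so every class on
    // the classpath with a usable constructor or setter becomes a candidate
    // (the JDOM and logback-core jars from the report are two such cases).
    // enableDefaultTyping() is the 2.9.x API; 2.10+ deprecates it.
    static ObjectMapper weakMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    // HARDENED 1: do not enable Default Typing at all. The target class is
    // then fixed by the declared Java type passed to readValue().
    static ObjectMapper plainMapper() {
        return new ObjectMapper();
    }

    // HARDENED 2 (2.10+ only): when polymorphism is genuinely needed, activate
    // it with a validator that allows only the application's own subtypes.
    // "com.example.app.model." is a hypothetical package prefix.
    static ObjectMapper allowlistedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.app.model.")
                .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    // HARDENED 3 (works on 2.9.x too): declare the hierarchy explicitly with
    // logical names instead of class names, so the "kind" property can only
    // select one of the listed subtypes. Shape/Circle/Square are hypothetical.
    @JsonTypeInfo(use = JsonTypeInfo.Id.NAME, property = "kind")
    @JsonSubTypes({
        @JsonSubTypes.Type(value = Circle.class, name = "circle"),
        @JsonSubTypes.Type(value = Square.class, name = "square")
    })
    interface Shape {}

    static final class Circle implements Shape { public double radius; }
    static final class Square implements Shape { public double side; }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: a document naming a listed subtype.
        String json = "{\"kind\":\"circle\",\"radius\":2.0}";
        Shape s = plainMapper().readValue(json, Shape.class);
        System.out.println("Deserialized as " + s.getClass().getSimpleName());

        // A "kind" value outside @JsonSubTypes is rejected by Jackson with
        // com.fasterxml.jackson.databind.exc.InvalidTypeIdException rather
        // than resolved to an arbitrary class on the classpath.
    }
}
```

The library-side fix shipped in 2.9.8-3 narrows which classes Default Typing may reach; the safer configurations above remove the dependency on that list entirely, which is the check worth making when reviewing any service that accepts JSON from outside.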
--- Begin Message ---
Source: jackson-databind
Source-Version: 2.9.8-3

We believe that the bug you reported is fixed in the latest version of
jackson-databind, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <[email protected]> (supplier of updated jackson-databind package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 22 Jun 2019 00:28:48 +0200
Source: jackson-databind
Architecture: source
Version: 2.9.8-3
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers 
<[email protected]>
Changed-By: Markus Koschany <[email protected]>
Closes: 930750
Changes:
 jackson-databind (2.9.8-3) unstable; urgency=medium
 .
   * Team upload.
   * Fix CVE-2019-12814 and CVE-2019-12384:
     More Polymorphic Typing issues were discovered in jackson-databind. When
     Default Typing is enabled (either globally or for a specific property) for
     an externally exposed JSON endpoint and the service has JDOM 1.x or 2.x or
     logback-core jar in the classpath, an attacker can send a specifically
     crafted JSON message that allows them to read arbitrary local files on the
     server. (Closes: #930750)
Checksums-Sha1:
 a74b7dbaa7c97126f29a8a594cdc82835f41d84c 2679 jackson-databind_2.9.8-3.dsc
 fca576cf5ece46791d38f5a04eee6c9e6507d823 5580 
jackson-databind_2.9.8-3.debian.tar.xz
 6024e37037d977a4b511c4b59e7124ef098df15d 17597 
jackson-databind_2.9.8-3_amd64.buildinfo
Checksums-Sha256:
 3c665283c212204ccc57dd4173f3387905f05382b08ebe9c2f32fccbce058f2f 2679 
jackson-databind_2.9.8-3.dsc
 bf18b8579ec4eb3f4a38fbb27b719ea4598f507aa7be0ff2977dbb8feb05dac4 5580 
jackson-databind_2.9.8-3.debian.tar.xz
 ecec131838c3a09a2881ab4b778284494d8b67321863ba4fe3472fe374563540 17597 
jackson-databind_2.9.8-3_amd64.buildinfo
Files:
 46151556b971474c3cb2a4f4607d9571 2679 java optional 
jackson-databind_2.9.8-3.dsc
 ffe08ef14a4fe96ff617ad9e97c545ae 5580 java optional 
jackson-databind_2.9.8-3.debian.tar.xz
 a61fa98f99ed7e4565e9f46eccf61692 17597 java optional 
jackson-databind_2.9.8-3_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQKjBAEBCgCNFiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAl0NXeFfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQPHGFwb0BkZWJp
YW4ub3JnAAoJENmtFLlRO1HkkrgQAK+yREzk5E9hMh/rL3aMbpDk3ff1ffnbJyGg
YB/r86a3MkJx5WiFBLFVpql2B8lXUMy0ls190kJx4GBe7xbqzFmTNsQcvLHoVSwy
iA2SKdksOCNE0Yp0fUoxmopWGz6Dv899P27gpo7ioufO0+WHC4HI1ERB8tbT6fk+
G7XjK+jsTasrbzt75f0/t8zg0zw79dUtC9HGpQKpYWoehw9NJ4BKixJTvnNRRH1B
dd08cmyAsjTAlRTiy3OU7OzPjN/sMAUvf2Jwhi0qcWaWldDwnZia2fmNDFYf1g0/
yEx681jgbq7PdqnlCB2q9g4wtl2Wj8Fb2l04U0xGIJoH9OnoM2h4FpLaJsJ48aLO
rAdIasT8bOUcO72UI8RCQyphM8cbSqmrAeeM5QYXr4VhqWglCrmDSYD3E8+wGo6E
eKAy3jyjfSu4KoD/SSLyfrnGnQ6/BRQJnKszWx/Mnv/7A03kvvSMy2zkZe96v7Ti
OjMDZQWKtO3SAB9WZXYdfvLxte/cqyytqwarfI6CGUHygybE7sNhyshPXkVfJVX1
8G04ECYn+fmsUqW7GP0y2P4bwnd1w0rifItJ7HLq8J86mnLwe5xMz64mVUfH0QW+
lwSsRcAsuP1kRu3T/YbULDnzBAX6eTeCumYngTaJsBcANrthMMYUZ5j9whAeH9WL
XbeR7uHX
=6iy5
-----END PGP SIGNATURE-----

--- End Message ---
__
This is the maintainer address of Debian's Java team
<https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-java-maintainers>.
Please use [email protected] for discussions and questions.
