[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#929457: marked as done (unblock: jackson-databind/2.9.8-2)

Your message dated Thu, 23 May 2019 20:15:00 +0000
with message-id <0242fa58-0b4d-69e1-0300-47449c4079c3@thykier.net>
and subject line Re: Bug#929457: unblock: jackson-databind/2.9.8-2
has caused the Debian Bug report #929457,
regarding unblock: jackson-databind/2.9.8-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
929457: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929457
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message --- 
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package jackson-databind

Hi,

I have fixed CVE-2019-12086 in jackson-databind. Please find attached
the debdiff.

Regards,

Markus


unblock jackson-databind/2.9.8-2

-- System Information:
Debian Release: 10.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-9-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: unable to detect

diff -Nru jackson-databind-2.9.8/debian/changelog jackson-databind-2.9.8/debian/changelog
--- jackson-databind-2.9.8/debian/changelog	2018-12-30 11:03:14.000000000 +0100
+++ jackson-databind-2.9.8/debian/changelog	2019-05-18 20:31:28.000000000 +0200
@@ -1,3 +1,18 @@
+jackson-databind (2.9.8-2) unstable; urgency=medium
+
+  * Team upload.
+  * Fix CVE-2019-12086:
+    A Polymorphic Typing issue was discovered in jackson-databind. When
+    Default Typing is enabled (either globally or for a specific property) for
+    an externally exposed JSON endpoint, the service has the
+    mysql-connector-java jar (8.0.14 or earlier) in the classpath, and an
+    attacker can host a crafted MySQL server reachable by the victim, an
+    attacker can send a crafted JSON message that allows them to read arbitrary
+    local files on the server. This occurs because of missing
+    com.mysql.cj.jdbc.admin.MiniAdmin validation. (Closes: #929177)
+
+ -- Markus Koschany <apo@debian.org>  Sat, 18 May 2019 20:31:28 +0200
+
 jackson-databind (2.9.8-1) unstable; urgency=medium
 
   * Team upload.
diff -Nru jackson-databind-2.9.8/debian/patches/CVE-2019-12086.patch jackson-databind-2.9.8/debian/patches/CVE-2019-12086.patch
--- jackson-databind-2.9.8/debian/patches/CVE-2019-12086.patch	1970-01-01 01:00:00.000000000 +0100
+++ jackson-databind-2.9.8/debian/patches/CVE-2019-12086.patch	2019-05-18 20:31:28.000000000 +0200
@@ -0,0 +1,25 @@
+From: Markus Koschany <apo@debian.org>
+Date: Sat, 18 May 2019 20:29:23 +0200
+Subject: CVE-2019-12086
+
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929177
+Bug-Upstream: https://github.com/FasterXML/jackson-databind/issues/2326
+Origin: https://github.com/FasterXML/jackson-databind/commit/dda513bd7251b4f32b7b60b1c13740e3b5a43024
+---
+ .../com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+index 30adb94..a17cdf5 100644
+--- a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
++++ b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+@@ -80,6 +80,9 @@ public class SubTypeValidator
+         s.add("org.apache.openjpa.ee.JNDIManagedRuntime");
+         s.add("org.apache.axis2.transport.jms.JMSOutTransportInfo");
+ 
++        // [databind#2326] (2.9.9): one more 3rd party gadget
++        s.add("com.mysql.cj.jdbc.admin.MiniAdmin");
++
+         DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
+     }
+ 
diff -Nru jackson-databind-2.9.8/debian/patches/series jackson-databind-2.9.8/debian/patches/series
--- jackson-databind-2.9.8/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ jackson-databind-2.9.8/debian/patches/series	2019-05-18 20:31:28.000000000 +0200
@@ -0,0 +1 @@
+CVE-2019-12086.patch

--- End Message ---
--- Begin Message --- 
Markus Koschany:
> Package: release.debian.org
> Severity: normal
> User: release.debian.org@packages.debian.org
> Usertags: unblock
> 
> Please unblock package jackson-databind
> 
> Hi,
> 
> I have fixed CVE-2019-12086 in jackson-databind. Please find attached
> the debdiff.
> 
> Regards,
> 
> Markus
> 
> 
> unblock jackson-databind/2.9.8-2
> 
> [...]

Unblocked, thanks.
~Niels

--- End Message ---
Reply to: