Bug#930940: marked as done (unblock: jackson-databind/2.9.8-3)

To: Jonathan Wiltshire <jmw@debian.org>
Subject: Bug#930940: marked as done (unblock: jackson-databind/2.9.8-3)
From: "Debian Bug Tracking System" <owner@bugs.debian.org>
Date: Sun, 23 Jun 2019 14:06:07 +0000
Message-id: <[🔎] handler.930940.D930940.156129863218809.ackdone@bugs.debian.org>
Reply-to: 930940@bugs.debian.org
References: <20190623140349.GA28720@powdarrmonkey.net> <[🔎] 156124143052.26273.1231112794119546748.reportbug@spike>

Your message dated Sun, 23 Jun 2019 15:03:49 +0100
with message-id <20190623140349.GA28720@powdarrmonkey.net>
and subject line Re: Bug#930940: unblock: jackson-databind/2.9.8-3
has caused the Debian Bug report #930940,
regarding unblock: jackson-databind/2.9.8-3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
930940: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930940
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: unblock: jackson-databind/2.9.8-3
From: Markus Koschany <apo@debian.org>
Date: Sun, 23 Jun 2019 00:10:30 +0200
Message-id: <[🔎] 156124143052.26273.1231112794119546748.reportbug@spike>

Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Dear release team,

Please unblock package jackson-databind

It would be great if we could include the latest security fixes for
this package. #930750

Thanks,

Markus

unblock jackson-databind/2.9.8-3

-- System Information:
Debian Release: 10.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-9-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: unable to detect

diff -Nru jackson-databind-2.9.8/debian/changelog jackson-databind-2.9.8/debian/changelog
--- jackson-databind-2.9.8/debian/changelog	2019-05-18 20:31:28.000000000 +0200
+++ jackson-databind-2.9.8/debian/changelog	2019-06-22 00:28:48.000000000 +0200
@@ -1,3 +1,16 @@
+jackson-databind (2.9.8-3) unstable; urgency=medium
+
+  * Team upload.
+  * Fix CVE-2019-12814 and CVE-2019-12384:
+    More Polymorphic Typing issues were discovered in jackson-databind. When
+    Default Typing is enabled (either globally or for a specific property) for
+    an externally exposed JSON endpoint and the service has JDOM 1.x or 2.x or
+    logback-core jar in the classpath, an attacker can send a specifically
+    crafted JSON message that allows them to read arbitrary local files on the
+    server. (Closes: #930750)
+
+ -- Markus Koschany <apo@debian.org>  Sat, 22 Jun 2019 00:28:48 +0200
+
 jackson-databind (2.9.8-2) unstable; urgency=medium
 
   * Team upload.
diff -Nru jackson-databind-2.9.8/debian/patches/CVE-2019-12384.patch jackson-databind-2.9.8/debian/patches/CVE-2019-12384.patch
--- jackson-databind-2.9.8/debian/patches/CVE-2019-12384.patch	1970-01-01 01:00:00.000000000 +0100
+++ jackson-databind-2.9.8/debian/patches/CVE-2019-12384.patch	2019-06-22 00:28:48.000000000 +0200
@@ -0,0 +1,24 @@
+From: Markus Koschany <apo@debian.org>
+Date: Sat, 22 Jun 2019 00:00:02 +0200
+Subject: CVE-2019-12384
+
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930750
+Origin: https://github.com/FasterXML/jackson-databind/commit/c9ef4a10d6f6633cf470d6a469514b68fa2be234
+---
+ .../com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+index a17cdf5..3dbb16e 100644
+--- a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
++++ b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+@@ -83,6 +83,9 @@ public class SubTypeValidator
+         // [databind#2326] (2.9.9): one more 3rd party gadget
+         s.add("com.mysql.cj.jdbc.admin.MiniAdmin");
+ 
++        // [databind#2334] (2.9.9.1): logback-core
++        s.add("ch.qos.logback.core.db.DriverManagerConnectionSource");
++
+         DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
+     }
+ 
diff -Nru jackson-databind-2.9.8/debian/patches/CVE-2019-12814.patch jackson-databind-2.9.8/debian/patches/CVE-2019-12814.patch
--- jackson-databind-2.9.8/debian/patches/CVE-2019-12814.patch	1970-01-01 01:00:00.000000000 +0100
+++ jackson-databind-2.9.8/debian/patches/CVE-2019-12814.patch	2019-06-22 00:28:48.000000000 +0200
@@ -0,0 +1,29 @@
+From: Markus Koschany <apo@debian.org>
+Date: Sat, 22 Jun 2019 00:26:32 +0200
+Subject: CVE-2019-12814
+
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930750
+Origin: https://github.com/FasterXML/jackson-databind/commit/5f7c69bba07a7155adde130d9dee2e54a54f1fa5
+---
+ .../fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java  | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+index 3dbb16e..72db61d 100644
+--- a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
++++ b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+@@ -83,9 +83,13 @@ public class SubTypeValidator
+         // [databind#2326] (2.9.9): one more 3rd party gadget
+         s.add("com.mysql.cj.jdbc.admin.MiniAdmin");
+ 
+-        // [databind#2334] (2.9.9.1): logback-core
++        // [databind#2334]: logback-core
+         s.add("ch.qos.logback.core.db.DriverManagerConnectionSource");
+ 
++        // [databind#2341]: jdom/jdom2
++        s.add("org.jdom.transform.XSLTransformer");
++        s.add("org.jdom2.transform.XSLTransformer");
++
+         DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
+     }
+ 
diff -Nru jackson-databind-2.9.8/debian/patches/series jackson-databind-2.9.8/debian/patches/series
--- jackson-databind-2.9.8/debian/patches/series	2019-05-18 20:31:28.000000000 +0200
+++ jackson-databind-2.9.8/debian/patches/series	2019-06-22 00:28:48.000000000 +0200
@@ -1 +1,3 @@
 CVE-2019-12086.patch
+CVE-2019-12384.patch
+CVE-2019-12814.patch

--- End Message ---

--- Begin Message ---

To: Markus Koschany <apo@debian.org>, 930940-done@bugs.debian.org

Subject: Re: Bug#930940: unblock: jackson-databind/2.9.8-3

From: Jonathan Wiltshire <jmw@debian.org>

Date: Sun, 23 Jun 2019 15:03:49 +0100

Message-id: <20190623140349.GA28720@powdarrmonkey.net>

In-reply-to: <[🔎] 156124143052.26273.1231112794119546748.reportbug@spike>

References: <[🔎] 156124143052.26273.1231112794119546748.reportbug@spike>
On Sun, Jun 23, 2019 at 12:10:30AM +0200, Markus Koschany wrote:
> Please unblock package jackson-databind
> 
> It would be great if we could include the latest security fixes for
> this package. #930750

Unblocked; thanks.


-- 
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51
--- End Message ---

Reply to:

References:
- Bug#930940: unblock: jackson-databind/2.9.8-3
  - From: Markus Koschany <apo@debian.org>

Prev by Date: Bug#930951: nmu: libapt-pkg-perl_0.1.36
Next by Date: Bug#930865: unblock: bochs/2.6.9+dfsg-3
Previous by thread: Bug#930940: unblock: jackson-databind/2.9.8-3
Next by thread: Bug#930936: unblock: installation-guide/20190622
Index(es):
- Date
- Thread