
Bug#964727: marked as done (stretch-pu: package jackson-databind/2.8.6-1+deb9u6)



Your message dated Sat, 18 Jul 2020 13:07:00 +0100
with message-id <b8d89cdfeeda7b6d1ef96a8706a20f9525c2151b.camel@adam-barratt.org.uk>
and subject line Closing requests for fixes included in 9.13 point release
has caused the Debian Bug report #964727,
regarding stretch-pu: package jackson-databind/2.8.6-1+deb9u6
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
964727: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=964727
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu

Dear release team,

I would like to update jackson-databind in Stretch. It is currently
affected by 20 CVEs which are deemed no-dsa by the security team.
I have added a patch that extends the blacklist to block more classes
from polymorphic deserialization.

Regards,

Markus
diff -Nru jackson-databind-2.8.6/debian/changelog jackson-databind-2.8.6/debian/changelog
--- jackson-databind-2.8.6/debian/changelog	2019-10-05 19:21:48.000000000 +0200
+++ jackson-databind-2.8.6/debian/changelog	2020-07-09 16:42:01.000000000 +0200
@@ -1,3 +1,16 @@
+jackson-databind (2.8.6-1+deb9u7) stretch; urgency=medium
+
+  * Add multiple-CVE-BeanDeserializerFactory.patch and block more classes from
+    polymorphic deserialization.
+    This fixes 20 CVE that currently affect the package namely,
+    CVE-2020-9548, CVE-2020-9547, CVE-2020-9546, CVE-2020-8840, CVE-2020-14195,
+    CVE-2020-14062, CVE-2020-14061, CVE-2020-14060, CVE-2020-11620,
+    CVE-2020-11619, CVE-2020-11113, CVE-2020-11112, CVE-2020-11111,
+    CVE-2020-10969, CVE-2020-10968, CVE-2020-10673, CVE-2020-10672,
+    CVE-2019-20330, CVE-2019-17531 and CVE-2019-17267.
+
+ -- Markus Koschany <apo@debian.org>  Thu, 09 Jul 2020 16:42:01 +0200
+
 jackson-databind (2.8.6-1+deb9u6) stretch-security; urgency=high
 
   * Fix CVE-2019-12384, CVE-2019-12814, CVE-2019-14379, CVE-2019-14439,
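Review bot: the version in the new changelog stanza (2.8.6-1+deb9u7) does not match the version in the request's subject (jackson-databind/2.8.6-1+deb9u6); the subject should name the version actually being proposed so the release team tracks the right upload. The entry also says what the patch does but not which upstream jackson-databind release the deny list was synchronised with, which is exactly what the next person extending this list in stretch will need; one line naming that reference would help. Minor wording: "This fixes 20 CVE that currently affect the package namely," reads better as "This fixes 20 CVEs that currently affect the package, namely:".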
diff -Nru jackson-databind-2.8.6/debian/patches/multiple-CVE-BeanDeserializerFactory.patch jackson-databind-2.8.6/debian/patches/multiple-CVE-BeanDeserializerFactory.patch
--- jackson-databind-2.8.6/debian/patches/multiple-CVE-BeanDeserializerFactory.patch	1970-01-01 01:00:00.000000000 +0100
+++ jackson-databind-2.8.6/debian/patches/multiple-CVE-BeanDeserializerFactory.patch	2020-07-09 16:42:01.000000000 +0200
@@ -0,0 +1,189 @@
+From: Markus Koschany <apo@debian.org>
+Date: Thu, 9 Jul 2020 16:39:09 +0200
+Subject: multiple CVE BeanDeserializerFactory
+
+This is the fix for
+CVE-2020-9548, CVE-2020-9547, CVE-2020-9546, CVE-2020-8840, CVE-2020-14195,
+CVE-2020-14062, CVE-2020-14061, CVE-2020-14060, CVE-2020-11620, CVE-2020-11619,
+CVE-2020-11113, CVE-2020-11112, CVE-2020-11111, CVE-2020-10969, CVE-2020-10968,
+CVE-2020-10673, CVE-2020-10672, CVE-2019-20330, CVE-2019-17531 and
+CVE-2019-17267.
+---
+ .../databind/deser/BeanDeserializerFactory.java    | 109 ++++++++++++++++++---
+ 1 file changed, 96 insertions(+), 13 deletions(-)
+
+diff --git a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
+index 77d426c..a594f08 100644
+--- a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
++++ b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
+@@ -54,6 +54,7 @@ public class BeanDeserializerFactory
+         Set<String> s = new HashSet<>();
+         // Courtesy of [https://github.com/kantega/notsoserial]:
+         // (and wrt [databind#1599])
++
+         s.add("org.apache.commons.collections.functors.InvokerTransformer");
+         s.add("org.apache.commons.collections.functors.InstantiateTransformer");
+         s.add("org.apache.commons.collections4.functors.InvokerTransformer");
+@@ -69,10 +70,14 @@ public class BeanDeserializerFactory
+         s.add("java.util.logging.FileHandler");
+         s.add("java.rmi.server.UnicastRemoteObject");
+         // [databind#1737]; 3rd party
+-        s.add("org.springframework.aop.support.AbstractBeanFactoryPointcutAdvisor");
++//s.add("org.springframework.aop.support.AbstractBeanFactoryPointcutAdvisor"); // deprecated by [databind#1855]
+         s.add("org.springframework.beans.factory.config.PropertyPathFactoryBean");
+-//        s.add("com.mchange.v2.c3p0.JndiRefForwardingDataSource"); // deprecated by [databind#1931]
+-//        s.add("com.mchange.v2.c3p0.WrapperConnectionPoolDataSource"); // - "" -
++        // [databind#2680]
++        s.add("org.springframework.aop.config.MethodLocatingFactoryBean");
++        s.add("org.springframework.beans.factory.config.BeanReferenceFactoryBean");
++
++// s.add("com.mchange.v2.c3p0.JndiRefForwardingDataSource"); // deprecated by [databind#1931]
++// s.add("com.mchange.v2.c3p0.WrapperConnectionPoolDataSource"); // - "" -
+         // [databind#1855]: more 3rd party
+         s.add("org.apache.tomcat.dbcp.dbcp2.BasicDataSource");
+         s.add("com.sun.org.apache.bcel.internal.util.ClassLoader");
+@@ -82,10 +87,11 @@ public class BeanDeserializerFactory
+         // [databind#2032]: more 3rd party; data exfiltration via xml parsed ext entities
+         s.add("org.apache.ibatis.parsing.XPathParser");
+ 
+-        // [databind#2052]: ldap approaches; in all cases LDAP connection String is passed
+-        //   and access attempt is made:
+-        s.add("oracle.jdbc.connector.OracleManagedConnectionFactory");
++        // [databind#2052]: Jodd-db, with jndi/ldap lookup
+         s.add("jodd.db.connection.DataSourceConnectionProvider");
++
++        // [databind#2058]: Oracle JDBC driver, with jndi/ldap lookup
++        s.add("oracle.jdbc.connector.OracleManagedConnectionFactory");
+         s.add("oracle.jdbc.rowset.OracleJDBCRowSet");
+ 
+         // [databind#2097]: some 3rd party, one JDK-bundled
+@@ -94,31 +100,32 @@ public class BeanDeserializerFactory
+         s.add("com.sun.deploy.security.ruleset.DRSHelper");
+         s.add("org.apache.axis2.jaxws.spi.handler.HandlerResolverImpl");
+ 
+-        // [databind#2186]: yet more 3rd party gadgets
++        // [databind#2186], [databind#2670]: yet more 3rd party gadgets
+         s.add("org.jboss.util.propertyeditor.DocumentEditor");
+         s.add("org.apache.openjpa.ee.RegistryManagedRuntime");
+         s.add("org.apache.openjpa.ee.JNDIManagedRuntime");
++        s.add("org.apache.openjpa.ee.WASRegistryManagedRuntime"); // [#2670] addition
+         s.add("org.apache.axis2.transport.jms.JMSOutTransportInfo");
+ 
+-        // [databind#2326] (2.9.9): one more 3rd party gadget
++        // [databind#2326] (2.9.9)
+         s.add("com.mysql.cj.jdbc.admin.MiniAdmin");
+ 
+-        // [databind#2334]: logback-core
++        // [databind#2334]: logback-core (2.9.9.1)
+         s.add("ch.qos.logback.core.db.DriverManagerConnectionSource");
+ 
+-        // [databind#2341]: jdom/jdom2
++        // [databind#2341]: jdom/jdom2 (2.9.9.1)
+         s.add("org.jdom.transform.XSLTransformer");
+         s.add("org.jdom2.transform.XSLTransformer");
+ 
+-        // [databind#2387]: EHCache
++        // [databind#2387], [databind#2460]: EHCache
+         s.add("net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup");
++        s.add("net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup");
+ 
+         // [databind#2389]: logback/jndi
+         s.add("ch.qos.logback.core.db.JNDIConnectionSource");
+ 
+         // [databind#2410]: HikariCP/metricRegistry config
+         s.add("com.zaxxer.hikari.HikariConfig");
+-
+         // [databind#2449]: and sub-class thereof
+         s.add("com.zaxxer.hikari.HikariDataSource");
+ 
+@@ -129,13 +136,89 @@ public class BeanDeserializerFactory
+         s.add("org.apache.commons.configuration.JNDIConfiguration");
+         s.add("org.apache.commons.configuration2.JNDIConfiguration");
+ 
+-        // [databind#2469]: xalan2
++        // [databind#2469]: xalan
+         s.add("org.apache.xalan.lib.sql.JNDIConnectionPool");
++        // [databind#2704]: xalan2
++        s.add("com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool");
+ 
+         // [databind#2478]: comons-dbcp, p6spy
++        s.add("org.apache.commons.dbcp.datasources.PerUserPoolDataSource");
+         s.add("org.apache.commons.dbcp.datasources.SharedPoolDataSource");
+         s.add("com.p6spy.engine.spy.P6DataSource");
+ 
++        // [databind#2498]: log4j-extras (1.2)
++        s.add("org.apache.log4j.receivers.db.DriverManagerConnectionSource");
++        s.add("org.apache.log4j.receivers.db.JNDIConnectionSource");
++
++        // [databind#2526]: some more ehcache
++        s.add("net.sf.ehcache.transaction.manager.selector.GenericJndiSelector");
++        s.add("net.sf.ehcache.transaction.manager.selector.GlassfishSelector");
++
++        // [databind#2620]: xbean-reflect
++        s.add("org.apache.xbean.propertyeditor.JndiConverter");
++
++        // [databind#2631]: shaded hikari-config
++        s.add("org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig");
++
++        // [databind#2634]: ibatis-sqlmap, anteros-core
++        s.add("com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig");
++        s.add("br.com.anteros.dbcp.AnterosDBCPConfig");
++
++        // [databind#2642]: javax.swing (jdk)
++        s.add("javax.swing.JEditorPane");
++
++        // [databind#2648], [databind#2653]: shire-core
++        s.add("org.apache.shiro.realm.jndi.JndiRealmFactory");
++        s.add("org.apache.shiro.jndi.JndiObjectFactory");
++
++        // [databind#2658]: ignite-jta (, quartz-core)
++        s.add("org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup");
++        s.add("org.apache.ignite.cache.jta.jndi.CacheJndiTmFactory");
++        s.add("org.quartz.utils.JNDIConnectionProvider");
++
++        // [databind#2659]: aries.transaction.jms
++        s.add("org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory");
++        s.add("org.apache.aries.transaction.jms.RecoverablePooledConnectionFactory");
++
++        // [databind#2660]: caucho-quercus
++        s.add("com.caucho.config.types.ResourceRef");
++
++        // [databind#2662]: aoju/bus-proxy
++        s.add("org.aoju.bus.proxy.provider.RmiProvider");
++        s.add("org.aoju.bus.proxy.provider.remoting.RmiProvider");
++
++        // [databind#2664]: activemq-core, activemq-pool, activemq-pool-jms
++
++        s.add("org.apache.activemq.ActiveMQConnectionFactory"); // core
++        s.add("org.apache.activemq.ActiveMQXAConnectionFactory");
++        s.add("org.apache.activemq.spring.ActiveMQConnectionFactory");
++        s.add("org.apache.activemq.spring.ActiveMQXAConnectionFactory");
++        s.add("org.apache.activemq.pool.JcaPooledConnectionFactory"); // pool
++        s.add("org.apache.activemq.pool.PooledConnectionFactory");
++        s.add("org.apache.activemq.pool.XaPooledConnectionFactory");
++        s.add("org.apache.activemq.jms.pool.XaPooledConnectionFactory"); // pool-jms
++        s.add("org.apache.activemq.jms.pool.JcaPooledConnectionFactory");
++        // [databind#2666]: apache/commons-jms
++        s.add("org.apache.commons.proxy.provider.remoting.RmiProvider");
++
++        // [databind#2682]: commons-jelly
++        s.add("org.apache.commons.jelly.impl.Embedded");
++
++        // [databind#2688]: apache/drill
++        s.add("oadd.org.apache.xalan.lib.sql.JNDIConnectionPool");
++
++        // [databind#2698]: weblogic w/ oracle/aq-jms
++        // (note: dependency not available via Maven Central, but as part of
++        // weblogic installation, possibly fairly old version(s))
++        s.add("oracle.jms.AQjmsQueueConnectionFactory");
++        s.add("oracle.jms.AQjmsXATopicConnectionFactory");
++        s.add("oracle.jms.AQjmsTopicConnectionFactory");
++        s.add("oracle.jms.AQjmsXAQueueConnectionFactory");
++        s.add("oracle.jms.AQjmsXAConnectionFactory");
++
++        // [databind#2764]: org.jsecurity:
++        s.add("org.jsecurity.realm.jndi.JndiRealmFactory");
++
+         DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
+     }
+ 
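Review bot: the region at `+@@ -69,10 +70,14 @@` turns an active deny-list entry into a comment (`+//s.add("org.springframework.aop.support.AbstractBeanFactoryPointcutAdvisor"); // deprecated by [databind#1855]`) and nothing else in the patch adds an entry covering that class, so this backport drops one existing protection while adding others; either keep the entry or state in the patch header why it is safe to drop in 2.8.6. The three commented-out lines (that Spring one and the two `com.mchange.v2.c3p0` ones) also start at column 0 while the surrounding block is indented eight spaces, and the region at `+@@ -54,6 +54,7 @@` adds only a blank line, which is noise in a security backport. Two comment labels in the last region do not match the classes beneath them: `// [databind#2648], [databind#2653]: shire-core` (the package is `org.apache.shiro`) and `// [databind#2666]: apache/commons-jms` (the class is `org.apache.commons.proxy.provider.remoting.RmiProvider`); fixing the labels keeps the list greppable by library name. Finally, `DEFAULT_NO_DESER_CLASS_NAMES` is a deny list and only covers gadget classes known when it was written, so the patch header should record the upstream version the additions were copied from so that later backports can be diffed against it.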
diff -Nru jackson-databind-2.8.6/debian/patches/series jackson-databind-2.8.6/debian/patches/series
--- jackson-databind-2.8.6/debian/patches/series	2019-10-05 19:21:48.000000000 +0200
+++ jackson-databind-2.8.6/debian/patches/series	2020-07-09 16:42:01.000000000 +0200
@@ -11,3 +11,4 @@
 CVE-2018-19360.patch
 CVE-2019-12086.patch
 polymorphic-typing-issues.patch
+multiple-CVE-BeanDeserializerFactory.patch

--- End Message ---
--- Begin Message ---
Package: release.debian.org
Version: 9.13

Hi,

All of these requests relate to updates that were included in today's
stretch point release.

Regards,

Adam

--- End Message ---
