- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: buster-pu: package jackson-databind/2.9.8-3+deb10u1
- From: Markus Koschany <apo@debian.org>
- Date: Thu, 09 Jul 2020 17:33:37 +0200
- Message-id: <159430881740.25699.7984645511618550470.reportbug@spike>
Package: release.debian.org
Severity: normal
Tags: buster
User: release.debian.org@packages.debian.org
Usertags: pu
Dear release team,
I would like to update jackson-databind in Buster. It is currently
affected by 20 CVEs, all of which the security team has marked as no-dsa.
I have added a patch that extends the blacklist to block more classes
from polymorphic deserialization.
Regards,
Markus
diff -Nru jackson-databind-2.9.8/debian/changelog jackson-databind-2.9.8/debian/changelog
--- jackson-databind-2.9.8/debian/changelog 2019-10-05 19:39:24.000000000 +0200
+++ jackson-databind-2.9.8/debian/changelog 2020-07-09 17:21:32.000000000 +0200
@@ -1,9 +1,22 @@
+jackson-databind (2.9.8-3+deb10u2) buster; urgency=medium
+
+ * Add multiple-CVE-BeanDeserializerFactory.patch and block more classes from
+ polymorphic deserialization.
+ This fixes 20 CVE that currently affect the package namely,
+ CVE-2020-9548, CVE-2020-9547, CVE-2020-9546, CVE-2020-8840, CVE-2020-14195,
+ CVE-2020-14062, CVE-2020-14061, CVE-2020-14060, CVE-2020-11620,
+ CVE-2020-11619, CVE-2020-11113, CVE-2020-11112, CVE-2020-11111,
+ CVE-2020-10969, CVE-2020-10968, CVE-2020-10673, CVE-2020-10672,
+ CVE-2019-20330, CVE-2019-17531 and CVE-2019-17267.
+
+ -- Markus Koschany <apo@debian.org> Thu, 09 Jul 2020 17:21:32 +0200
+
jackson-databind (2.9.8-3+deb10u1) buster-security; urgency=high
- * Fix CVE-2019-12384, CVE-2019-14439, CVE-2019-14540, CVE-2019-16335,
+ * Fix CVE-2019-12384, CVE-2019-14439, CVE-2019-14540, CVE-2019-16335,
CVE-2019-16942 and CVE-2019-16943. Several deserialization flaws
- were discovered in jackson-databind which could allow an
- unauthenticated user to perform code execution. The issue was
+ were discovered in jackson-databind which could allow an
+ unauthenticated user to perform code execution. The issue was
resolved by extending the blacklist and blocking more classes from
polymorphic deserialization.
diff -Nru jackson-databind-2.9.8/debian/patches/multiple-CVE-SubTypeValidator.patch jackson-databind-2.9.8/debian/patches/multiple-CVE-SubTypeValidator.patch
--- jackson-databind-2.9.8/debian/patches/multiple-CVE-SubTypeValidator.patch 1970-01-01 01:00:00.000000000 +0100
+++ jackson-databind-2.9.8/debian/patches/multiple-CVE-SubTypeValidator.patch 2020-07-09 17:21:32.000000000 +0200
@@ -0,0 +1,151 @@
+From: Markus Koschany <apo@debian.org>
+Date: Thu, 9 Jul 2020 16:54:40 +0200
+Subject: multiple CVE SubTypeValidator
+
+This is the fix for
+CVE-2020-9548, CVE-2020-9547, CVE-2020-9546, CVE-2020-8840, CVE-2020-14195,
+CVE-2020-14062, CVE-2020-14061, CVE-2020-14060, CVE-2020-11620, CVE-2020-11619,
+CVE-2020-11113, CVE-2020-11112, CVE-2020-11111, CVE-2020-10969, CVE-2020-10968,
+CVE-2020-10673, CVE-2020-10672, CVE-2019-20330, CVE-2019-17531 and
+CVE-2019-17267.
+---
+ .../databind/jsontype/impl/SubTypeValidator.java | 93 ++++++++++++++++++++--
+ 1 file changed, 87 insertions(+), 6 deletions(-)
+
+diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+index d638af9..1d091a7 100644
+--- a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
++++ b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+@@ -49,6 +49,9 @@ public class SubTypeValidator
+ // [databind#1737]; 3rd party
+ //s.add("org.springframework.aop.support.AbstractBeanFactoryPointcutAdvisor"); // deprecated by [databind#1855]
+ s.add("org.springframework.beans.factory.config.PropertyPathFactoryBean");
++ // [databind#2680]
++ s.add("org.springframework.aop.config.MethodLocatingFactoryBean");
++ s.add("org.springframework.beans.factory.config.BeanReferenceFactoryBean");
+
+ // s.add("com.mchange.v2.c3p0.JndiRefForwardingDataSource"); // deprecated by [databind#1931]
+ // s.add("com.mchange.v2.c3p0.WrapperConnectionPoolDataSource"); // - "" -
+@@ -74,24 +77,26 @@ public class SubTypeValidator
+ s.add("com.sun.deploy.security.ruleset.DRSHelper");
+ s.add("org.apache.axis2.jaxws.spi.handler.HandlerResolverImpl");
+
+- // [databind#2186]: yet more 3rd party gadgets
++ // [databind#2186], [databind#2670]: yet more 3rd party gadgets
+ s.add("org.jboss.util.propertyeditor.DocumentEditor");
+ s.add("org.apache.openjpa.ee.RegistryManagedRuntime");
+ s.add("org.apache.openjpa.ee.JNDIManagedRuntime");
++ s.add("org.apache.openjpa.ee.WASRegistryManagedRuntime"); // [#2670] addition
+ s.add("org.apache.axis2.transport.jms.JMSOutTransportInfo");
+
+- // [databind#2326] (2.9.9): one more 3rd party gadget
++ // [databind#2326] (2.9.9)
+ s.add("com.mysql.cj.jdbc.admin.MiniAdmin");
+
+- // [databind#2334]: logback-core
++ // [databind#2334]: logback-core (2.9.9.1)
+ s.add("ch.qos.logback.core.db.DriverManagerConnectionSource");
+
+- // [databind#2341]: jdom/jdom2
++ // [databind#2341]: jdom/jdom2 (2.9.9.1)
+ s.add("org.jdom.transform.XSLTransformer");
+ s.add("org.jdom2.transform.XSLTransformer");
+
+- // [databind#2387]: EHCache
++ // [databind#2387], [databind#2460]: EHCache
+ s.add("net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup");
++ s.add("net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup");
+
+ // [databind#2389]: logback/jndi
+ s.add("ch.qos.logback.core.db.JNDIConnectionSource");
+@@ -108,13 +113,89 @@ public class SubTypeValidator
+ s.add("org.apache.commons.configuration.JNDIConfiguration");
+ s.add("org.apache.commons.configuration2.JNDIConfiguration");
+
+- // [databind#2469]: xalan2
++ // [databind#2469]: xalan
+ s.add("org.apache.xalan.lib.sql.JNDIConnectionPool");
++ // [databind#2704]: xalan2
++ s.add("com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool");
+
+ // [databind#2478]: comons-dbcp, p6spy
++ s.add("org.apache.commons.dbcp.datasources.PerUserPoolDataSource");
+ s.add("org.apache.commons.dbcp.datasources.SharedPoolDataSource");
+ s.add("com.p6spy.engine.spy.P6DataSource");
+
++ // [databind#2498]: log4j-extras (1.2)
++ s.add("org.apache.log4j.receivers.db.DriverManagerConnectionSource");
++ s.add("org.apache.log4j.receivers.db.JNDIConnectionSource");
++
++ // [databind#2526]: some more ehcache
++ s.add("net.sf.ehcache.transaction.manager.selector.GenericJndiSelector");
++ s.add("net.sf.ehcache.transaction.manager.selector.GlassfishSelector");
++
++ // [databind#2620]: xbean-reflect
++ s.add("org.apache.xbean.propertyeditor.JndiConverter");
++
++ // [databind#2631]: shaded hikari-config
++ s.add("org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig");
++
++ // [databind#2634]: ibatis-sqlmap, anteros-core
++ s.add("com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig");
++ s.add("br.com.anteros.dbcp.AnterosDBCPConfig");
++
++ // [databind#2642]: javax.swing (jdk)
++ s.add("javax.swing.JEditorPane");
++
++ // [databind#2648], [databind#2653]: shire-core
++ s.add("org.apache.shiro.realm.jndi.JndiRealmFactory");
++ s.add("org.apache.shiro.jndi.JndiObjectFactory");
++
++ // [databind#2658]: ignite-jta (, quartz-core)
++ s.add("org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup");
++ s.add("org.apache.ignite.cache.jta.jndi.CacheJndiTmFactory");
++ s.add("org.quartz.utils.JNDIConnectionProvider");
++
++ // [databind#2659]: aries.transaction.jms
++ s.add("org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory");
++ s.add("org.apache.aries.transaction.jms.RecoverablePooledConnectionFactory");
++
++ // [databind#2660]: caucho-quercus
++ s.add("com.caucho.config.types.ResourceRef");
++
++ // [databind#2662]: aoju/bus-proxy
++ s.add("org.aoju.bus.proxy.provider.RmiProvider");
++ s.add("org.aoju.bus.proxy.provider.remoting.RmiProvider");
++
++ // [databind#2664]: activemq-core, activemq-pool, activemq-pool-jms
++
++ s.add("org.apache.activemq.ActiveMQConnectionFactory"); // core
++ s.add("org.apache.activemq.ActiveMQXAConnectionFactory");
++ s.add("org.apache.activemq.spring.ActiveMQConnectionFactory");
++ s.add("org.apache.activemq.spring.ActiveMQXAConnectionFactory");
++ s.add("org.apache.activemq.pool.JcaPooledConnectionFactory"); // pool
++ s.add("org.apache.activemq.pool.PooledConnectionFactory");
++ s.add("org.apache.activemq.pool.XaPooledConnectionFactory");
++ s.add("org.apache.activemq.jms.pool.XaPooledConnectionFactory"); // pool-jms
++ s.add("org.apache.activemq.jms.pool.JcaPooledConnectionFactory");
++ // [databind#2666]: apache/commons-jms
++ s.add("org.apache.commons.proxy.provider.remoting.RmiProvider");
++
++ // [databind#2682]: commons-jelly
++ s.add("org.apache.commons.jelly.impl.Embedded");
++
++ // [databind#2688]: apache/drill
++ s.add("oadd.org.apache.xalan.lib.sql.JNDIConnectionPool");
++
++ // [databind#2698]: weblogic w/ oracle/aq-jms
++ // (note: dependency not available via Maven Central, but as part of
++ // weblogic installation, possibly fairly old version(s))
++ s.add("oracle.jms.AQjmsQueueConnectionFactory");
++ s.add("oracle.jms.AQjmsXATopicConnectionFactory");
++ s.add("oracle.jms.AQjmsTopicConnectionFactory");
++ s.add("oracle.jms.AQjmsXAQueueConnectionFactory");
++ s.add("oracle.jms.AQjmsXAConnectionFactory");
++
++ // [databind#2764]: org.jsecurity:
++ s.add("org.jsecurity.realm.jndi.JndiRealmFactory");
++
+ DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
+ }
+
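Review bot: The DEP-3 header at the top of the new patch (the From/Date/Subject lines) names the 20 CVEs but carries no `Origin:` or `Bug:` field pointing at the upstream jackson-databind commits these entries were backported from, which is what a reviewer needs to check that every listed CVE is actually covered by an added class name. Consider adding `Origin: backport, <UPSTREAM-COMMIT-URL>` and `Bug-Debian: <DEBIAN-BUG-URL>` above the `---` separator, with the placeholders filled in. The fix is a denylist of known gadget class names in the initializer block that ends with `DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);`, so it only covers the gadgets listed and leaves default typing on untrusted JSON as the underlying risk; a one-line remark to that effect in the header would help future maintainers judge the residual exposure. The comment `// [databind#2648], [databind#2653]: shire-core` presumably means shiro-core, matching the two org.apache.shiro class names added under it. The initializer block this hunk edits starts outside the hunk; only its closing `}` is visible.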
diff -Nru jackson-databind-2.9.8/debian/patches/series jackson-databind-2.9.8/debian/patches/series
--- jackson-databind-2.9.8/debian/patches/series 2019-10-05 19:39:24.000000000 +0200
+++ jackson-databind-2.9.8/debian/patches/series 2020-07-09 17:21:32.000000000 +0200
@@ -2,3 +2,4 @@
CVE-2019-12384.patch
CVE-2019-12814.patch
polymorphic-typing-issues.patch
+multiple-CVE-SubTypeValidator.patch
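Review bot: The patch name added here, `multiple-CVE-SubTypeValidator.patch`, does not match the name recorded in the new changelog entry, `multiple-CVE-BeanDeserializerFactory.patch`, so the changelog points at a file that is not shipped. The file actually added under debian/patches is the SubTypeValidator one, so the changelog line is the one to correct: ` * Add multiple-CVE-SubTypeValidator.patch and block more classes from`. Without this fix anyone auditing the upload by changelog will look for a patch that does not exist.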