Import Debian changes 2.4.2-2+deb8u7
jackson-databind (2.4.2-2+deb8u7) jessie-security; urgency=high
* Non-maintainer upload by the LTS team.
* More Polymorphic Typing issues were discovered in jackson-databind. When
Default Typing is enabled (either globally or for a specific property) for an
externally exposed JSON endpoint and the service has JDOM 1.x or 2.x or
logback-core jar in the classpath, an attacker can send a specifically
crafted JSON message that allows them to read arbitrary local files on the
server.
Markus Koschany
4 years ago
|
0 |
jackson-databind (2.4.2-2+deb8u7) jessie-security; urgency=high
|
|
1 |
|
|
2 |
* Non-maintainer upload by the LTS team.
|
|
3 |
* More Polymorphic Typing issues were discovered in jackson-databind. When
|
|
4 |
Default Typing is enabled (either globally or for a specific property) for an
|
|
5 |
externally exposed JSON endpoint and the service has JDOM 1.x or 2.x or
|
|
6 |
logback-core jar in the classpath, an attacker can send a specifically
|
|
7 |
crafted JSON message that allows them to read arbitrary local files on the
|
|
8 |
server.
|
|
9 |
|
|
10 |
-- Markus Koschany <apo@debian.org> Fri, 21 Jun 2019 14:16:32 +0200
|
|
11 |
|
0 | 12 |
jackson-databind (2.4.2-2+deb8u6) jessie-security; urgency=high
|
1 | 13 |
|
2 | 14 |
* Non-maintainer upload by the LTS team.
|
|
0 |
From: Markus Koschany <apo@debian.org>
|
|
1 |
Date: Fri, 21 Jun 2019 14:07:20 +0200
|
|
2 |
Subject: CVE-2019-12384
|
|
3 |
|
|
4 |
Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930750
|
|
5 |
Origin: https://github.com/FasterXML/jackson-databind/commit/c9ef4a10d6f6633cf470d6a469514b68fa2be234
|
|
6 |
---
|
|
7 |
.../com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java | 3 +++
|
|
8 |
1 file changed, 3 insertions(+)
|
|
9 |
|
|
10 |
diff --git a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
|
|
11 |
index 0ed0d5e..a79b829 100644
|
|
12 |
--- a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
|
|
13 |
+++ b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
|
|
14 |
@@ -109,6 +109,9 @@ public class BeanDeserializerFactory
|
|
15 |
// [databind#2326] (2.9.9): one more 3rd party gadget
|
|
16 |
s.add("com.mysql.cj.jdbc.admin.MiniAdmin");
|
|
17 |
|
|
18 |
+ // [databind#2334] (2.9.9.1): logback-core
|
|
19 |
+ s.add("ch.qos.logback.core.db.DriverManagerConnectionSource");
|
|
20 |
+
|
|
21 |
DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
|
|
22 |
}
|
|
23 |
|
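Review bot: The comment on the new denylist entry carries upstream's release tag, `// [databind#2334] (2.9.9.1): logback-core`, which has no meaning in this 2.4.2 backport and is rewritten again by CVE-2019-12814.patch in the same upload; writing it as `// [databind#2334]: logback-core` here would let the second patch be a pure addition. The entry itself mirrors the Origin commit and lists one fully qualified class name, so — assuming the lookup compares full names, as it presumably does since the set is built from strings — it covers exactly that class and nothing else in logback-core; the denylist stays a per-gadget mitigation and does not change the risk of enabling default typing on externally supplied JSON. The static initializer this hunk edits starts outside the hunk; only its closing brace is visible as the last context line. The DEP-3 header's `Subject: CVE-2019-12384` could state what is blocked, e.g. `Subject: CVE-2019-12384: deny logback-core DriverManagerConnectionSource gadget`, and the same applies to the header of CVE-2019-12814.patch.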
|
0 |
From: Markus Koschany <apo@debian.org>
|
|
1 |
Date: Fri, 21 Jun 2019 14:14:41 +0200
|
|
2 |
Subject: CVE-2019-12814
|
|
3 |
|
|
4 |
Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930750
|
|
5 |
Origin: https://github.com/FasterXML/jackson-databind/commit/5f7c69bba07a7155adde130d9dee2e54a54f1fa5
|
|
6 |
---
|
|
7 |
.../fasterxml/jackson/databind/deser/BeanDeserializerFactory.java | 6 +++++-
|
|
8 |
1 file changed, 5 insertions(+), 1 deletion(-)
|
|
9 |
|
|
10 |
diff --git a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
|
|
11 |
index a79b829..be487b3 100644
|
|
12 |
--- a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
|
|
13 |
+++ b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
|
|
14 |
@@ -109,9 +109,13 @@ public class BeanDeserializerFactory
|
|
15 |
// [databind#2326] (2.9.9): one more 3rd party gadget
|
|
16 |
s.add("com.mysql.cj.jdbc.admin.MiniAdmin");
|
|
17 |
|
|
18 |
- // [databind#2334] (2.9.9.1): logback-core
|
|
19 |
+ // [databind#2334]: logback-core
|
|
20 |
s.add("ch.qos.logback.core.db.DriverManagerConnectionSource");
|
|
21 |
|
|
22 |
+ // [databind#2341]: jdom/jdom2
|
|
23 |
+ s.add("org.jdom.transform.XSLTransformer");
|
|
24 |
+ s.add("org.jdom2.transform.XSLTransformer");
|
|
25 |
+
|
|
26 |
DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
|
|
27 |
}
|
|
28 |
|
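Review bot: The removed line `- // [databind#2334] (2.9.9.1): logback-core` is text introduced by CVE-2019-12384.patch, so this patch only applies after that one and the two can no longer be reordered or dropped independently in the series file; leaving the comment alone would make this hunk a pure addition of the two `XSLTransformer` entries and remove that coupling. The hunk header `@@ -109,9 +109,13 @@` likewise counts on the earlier patch's context being present, which is worth a line in the DEP-3 header (for example a note that the patch depends on CVE-2019-12384.patch). The added `org.jdom.transform.XSLTransformer` and `org.jdom2.transform.XSLTransformer` entries match the Origin commit. The enclosing static initializer starts outside the hunk; its closing brace is the last context line.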
10 | 10 |
CVE-2018-14718.patch
|
11 | 11 |
CVE-2018-19360.patch
|
12 | 12 |
CVE-2019-12086.patch
|
|
13 |
CVE-2019-12384.patch
|
|
14 |
CVE-2019-12814.patch
|