jackson-databind / 49053a2
Import Debian changes 2.4.2-2+deb8u7 jackson-databind (2.4.2-2+deb8u7) jessie-security; urgency=high * Non-maintainer upload by the LTS team. * More Polymorphic Typing issues were discovered in jackson-databind. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has JDOM 1.x or 2.x or logback-core jar in the classpath, an attacker can send a specifically crafted JSON message that allows them to read arbitrary local files on the server. Markus Koschany 4 years ago
4 changed file(s) with 67 addition(s) and 0 deletion(s).
0 jackson-databind (2.4.2-2+deb8u7) jessie-security; urgency=high
1
2 * Non-maintainer upload by the LTS team.
3 * More Polymorphic Typing issues were discovered in jackson-databind. When
4 Default Typing is enabled (either globally or for a specific property) for an
5 externally exposed JSON endpoint and the service has JDOM 1.x or 2.x or
6 logback-core jar in the classpath, an attacker can send a specifically
7 crafted JSON message that allows them to read arbitrary local files on the
8 server.
9
10 -- Markus Koschany <apo@debian.org> Fri, 21 Jun 2019 14:16:32 +0200
11
012 jackson-databind (2.4.2-2+deb8u6) jessie-security; urgency=high
113
214 * Non-maintainer upload by the LTS team.
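Review bot: the new changelog entry (lines 2-8 of the hunk) describes the issues but never names them, while the two patches added in this upload are titled CVE-2019-12384 and CVE-2019-12814 and both reference Debian bug #930750; add the CVE identifiers and the bug number to the changelog text (for example "* Fix CVE-2019-12384 and CVE-2019-12814 (Closes: #930750)") so the security tracker and the changelog agree on what this upload fixes.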
0 From: Markus Koschany <apo@debian.org>
1 Date: Fri, 21 Jun 2019 14:07:20 +0200
2 Subject: CVE-2019-12384
3
4 Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930750
5 Origin: https://github.com/FasterXML/jackson-databind/commit/c9ef4a10d6f6633cf470d6a469514b68fa2be234
6 ---
7 .../com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java | 3 +++
8 1 file changed, 3 insertions(+)
9
10 diff --git a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
11 index 0ed0d5e..a79b829 100644
12 --- a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
13 +++ b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
14 @@ -109,6 +109,9 @@ public class BeanDeserializerFactory
15 // [databind#2326] (2.9.9): one more 3rd party gadget
16 s.add("com.mysql.cj.jdbc.admin.MiniAdmin");
17
18 + // [databind#2334] (2.9.9.1): logback-core
19 + s.add("ch.qos.logback.core.db.DriverManagerConnectionSource");
20 +
21 DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
22 }
23
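Review bot: the version tag in the added comment `+ // [databind#2334] (2.9.9.1): logback-core` refers to the upstream 2.9.9.1 release, which does not correspond to this 2.4.2-based package, and the very next patch in the series rewrites the same line to drop it; remove the tag here so the two patches do not churn one comment line. The substantive change, adding `ch.qos.logback.core.db.DriverManagerConnectionSource` to the set that becomes `DEFAULT_NO_DESER_CLASS_NAMES`, matches the linked upstream commit; note in the patch header that this is a denylist entry, so it only blocks the named gadget class and the changelog's condition ("When Default Typing is enabled ... for an externally exposed JSON endpoint") remains the real risk factor for deployments.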
0 From: Markus Koschany <apo@debian.org>
1 Date: Fri, 21 Jun 2019 14:14:41 +0200
2 Subject: CVE-2019-12814
3
4 Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930750
5 Origin: https://github.com/FasterXML/jackson-databind/commit/5f7c69bba07a7155adde130d9dee2e54a54f1fa5
6 ---
7 .../fasterxml/jackson/databind/deser/BeanDeserializerFactory.java | 6 +++++-
8 1 file changed, 5 insertions(+), 1 deletion(-)
9
10 diff --git a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
11 index a79b829..be487b3 100644
12 --- a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
13 +++ b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
14 @@ -109,9 +109,13 @@ public class BeanDeserializerFactory
15 // [databind#2326] (2.9.9): one more 3rd party gadget
16 s.add("com.mysql.cj.jdbc.admin.MiniAdmin");
17
18 - // [databind#2334] (2.9.9.1): logback-core
19 + // [databind#2334]: logback-core
20 s.add("ch.qos.logback.core.db.DriverManagerConnectionSource");
21
22 + // [databind#2341]: jdom/jdom2
23 + s.add("org.jdom.transform.XSLTransformer");
24 + s.add("org.jdom2.transform.XSLTransformer");
25 +
26 DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
27 }
28
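Review bot: the `-`/`+` pair on the logback-core comment line only strips the "(2.9.9.1)" tag introduced by the preceding patch and carries no code change; folding that edit into CVE-2019-12384.patch would leave this patch containing only its own fix, the two new `s.add("org.jdom.transform.XSLTransformer")` and `s.add("org.jdom2.transform.XSLTransformer")` entries. As with the previous patch, the header should state that these are additions to the `DEFAULT_NO_DESER_CLASS_NAMES` denylist from the linked upstream commit, so that a reviewer does not mistake the patch for a change to how default typing itself is handled.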
1010 CVE-2018-14718.patch
1111 CVE-2018-19360.patch
1212 CVE-2019-12086.patch
13 CVE-2019-12384.patch
14 CVE-2019-12814.patch
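Review bot: the order of the two new entries in the series is not optional: CVE-2019-12814.patch carries `index a79b829..be487b3`, whose base blob a79b829 is the post-image of CVE-2019-12384.patch (`index 0ed0d5e..a79b829`), and it also modifies the comment line that the first patch adds, so swapping or dropping one of them would make the other fail to apply; worth a short note in the patch headers (or the changelog) that the two are a pair.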