Your message dated Sat, 30 Apr 2022 12:34:15 +0000
with message-id <[email protected]>
and subject line Bug#1007109: fixed in jackson-databind 2.13.2.2-1
has caused the Debian Bug report #1007109,
regarding jackson-databind: CVE-2020-36518 - denial of service via a large depth of nested objects
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1007109: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1007109
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: jackson-databind
Version: 2.13.0-2
Severity: important
Tags: security
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for jackson-databind.

CVE-2020-36518[0]:
| jackson-databind before 2.13.0 allows a Java StackOverflow exception
| and denial of service via a large depth of nested objects.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-36518
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36518

Please adjust the affected versions in the BTS as needed.

The CVE mentions versions before 2.13.0 but the upstream issue remains
open, labelled for 2.14.

-- System Information:
Debian Release: bookworm/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.16.0-3-amd64 (SMP w/16 CPU threads; PREEMPT)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

--- End Message ---
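Added example, written for this page rather than taken from the Debian report or from jackson-databind itself: a Java program that builds the deeply nested payload the CVE describes, pre-screens it with Jackson's streaming parser (which tracks nesting in an explicit context stack rather than on the Java call stack), and only then hands it to ObjectMapper. The class name, the MAX_DEPTH value of 1000 and the 100,000-level payload are assumptions chosen for the demonstration; jackson-databind (with jackson-core) must be on the classpath.

```java
import com.fasterxml.jackson.core.JsonParser;
import com.fasterxml.jackson.core.JsonToken;
import com.fasterxml.jackson.databind.ObjectMapper;

import java.io.IOException;

/**
 * Added example (not part of the Debian bug report or of jackson-databind).
 * Binding JSON into Object recurses once per nesting level inside the untyped
 * deserializer, so a hostile document that is nothing but nested arrays can
 * exhaust the thread stack (CVE-2020-36518). The pre-check below rejects such
 * input before it reaches data binding.
 */
public class NestedJsonDoS {

    // Assumed application-level limit; jackson-databind does not mandate it.
    static final int MAX_DEPTH = 1000;

    /** Constructed payload: `depth` opening brackets followed by `depth` closing ones. */
    static String nested(int depth) {
        StringBuilder sb = new StringBuilder(depth * 2);
        for (int i = 0; i < depth; i++) sb.append('[');
        for (int i = 0; i < depth; i++) sb.append(']');
        return sb.toString();
    }

    /**
     * Walks the token stream and returns the deepest nesting level seen, or
     * throws as soon as the depth exceeds `max`. The streaming parser is
     * iterative, so this scan itself cannot blow the stack.
     */
    static int checkDepth(ObjectMapper mapper, String json, int max) throws IOException {
        int depth = 0, deepest = 0;
        try (JsonParser p = mapper.getFactory().createParser(json)) {
            JsonToken t;
            while ((t = p.nextToken()) != null) {
                if (t.isStructStart()) {            // START_OBJECT or START_ARRAY
                    if (++depth > max) {
                        throw new IOException("nesting depth exceeds " + max
                                + " at " + p.getCurrentLocation());
                    }
                    deepest = Math.max(deepest, depth);
                } else if (t.isStructEnd()) {       // END_OBJECT or END_ARRAY
                    depth--;
                }
            }
        }
        return deepest;
    }

    public static void main(String[] args) throws IOException {
        ObjectMapper mapper = new ObjectMapper();

        // Benign input passes the pre-check and binds normally.
        String ok = "{\"a\":[1,[2,[3]]]}";
        System.out.println("benign depth: " + checkDepth(mapper, ok, MAX_DEPTH));
        System.out.println("bound: " + mapper.readValue(ok, Object.class));

        // Hostile input: 100,000 nested arrays, only ~200 KB on the wire.
        String hostile = nested(100_000);
        try {
            checkDepth(mapper, hostile, MAX_DEPTH);
            System.out.println("pre-check passed (unexpected)");
        } catch (IOException e) {
            System.out.println("rejected before binding: " + e.getMessage());
        }

        // The trigger itself, run without the pre-check so the outcome shows
        // whether the jackson-databind on the classpath is affected.
        try {
            mapper.readValue(hostile, Object.class);
            System.out.println("bound without error: recursion hazard absent");
        } catch (StackOverflowError e) {
            System.out.println("StackOverflowError: affected jackson-databind");
        } catch (IOException e) {
            System.out.println("rejected by the library: " + e.getMessage());
        }
    }
}
```

Run it once with the reported version (2.13.0-2) and once with the upload that closes this bug (2.13.2.2-1): the unchecked bind should overflow on the first and, per the changelog above, no longer on the second. jackson-core 2.15 and later additionally enforce a default nesting limit in the streaming parser, in which case checkDepth surfaces that parser's own exception rather than its message; either way the payload is refused before data binding.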
--- Begin Message ---
Source: jackson-databind
Source-Version: 2.13.2.2-1
Done: Markus Koschany <[email protected]>

We believe that the bug you reported is fixed in the latest version of
jackson-databind, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <[email protected]> (supplier of updated jackson-databind package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 30 Apr 2022 14:05:08 +0200
Source: jackson-databind
Architecture: source
Version: 2.13.2.2-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <[email protected]>
Changed-By: Markus Koschany <[email protected]>
Closes: 1007109
Changes:
 jackson-databind (2.13.2.2-1) unstable; urgency=medium
 .
   * New upstream version 2.13.2.2.
     - Fix CVE-2020-36518: Java StackOverflow exception and denial of service
       via a large depth of nested objects. (Closes: #1007109)
       Thanks to Neil Williams for the report.
Checksums-Sha1:
 805d354466ec13775d44e8c5ac59ab751b51424e 2506 jackson-databind_2.13.2.2-1.dsc
 4660379669c0142483418242c94e97a62784d48b 1065056 jackson-databind_2.13.2.2.orig.tar.xz
 fe9f4682f6312ca855daeafdeafa2522a932f7e6 5460 jackson-databind_2.13.2.2-1.debian.tar.xz
 fa104b1fa161a516f31a54e0a95356e311f275f4 16517 jackson-databind_2.13.2.2-1_amd64.buildinfo
Checksums-Sha256:
 2d363dcdac738fae308f592a225e062554b54216da7aca47d881683fe8f6fa90 2506 jackson-databind_2.13.2.2-1.dsc
 c25b021c193e7993e201604fa3da6f23572344e8d38ef72974badfbd8e5b800b 1065056 jackson-databind_2.13.2.2.orig.tar.xz
 8f6639770f6019eb840d6875daf4b4933e9e347ac902871d01201082dbacb7d5 5460 jackson-databind_2.13.2.2-1.debian.tar.xz
 c5a146b60fc973703ac186b584f597b22cb549607591a6c0af2016998e449df5 16517 jackson-databind_2.13.2.2-1_amd64.buildinfo
Files:
 0dd6db8e88d1f30de5ed2e9a29776fa6 2506 java optional jackson-databind_2.13.2.2-1.dsc
 e8d27c569f101f4bf8df605c62da531b 1065056 java optional jackson-databind_2.13.2.2.orig.tar.xz
 d403124377165097aa93ec7731a53b51 5460 java optional jackson-databind_2.13.2.2-1.debian.tar.xz
 8c9fb32130cc7a492834e0074383f62f 16517 java optional jackson-databind_2.13.2.2-1_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----

iQKjBAEBCgCNFiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAmJtJtdfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQPHGFwb0BkZWJp
YW4ub3JnAAoJENmtFLlRO1HkPnEQAJXIi0Hm9kLoNQrjFOE2b53sMuflvHlHWa9p
K3+TSzNE1KSZit+geZi0OqGGiqZP/ox1KCMsDDrvmSDmV3pFqm/mAu4DBtf79IYr
LJg7w84G7D/Kw8b5gM0QOQr3PgEG1mANennWPHM2mkdASpd/GvQZP2tX8NJb2Dyd
E/dLj8k6esxODYaeT7JP+XgybEZ0OwyJJKzTEEh+nhLz0d3bQNCJ0QPqSsQXLjSg
To1jJHaJgbbbOJXsCq3+FkBUJ5Nd2DzDU9x7Y1iw/A2VhYmchiO1zC4bJ9DSFoRT
32lnrLSimybdlovXM5OI6UBqnw+bx38tb95V9FKKDNJHRtkX2lfQZAD5Uc+7KRUR
LTEwkB1X7hkE3U69txH9rbZA8BhIJv1sVzNlT9xoHH40xM55lLzij8RdU8w8Ttfp
QtI9y+xi456k49eAGIjIFjRsDi6TNDZ7LUk2t2jjv2ge2ZXD46NKytgCT1UM+OcH
sejj48JWYLMPsgP+AsOBPY6KygSLizk9Rv2XIgioufyhBNTX+taBOV5kBB3/Hy2b
bCao+LI0ikx8y7jkCYYcwcPApUtwWFxUwbeI7tTe6VSsNKMP/MqQlhNso+T+gcuf
zxTubbvBFXcDHEC5WymIIU111Hgshh705B2QHA1Ff5QCPbY7HKoe0nVnEjEHB+4O
yjaSdJX3
=NT52
-----END PGP SIGNATURE-----

--- End Message ---