Your message dated Tue, 27 Mar 2018 18:58:26 +0000
with message-id <e1f0tne-0006ih...@fasolo.debian.org>
and subject line Bug#891614: fixed in jackson-databind 2.9.5-1
has caused the Debian Bug report #891614,
regarding jackson-databind: CVE-2018-7489: incomplete fix for CVE-2017-7525 permits unsafe serialization via c3p0 libraries
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
891614: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=891614
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: jackson-databind
Version: 2.9.4-1
Severity: grave
Tags: patch security upstream
Justification: user security hole
Forwarded: https://github.com/FasterXML/jackson-databind/issues/1931

Hi,

the following vulnerability was published for jackson-databind.

CVE-2018-7489[0]:
| FasterXML jackson-databind before 2.8.11.1 and 2.9.x before 2.9.5
| allows unauthenticated remote code execution because of an incomplete
| fix for the CVE-2017-7525 deserialization flaw. This is exploitable by
| sending maliciously crafted JSON input to the readValue method of the
| ObjectMapper, bypassing a blacklist that is ineffective if the c3p0
| libraries are available in the classpath.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-7489
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7489
[1] https://github.com/FasterXML/jackson-databind/issues/1931
[2] https://github.com/FasterXML/jackson-databind/commit/6799f8f10cc78e9af6d443ed6982d00a13f2e7d2

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: jackson-databind
Source-Version: 2.9.5-1

We believe that the bug you reported is fixed in the latest version of
jackson-databind, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 891...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <a...@debian.org> (supplier of updated jackson-databind package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 27 Mar 2018 17:36:36 +0200
Source: jackson-databind
Binary: libjackson2-databind-java libjackson2-databind-java-doc
Architecture: source
Version: 2.9.5-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintain...@lists.alioth.debian.org>
Changed-By: Markus Koschany <a...@debian.org>
Description:
 libjackson2-databind-java - fast and powerful JSON library for Java -- data binding
 libjackson2-databind-java-doc - Documentation for jackson-databind
Closes: 891614
Changes:
 jackson-databind (2.9.5-1) unstable; urgency=medium
 .
   * Team upload.
   * New upstream version 2.9.5.
     - Fix CVE-2018-7489: incomplete fix for CVE-2017-7525 permits unsafe
       serialization via c3p0 libraries. (Closes: #891614)
   * Remove --has-package-version flag.


--- End Message ---
