-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : jackson-databind
Version        : 2.4.2-2+deb8u6
CVE ID         : CVE-2019-12086
Debian Bug     : 929177
A Polymorphic Typing issue was discovered in jackson-databind, a JSON library for Java. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint, the service has the mysql-connector-java jar (8.0.14 or earlier) in the classpath, and an attacker can host a crafted MySQL server reachable by the victim, the attacker can send a crafted JSON message that allows them to read arbitrary local files on the server. This occurs because of missing com.mysql.cj.jdbc.admin.MiniAdmin validation.

For Debian 8 "Jessie", this problem has been fixed in version 2.4.2-2+deb8u6.

We recommend that you upgrade your jackson-databind packages.

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS
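The root condition in this advisory is Default Typing on an endpoint-facing ObjectMapper. The following added example (not Debian's or Jackson's own code) shows that weak configuration beside a hardened one that keeps default typing off and limits polymorphism to an explicit subtype allow-list; the Command, Ping and Echo types are assumed for illustration.

```java
import com.fasterxml.jackson.annotation.JsonSubTypes;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;

public class DefaultTypingExample {

    // Hypothetical payload type accepted by an externally exposed endpoint.
    // Only the logical names "ping" and "echo" are valid type ids.
    @JsonTypeInfo(use = JsonTypeInfo.Id.NAME, property = "type")
    @JsonSubTypes({
        @JsonSubTypes.Type(value = Ping.class, name = "ping"),
        @JsonSubTypes.Type(value = Echo.class, name = "echo")
    })
    public interface Command {}

    public static class Ping implements Command {}

    public static class Echo implements Command {
        public String text;
    }

    // WEAK: global default typing lets the JSON document name the class to
    // instantiate, so any gadget class on the classpath (for this CVE, the
    // MiniAdmin class from mysql-connector-java) becomes reachable.
    static ObjectMapper weakMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL); // do not do this
        return mapper;
    }

    // HARDENED: default typing stays off (the ObjectMapper default); the
    // only polymorphism is the annotated Command allow-list above.
    static ObjectMapper hardenedMapper() {
        return new ObjectMapper();
    }

    public static void main(String[] args) throws Exception {
        Command ok = hardenedMapper().readValue("{\"type\":\"echo\",\"text\":\"hi\"}", Command.class);
        System.out.println(ok.getClass().getSimpleName()); // Echo

        // A document that tries to name an arbitrary class is rejected,
        // because "type" must match a registered logical name.
        try {
            hardenedMapper().readValue("{\"type\":\"com.example.SomeGadget\"}", Command.class);
        } catch (JsonMappingException e) {
            System.out.println("rejected: " + e.getOriginalMessage());
        }
    }
}
```

Keeping default typing off blocks every class-name-driven gadget, not only the one named in this advisory; upgrading the package remains necessary for code paths that do enable it.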