Bug#929457: marked as done (unblock: jackson-databind/2.9.8-2)

[Debian Bug Tracking System]

Your message dated Thu, 23 May 2019 20:15:00 +0000
with message-id <0242fa58-0b4d-69e1-0300-47449c407...@thykier.net>
and subject line Re: Bug#929457: unblock: jackson-databind/2.9.8-2
has caused the Debian Bug report #929457,
regarding unblock: jackson-databind/2.9.8-2
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
929457: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929457
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---

Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock

Please unblock package jackson-databind

Hi,

I have fixed CVE-2019-12086 in jackson-databind. Please find attached
the debdiff.

Regards,

Markus


unblock jackson-databind/2.9.8-2

-- System Information:
Debian Release: 10.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-9-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), 
LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: unable to detect

diff -Nru jackson-databind-2.9.8/debian/changelog 
jackson-databind-2.9.8/debian/changelog
--- jackson-databind-2.9.8/debian/changelog     2018-12-30 11:03:14.000000000 
+0100
+++ jackson-databind-2.9.8/debian/changelog     2019-05-18 20:31:28.000000000 
+0200
@@ -1,3 +1,18 @@
+jackson-databind (2.9.8-2) unstable; urgency=medium
+
+  * Team upload.
+  * Fix CVE-2019-12086:
+    A Polymorphic Typing issue was discovered in jackson-databind. When
+    Default Typing is enabled (either globally or for a specific property) for
+    an externally exposed JSON endpoint, the service has the
+    mysql-connector-java jar (8.0.14 or earlier) in the classpath, and an
+    attacker can host a crafted MySQL server reachable by the victim, an
+    attacker can send a crafted JSON message that allows them to read arbitrary
+    local files on the server. This occurs because of missing
+    com.mysql.cj.jdbc.admin.MiniAdmin validation. (Closes: #929177)
+
+ -- Markus Koschany <a...@debian.org>  Sat, 18 May 2019 20:31:28 +0200
+
 jackson-databind (2.9.8-1) unstable; urgency=medium
 
   * Team upload.
diff -Nru jackson-databind-2.9.8/debian/patches/CVE-2019-12086.patch 
jackson-databind-2.9.8/debian/patches/CVE-2019-12086.patch
--- jackson-databind-2.9.8/debian/patches/CVE-2019-12086.patch  1970-01-01 
01:00:00.000000000 +0100
+++ jackson-databind-2.9.8/debian/patches/CVE-2019-12086.patch  2019-05-18 
20:31:28.000000000 +0200
@@ -0,0 +1,25 @@
+From: Markus Koschany <a...@debian.org>
+Date: Sat, 18 May 2019 20:29:23 +0200
+Subject: CVE-2019-12086
+
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929177
+Bug-Upstream: https://github.com/FasterXML/jackson-databind/issues/2326
+Origin: 
https://github.com/FasterXML/jackson-databind/commit/dda513bd7251b4f32b7b60b1c13740e3b5a43024
+---
+ .../com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git 
a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
 
b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+index 30adb94..a17cdf5 100644
+--- 
a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
++++ 
b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+@@ -80,6 +80,9 @@ public class SubTypeValidator
+         s.add("org.apache.openjpa.ee.JNDIManagedRuntime");
+         s.add("org.apache.axis2.transport.jms.JMSOutTransportInfo");
+ 
++        // [databind#2326] (2.9.9): one more 3rd party gadget
++        s.add("com.mysql.cj.jdbc.admin.MiniAdmin");
++
+         DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
+     }
+ 
diff -Nru jackson-databind-2.9.8/debian/patches/series 
jackson-databind-2.9.8/debian/patches/series
--- jackson-databind-2.9.8/debian/patches/series        1970-01-01 
01:00:00.000000000 +0100
+++ jackson-databind-2.9.8/debian/patches/series        2019-05-18 
20:31:28.000000000 +0200
@@ -0,0 +1 @@
+CVE-2019-12086.patch

--- End Message ---

--- Begin Message ---

Markus Koschany:
> Package: release.debian.org
> Severity: normal
> User: release.debian....@packages.debian.org
> Usertags: unblock
> 
> Please unblock package jackson-databind
> 
> Hi,
> 
> I have fixed CVE-2019-12086 in jackson-databind. Please find attached
> the debdiff.
> 
> Regards,
> 
> Markus
> 
> 
> unblock jackson-databind/2.9.8-2
> 
> [...]

Unblocked, thanks.
~Niels

--- End Message ---