Your message dated Sat, 01 Aug 2020 12:51:28 +0100
with message-id
<43535efb498a168cf81452ca0c326f004f46adc6.ca...@adam-barratt.org.uk>
and subject line Closing bugs for fixes included in 10.5 point release
has caused the Debian Bug report #964726,
regarding buster-pu: package jackson-databind/2.9.8-3+deb10u1
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
964726: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=964726
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: buster
User: [email protected]
Usertags: pu
Dear release team,
I would like to update jackson-databind in Buster. It is currently
affected by 20 CVEs which are deemed no-dsa by the security team.
I have added a patch that extends the blacklist to block more classes
from polymorphic deserialization.
Regards,
Markus
diff -Nru jackson-databind-2.9.8/debian/changelog
jackson-databind-2.9.8/debian/changelog
--- jackson-databind-2.9.8/debian/changelog 2019-10-05 19:39:24.000000000
+0200
+++ jackson-databind-2.9.8/debian/changelog 2020-07-09 17:21:32.000000000
+0200
@@ -1,9 +1,22 @@
+jackson-databind (2.9.8-3+deb10u2) buster; urgency=medium
+
+ * Add multiple-CVE-BeanDeserializerFactory.patch and block more classes from
+ polymorphic deserialization.
+ This fixes 20 CVE that currently affect the package namely,
+ CVE-2020-9548, CVE-2020-9547, CVE-2020-9546, CVE-2020-8840, CVE-2020-14195,
+ CVE-2020-14062, CVE-2020-14061, CVE-2020-14060, CVE-2020-11620,
+ CVE-2020-11619, CVE-2020-11113, CVE-2020-11112, CVE-2020-11111,
+ CVE-2020-10969, CVE-2020-10968, CVE-2020-10673, CVE-2020-10672,
+ CVE-2019-20330, CVE-2019-17531 and CVE-2019-17267.
+
+ -- Markus Koschany <[email protected]> Thu, 09 Jul 2020 17:21:32 +0200
+
jackson-databind (2.9.8-3+deb10u1) buster-security; urgency=high
- * Fix CVE-2019-12384, CVE-2019-14439, CVE-2019-14540, CVE-2019-16335,
+ * Fix CVE-2019-12384, CVE-2019-14439, CVE-2019-14540, CVE-2019-16335,
CVE-2019-16942 and CVE-2019-16943. Several deserialization flaws
- were discovered in jackson-databind which could allow an
- unauthenticated user to perform code execution. The issue was
+ were discovered in jackson-databind which could allow an
+ unauthenticated user to perform code execution. The issue was
resolved by extending the blacklist and blocking more classes from
polymorphic deserialization.
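Review bot: the new changelog entry names the patch `multiple-CVE-BeanDeserializerFactory.patch`, but the file this diff adds and the line appended to debian/patches/series are both `multiple-CVE-SubTypeValidator.patch`; the changelog should name the file that actually exists. The `-`/`+` pairs inside the already-released 2.9.8-3+deb10u1 stanza (`* Fix CVE-2019-12384, ...`, `were discovered in jackson-databind ...`, `unauthenticated user ...`) differ only in whitespace and rewrite a published entry; drop them so the diff carries only the deb10u2 stanza. Minor: "This fixes 20 CVE" reads better as "20 CVEs".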
diff -Nru
jackson-databind-2.9.8/debian/patches/multiple-CVE-SubTypeValidator.patch
jackson-databind-2.9.8/debian/patches/multiple-CVE-SubTypeValidator.patch
--- jackson-databind-2.9.8/debian/patches/multiple-CVE-SubTypeValidator.patch
1970-01-01 01:00:00.000000000 +0100
+++ jackson-databind-2.9.8/debian/patches/multiple-CVE-SubTypeValidator.patch
2020-07-09 17:21:32.000000000 +0200
@@ -0,0 +1,151 @@
+From: Markus Koschany <[email protected]>
+Date: Thu, 9 Jul 2020 16:54:40 +0200
+Subject: multiple CVE SubTypeValidator
+
+This is the fix for
+CVE-2020-9548, CVE-2020-9547, CVE-2020-9546, CVE-2020-8840, CVE-2020-14195,
+CVE-2020-14062, CVE-2020-14061, CVE-2020-14060, CVE-2020-11620, CVE-2020-11619,
+CVE-2020-11113, CVE-2020-11112, CVE-2020-11111, CVE-2020-10969, CVE-2020-10968,
+CVE-2020-10673, CVE-2020-10672, CVE-2019-20330, CVE-2019-17531 and
+CVE-2019-17267.
+---
+ .../databind/jsontype/impl/SubTypeValidator.java | 93 ++++++++++++++++++++--
+ 1 file changed, 87 insertions(+), 6 deletions(-)
+
+diff --git
a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+index d638af9..1d091a7 100644
+---
a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
++++
b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+@@ -49,6 +49,9 @@ public class SubTypeValidator
+ // [databind#1737]; 3rd party
+
//s.add("org.springframework.aop.support.AbstractBeanFactoryPointcutAdvisor");
// deprecated by [databind#1855]
+
s.add("org.springframework.beans.factory.config.PropertyPathFactoryBean");
++ // [databind#2680]
++ s.add("org.springframework.aop.config.MethodLocatingFactoryBean");
++
s.add("org.springframework.beans.factory.config.BeanReferenceFactoryBean");
+
+ // s.add("com.mchange.v2.c3p0.JndiRefForwardingDataSource"); // deprecated by
[databind#1931]
+ // s.add("com.mchange.v2.c3p0.WrapperConnectionPoolDataSource"); // - "" -
+@@ -74,24 +77,26 @@ public class SubTypeValidator
+ s.add("com.sun.deploy.security.ruleset.DRSHelper");
+ s.add("org.apache.axis2.jaxws.spi.handler.HandlerResolverImpl");
+
+- // [databind#2186]: yet more 3rd party gadgets
++ // [databind#2186], [databind#2670]: yet more 3rd party gadgets
+ s.add("org.jboss.util.propertyeditor.DocumentEditor");
+ s.add("org.apache.openjpa.ee.RegistryManagedRuntime");
+ s.add("org.apache.openjpa.ee.JNDIManagedRuntime");
++ s.add("org.apache.openjpa.ee.WASRegistryManagedRuntime"); // [#2670]
addition
+ s.add("org.apache.axis2.transport.jms.JMSOutTransportInfo");
+
+- // [databind#2326] (2.9.9): one more 3rd party gadget
++ // [databind#2326] (2.9.9)
+ s.add("com.mysql.cj.jdbc.admin.MiniAdmin");
+
+- // [databind#2334]: logback-core
++ // [databind#2334]: logback-core (2.9.9.1)
+ s.add("ch.qos.logback.core.db.DriverManagerConnectionSource");
+
+- // [databind#2341]: jdom/jdom2
++ // [databind#2341]: jdom/jdom2 (2.9.9.1)
+ s.add("org.jdom.transform.XSLTransformer");
+ s.add("org.jdom2.transform.XSLTransformer");
+
+- // [databind#2387]: EHCache
++ // [databind#2387], [databind#2460]: EHCache
+
s.add("net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup");
++ s.add("net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup");
+
+ // [databind#2389]: logback/jndi
+ s.add("ch.qos.logback.core.db.JNDIConnectionSource");
+@@ -108,13 +113,89 @@ public class SubTypeValidator
+ s.add("org.apache.commons.configuration.JNDIConfiguration");
+ s.add("org.apache.commons.configuration2.JNDIConfiguration");
+
+- // [databind#2469]: xalan2
++ // [databind#2469]: xalan
+ s.add("org.apache.xalan.lib.sql.JNDIConnectionPool");
++ // [databind#2704]: xalan2
++ s.add("com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool");
+
+ // [databind#2478]: comons-dbcp, p6spy
++ s.add("org.apache.commons.dbcp.datasources.PerUserPoolDataSource");
+ s.add("org.apache.commons.dbcp.datasources.SharedPoolDataSource");
+ s.add("com.p6spy.engine.spy.P6DataSource");
+
++ // [databind#2498]: log4j-extras (1.2)
++ s.add("org.apache.log4j.receivers.db.DriverManagerConnectionSource");
++ s.add("org.apache.log4j.receivers.db.JNDIConnectionSource");
++
++ // [databind#2526]: some more ehcache
++
s.add("net.sf.ehcache.transaction.manager.selector.GenericJndiSelector");
++
s.add("net.sf.ehcache.transaction.manager.selector.GlassfishSelector");
++
++ // [databind#2620]: xbean-reflect
++ s.add("org.apache.xbean.propertyeditor.JndiConverter");
++
++ // [databind#2631]: shaded hikari-config
++ s.add("org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig");
++
++ // [databind#2634]: ibatis-sqlmap, anteros-core
++
s.add("com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig");
++ s.add("br.com.anteros.dbcp.AnterosDBCPConfig");
++
++ // [databind#2642]: javax.swing (jdk)
++ s.add("javax.swing.JEditorPane");
++
++ // [databind#2648], [databind#2653]: shire-core
++ s.add("org.apache.shiro.realm.jndi.JndiRealmFactory");
++ s.add("org.apache.shiro.jndi.JndiObjectFactory");
++
++ // [databind#2658]: ignite-jta (, quartz-core)
++ s.add("org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup");
++ s.add("org.apache.ignite.cache.jta.jndi.CacheJndiTmFactory");
++ s.add("org.quartz.utils.JNDIConnectionProvider");
++
++ // [databind#2659]: aries.transaction.jms
++
s.add("org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory");
++
s.add("org.apache.aries.transaction.jms.RecoverablePooledConnectionFactory");
++
++ // [databind#2660]: caucho-quercus
++ s.add("com.caucho.config.types.ResourceRef");
++
++ // [databind#2662]: aoju/bus-proxy
++ s.add("org.aoju.bus.proxy.provider.RmiProvider");
++ s.add("org.aoju.bus.proxy.provider.remoting.RmiProvider");
++
++ // [databind#2664]: activemq-core, activemq-pool, activemq-pool-jms
++
++ s.add("org.apache.activemq.ActiveMQConnectionFactory"); // core
++ s.add("org.apache.activemq.ActiveMQXAConnectionFactory");
++ s.add("org.apache.activemq.spring.ActiveMQConnectionFactory");
++ s.add("org.apache.activemq.spring.ActiveMQXAConnectionFactory");
++ s.add("org.apache.activemq.pool.JcaPooledConnectionFactory"); // pool
++ s.add("org.apache.activemq.pool.PooledConnectionFactory");
++ s.add("org.apache.activemq.pool.XaPooledConnectionFactory");
++ s.add("org.apache.activemq.jms.pool.XaPooledConnectionFactory"); //
pool-jms
++ s.add("org.apache.activemq.jms.pool.JcaPooledConnectionFactory");
++ // [databind#2666]: apache/commons-jms
++ s.add("org.apache.commons.proxy.provider.remoting.RmiProvider");
++
++ // [databind#2682]: commons-jelly
++ s.add("org.apache.commons.jelly.impl.Embedded");
++
++ // [databind#2688]: apache/drill
++ s.add("oadd.org.apache.xalan.lib.sql.JNDIConnectionPool");
++
++ // [databind#2698]: weblogic w/ oracle/aq-jms
++ // (note: dependency not available via Maven Central, but as part of
++ // weblogic installation, possibly fairly old version(s))
++ s.add("oracle.jms.AQjmsQueueConnectionFactory");
++ s.add("oracle.jms.AQjmsXATopicConnectionFactory");
++ s.add("oracle.jms.AQjmsTopicConnectionFactory");
++ s.add("oracle.jms.AQjmsXAQueueConnectionFactory");
++ s.add("oracle.jms.AQjmsXAConnectionFactory");
++
++ // [databind#2764]: org.jsecurity:
++ s.add("org.jsecurity.realm.jndi.JndiRealmFactory");
++
+ DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
+ }
+
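Review bot: the added comment `// [databind#2648], [databind#2653]: shire-core` should read `shiro-core`, matching the two `org.apache.shiro.*` classes it labels (an upstream typo worth fixing while the patch is carried in Debian). More important for the patch description: every line in this hunk extends a name-based denylist, so the fix stops exactly the class names it lists and no others; the description should say that the update closes the listed CVEs but does not make polymorphic deserialization of untrusted JSON safe, since applications that enable default typing on untrusted input remain exposed to gadget classes discovered after this list was assembled, and the lasting mitigation is not to enable default typing for such input.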
diff -Nru jackson-databind-2.9.8/debian/patches/series
jackson-databind-2.9.8/debian/patches/series
--- jackson-databind-2.9.8/debian/patches/series 2019-10-05
19:39:24.000000000 +0200
+++ jackson-databind-2.9.8/debian/patches/series 2020-07-09
17:21:32.000000000 +0200
@@ -2,3 +2,4 @@
CVE-2019-12384.patch
CVE-2019-12814.patch
polymorphic-typing-issues.patch
+multiple-CVE-SubTypeValidator.patch
--- End Message ---
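The request above describes the fix as extending a denylist of classes that may not be named as polymorphic type ids. The following is an added example, not code from this bug report, the Debian package or the jackson-databind project. It contrasts that denylist-only configuration with the allowlist configuration jackson-databind offers from 2.10 onward, showing that a denylist lets through any class it does not name while an allowlist refuses anything outside the application's own model. It assumes jackson-databind 2.10 or later on the classpath (BasicPolymorphicTypeValidator and activateDefaultTyping do not exist in the 2.9.8 packaged in buster); the class names DefaultTypingDemo, Shape and Circle are hypothetical.

```java
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

import java.io.IOException;

// Added example (not Debian's or the jackson-databind project's code).
// Assumes jackson-databind 2.10 or later on the classpath: BasicPolymorphicTypeValidator
// and activateDefaultTyping() do not exist in the 2.9.8 packaged in buster.
public class DefaultTypingDemo {

    // Hypothetical application model: the only polymorphic base type this application needs.
    public interface Shape {}

    public static class Circle implements Shape {
        public double radius;
    }

    // Weak configuration (2.9 style): global default typing lets the JSON document name the
    // class to instantiate. The only guard is the SubTypeValidator denylist extended by the
    // patch in this bug report, which can stop only the class names it lists.
    @SuppressWarnings("deprecation")
    static ObjectMapper denylistOnlyMapper() {
        return new ObjectMapper().enableDefaultTyping();
    }

    // Hardened configuration (2.10+): an explicit allowlist. A type id is resolved only if
    // the named class is assignable to Shape; anything else is refused before an instance
    // is created, whether or not it appears on any denylist.
    static ObjectMapper allowlistMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(Shape.class)
                .build();
        return new ObjectMapper().activateDefaultTyping(ptv);
    }

    // Returns true if the mapper instantiated whatever class the document named as its
    // type id, false if type-id validation refused it.
    static boolean instantiatesNamedType(ObjectMapper mapper, String json) throws IOException {
        try {
            mapper.readValue(json, Object.class);
            return true;
        } catch (JsonMappingException e) {
            // Both the denylist and the allowlist report a refused type id through a
            // JsonMappingException subclass.
            return false;
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample document: a harmless JDK class given as the type id of an
        // Object-typed value. It is not a gadget; it only shows who chooses the class.
        String untrusted = "[\"java.util.HashMap\",{\"k\":\"v\"}]";

        // java.util.HashMap is on no denylist, so the first mapper instantiates it;
        // it is not a Shape, so the allowlist mapper refuses it.
        System.out.println("denylist-only mapper instantiated java.util.HashMap: "
                + instantiatesNamedType(denylistOnlyMapper(), untrusted));
        System.out.println("allowlist mapper instantiated java.util.HashMap: "
                + instantiatesNamedType(allowlistMapper(), untrusted));

        // Legitimate polymorphic data still round-trips under the allowlist.
        ObjectMapper safe = allowlistMapper();
        Circle c = new Circle();
        c.radius = 2.5;
        String json = safe.writerFor(Shape.class).writeValueAsString(c);
        Shape back = safe.readValue(json, Shape.class);
        System.out.println(json + " -> " + back.getClass().getSimpleName());
    }
}
```

Compile and run with jackson-databind (2.10 or later) and its jackson-core and jackson-annotations dependencies on the classpath. The design point is that the allowlist is keyed to the application's own base type rather than to a catalogue of known-bad class names, so it does not need updating when a new gadget class is found; on a 2.9.x line such as buster's, the equivalent protection is simply not enabling default typing for untrusted input.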
--- Begin Message ---
Package: release.debian.org
Version: 10.5
Hi,
Each of these bugs relates to an update that was included in today's
stable point release.
Regards,
Adam
--- End Message ---