Source: jackson-databind
Version: 2.9.1-1
Severity: grave
Tags: patch security upstream
Forwarded: https://github.com/FasterXML/jackson-databind/issues/1899
Control: found -1 2.8.6-1+deb9u2
Control: found -1 2.4.2-2+deb8u2

Hi,

the following vulnerability was published for jackson-databind.

CVE-2018-5968[0]:
| FasterXML jackson-databind through 2.8.11 and 2.9.x through 2.9.3
| allows unauthenticated remote code execution because of an incomplete
| fix for the CVE-2017-7525 and CVE-2017-17485 deserialization flaws.
| This is exploitable via two different gadgets that bypass a blacklist.

The upstream issue is at [1], with upstrema fix [2]. If I see it
correctly with commit [3] the code was shuffled a bit around, so the
patched file is different in meanwhile. If you disagree on the
analysis, given I'm unfamiliar iwth jackson-databind let me know.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-5968
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5968
[1] https://github.com/FasterXML/jackson-databind/issues/1899
[2] 
https://github.com/FasterXML/jackson-databind/commit/038b471e2efde2e8f96b4e0be958d3e5a1ff1d05
[3] 
https://github.com/FasterXML/jackson-databind/commit/2235894210c75f624a3d0cd60bfb0434a20a18bf

Regards,
Salvatore

__
This is the maintainer address of Debian's Java team
<http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers>. 
Please use
debian-j...@lists.debian.org for discussions and questions.

Reply via email to