Source: jackson-databind Version: 2.9.1-1 Severity: grave Tags: security upstream Forwarded: https://github.com/FasterXML/jackson-databind/issues/1855
Hi, the following vulnerability was published for jackson-databind. CVE-2017-17485[0]: | FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 | allows unauthenticated remote code execution because of an incomplete | fix for the CVE-2017-7525 deserialization flaw. This is exploitable by | sending maliciously crafted JSON input to the readValue method of the | ObjectMapper, bypassing a blacklist that is ineffective if the Spring | libraries are available in the classpath. Please note in the security-tracker we initially marked this issue as not-affected, since Red Hat claimed in [2] that it was a incomplete fix specific to some Red Hat packages. Could you double-check this and in case this bug was wronly open report back? But it looks that the corresponding changes would as well be missing from the Debian package. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2017-17485 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17485 [1] https://github.com/FasterXML/jackson-databind/issues/1855 [2] https://bugzilla.redhat.com/show_bug.cgi?id=1528565#c0 Please adjust the affected versions in the BTS as needed, in particular no check for stable and oldstable has been done yet. Regards, Salvatore __ This is the maintainer address of Debian's Java team <http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers>. Please use debian-j...@lists.debian.org for discussions and questions.
