Your message dated Fri, 23 Feb 2018 11:34:17 +0000
with message-id <e1epbch-0001yu...@fasolo.debian.org>
and subject line Bug#888316: fixed in jackson-databind 2.8.6-1+deb9u3
has caused the Debian Bug report #888316,
regarding jackson-databind: CVE-2018-5968
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
888316: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=888316
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: jackson-databind
Version: 2.9.1-1
Severity: grave
Tags: patch security upstream
Forwarded: https://github.com/FasterXML/jackson-databind/issues/1899
Control: found -1 2.8.6-1+deb9u2
Control: found -1 2.4.2-2+deb8u2

Hi,

the following vulnerability was published for jackson-databind.

CVE-2018-5968[0]:
| FasterXML jackson-databind through 2.8.11 and 2.9.x through 2.9.3
| allows unauthenticated remote code execution because of an incomplete
| fix for the CVE-2017-7525 and CVE-2017-17485 deserialization flaws.
| This is exploitable via two different gadgets that bypass a blacklist.

The upstream issue is at [1], with upstrema fix [2]. If I see it
correctly with commit [3] the code was shuffled a bit around, so the
patched file is different in meanwhile. If you disagree on the
analysis, given I'm unfamiliar iwth jackson-databind let me know.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-5968
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5968
[1] https://github.com/FasterXML/jackson-databind/issues/1899
[2] 
https://github.com/FasterXML/jackson-databind/commit/038b471e2efde2e8f96b4e0be958d3e5a1ff1d05
[3] 
https://github.com/FasterXML/jackson-databind/commit/2235894210c75f624a3d0cd60bfb0434a20a18bf

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: jackson-databind
Source-Version: 2.8.6-1+deb9u3

We believe that the bug you reported is fixed in the latest version of
jackson-databind, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 888...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <a...@debian.org> (supplier of updated jackson-databind package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 27 Jan 2018 19:12:39 +0100
Source: jackson-databind
Binary: libjackson2-databind-java libjackson2-databind-java-doc
Architecture: source all
Version: 2.8.6-1+deb9u3
Distribution: stretch-security
Urgency: high
Maintainer: Debian Java Maintainers 
<pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <a...@debian.org>
Description:
 libjackson2-databind-java - fast and powerful JSON library for Java -- data 
binding
 libjackson2-databind-java-doc - Documentation for jackson-databind
Closes: 888316 888318
Changes:
 jackson-databind (2.8.6-1+deb9u3) stretch-security; urgency=high
 .
   * Team upload.
   * Fix CVE-2017-17485 and CVE-2018-5968:
     Bybass of deserialization blackist to disallow unauthenticated remote code
     execution. These CVE exist due to an incomplete fix for CVE-2017-7525.
     (Closes: #888316, #888318)
Checksums-Sha1:
 0ad8f9644b1a4446dbbaa709de1ab2827d1b631e 2694 
jackson-databind_2.8.6-1+deb9u3.dsc
 7fa80128b6793f82a4982f0bab47b14cf68bf47a 8424 
jackson-databind_2.8.6-1+deb9u3.debian.tar.xz
 d4093936a3bf78a5e2c8377efc7323f1cb61cfa9 16475 
jackson-databind_2.8.6-1+deb9u3_amd64.buildinfo
 76e1f8e7470db4d505c39db3f857caebedfd39c0 1228842 
libjackson2-databind-java-doc_2.8.6-1+deb9u3_all.deb
 782823cff9a6a7a092dd3ef9d16a50d39ade14c0 1154694 
libjackson2-databind-java_2.8.6-1+deb9u3_all.deb
Checksums-Sha256:
 61aa763d90694a021239bb6ee80400657ab467d76fbe82c6d6333db0d64d3912 2694 
jackson-databind_2.8.6-1+deb9u3.dsc
 00ab252cfc0253a28dc7e73248302bc1d717f23b43e25fbd8ce6c7fe6b260e82 8424 
jackson-databind_2.8.6-1+deb9u3.debian.tar.xz
 b8a011e559004daf812f3f42b111ffad035b803cf6049b4e090d833f8f8215f0 16475 
jackson-databind_2.8.6-1+deb9u3_amd64.buildinfo
 60457f1efdda8be7c7d8e73f670d809b6aa0d73746f3ab6cd0940de7477883a7 1228842 
libjackson2-databind-java-doc_2.8.6-1+deb9u3_all.deb
 cecd0c322485064fa6e2b158aa9a1f57050ca7ac4255cddd18c5e25e2cad55d5 1154694 
libjackson2-databind-java_2.8.6-1+deb9u3_all.deb
Files:
 5583ccd0f59a9b0ac6ea6bd4db89f101 2694 java optional 
jackson-databind_2.8.6-1+deb9u3.dsc
 c12d0d8ab5995da693eab7977b85adfd 8424 java optional 
jackson-databind_2.8.6-1+deb9u3.debian.tar.xz
 6f6a35c72bbc2e9402f4e0e79291032b 16475 java optional 
jackson-databind_2.8.6-1+deb9u3_amd64.buildinfo
 6b67fd4e9736c7d5419df1c848c214fe 1228842 doc optional 
libjackson2-databind-java-doc_2.8.6-1+deb9u3_all.deb
 0b83a8e190c67fb6ae0208edf2c27548 1154694 java optional 
libjackson2-databind-java_2.8.6-1+deb9u3_all.deb

-----BEGIN PGP SIGNATURE-----

iQKjBAEBCgCNFiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAlqAeNhfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQPHGFwb0BkZWJp
YW4ub3JnAAoJENmtFLlRO1HkSogQALQgt9lAfVsUpMca7ix6eCgys/87J7yO311k
oyOnHDoMYl9jXJtpZfL9XVPb3tYSSY23ZLKjeQuEI+oIxBA3hbgYzADrswSz6Etm
rArSWRfpviHr3nAQJWbgRFlZYPSsOJ5jrWJN3wJFGJ6vzwofjbd3w5s+MLogUdm8
demLgmi7K+/CCdwh1dUQK+D74YS1askWATRXCLyNvD4MdQNbxfFAbjciUGDW4B1K
PV/d2bJqKzDXZrOpXSfi9njgokpqniLTWPU3thbCnx412vDu3GzrYq0uh5oiiMi6
/C8+richa5PE0uAkr2c3haReSaEa4/YFBHBxXGlMERzsS0TUI6To+2jAxMsTp1qM
dcnyAmB6HoArfR51Iu0hoKg4roR2UW2UUOhUNX6YtNeh1FpcR5bo7ntuvss4LvIn
ztey44fUagSiuliwRmrT5KqzzhEQM1sPflxRMLqYVxo6P5mj60FTv51y5bhyf2Qu
uym0Nnk9yUQhdkrocTfzs47U1dVyyf+tSvQ7cfoj/z7PGSHZoIJRLgFim+hbQJ+Z
D2f/VZmqH0O4dwzHzGLH2EWIaHjSZ/sOIartbQ8VrGZoJIl0+OdZupexZvF5i95M
Z/LGfnAalqT0ZiDtPONRwnfPCa5X4/JGua1YTKFz55n2CMgx0N3jpBYBOUBCx35V
VOcFfDkI
=68UA
-----END PGP SIGNATURE-----

--- End Message ---
__
This is the maintainer address of Debian's Java team
<http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers>. 
Please use
debian-j...@lists.debian.org for discussions and questions.

Reply via email to