Bug#941530: jackson-databind: CVE-2019-16942 CVE-2019-16943
On 02/10 09:43, Salvatore Bonaccorso wrote:
> Whilst I'm not yet sure if we should really release a further DSA for
> jackson-databind (we will come back to you on that), a possible idea
> for bullseye (might be better cloned/filled as new bug, but want to
> mention it here already):

Let's do a DSA for this one. For future issues, we can choose to decide on
DSA vs. point release on a case-by-case basis, depending on severity.

Cheers,
-- Seb
Processed: Re: Bug#941530: jackson-databind: CVE-2019-16942 CVE-2019-16943
Processing control commands:

> clone 941530 -1
Bug #941530 [src:jackson-databind] jackson-databind: CVE-2019-16942 CVE-2019-16943
Bug 941530 cloned as bug 941662
> retitle -1 jackson-databind: consider using a whitelist
Bug #941662 [src:jackson-databind] jackson-databind: CVE-2019-16942 CVE-2019-16943
Changed Bug title to 'jackson-databind: consider using a whitelist' from 'jackson-databind: CVE-2019-16942 CVE-2019-16943'.
> severity -1 wishlist
Bug #941662 [src:jackson-databind] jackson-databind: consider using a whitelist
Severity set to 'wishlist' from 'grave'

--
941530: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=941530
941662: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=941662
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#941530: jackson-databind: CVE-2019-16942 CVE-2019-16943
Control: clone 941530 -1
Control: retitle -1 jackson-databind: consider using a whitelist
Control: severity -1 wishlist

Hi,

On 02.10.19 at 09:43, Salvatore Bonaccorso wrote:
[...]
> Whilst I'm not yet sure if we should really release a further DSA for
> jackson-databind (we will come back to you on that), a possible idea
> for bullseye (might be better cloned/filled as new bug, but want to
> mention it here already):
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1731271
>
> Red Hat recently fixed a CVE for codehaus. The approach they took
> there was, rather than continuing on the jackson-databind side (that is
> my interpretation), to start a whitelist approach on the side of the
> applications which use jackson-databind.
>
> This might be something to consider for bullseye as well for the
> reverse dependencies. Not sure if this is feasible in our case, but
> this might be worth investigating.

Good idea. Let's investigate this solution. I will track that in another
bug report.

Regards,

Markus
Bug#941530: jackson-databind: CVE-2019-16942 CVE-2019-16943
Hi Markus,

On Tue, Oct 01, 2019 at 10:46:16PM +0200, Markus Koschany wrote:
> Hi Salvatore,
>
> On 01.10.19 at 22:34, Salvatore Bonaccorso wrote:
> > Source: jackson-databind
> > Version: 2.10.0-1
> > Severity: grave
> > Tags: security upstream
> > Justification: user security hole
> > Forwarded: https://github.com/FasterXML/jackson-databind/issues/2478
> > Control: found -1 2.9.8-3
> > Control: found -1 2.8.6-1+deb9u5
> > Control: found -1 2.8.6-1
> >
> > Hi,
> >
> > Tony, Markus,
> >
> > As it was already expected ;-). Upstream, whilst it
> > affects as well 2.10.0, seemingly is not considering doing an update
> > for 2.10 specifically but have fixed this one as well for older
> > versions. Previous point, that this is just going to start to be silly,
> > upholds.
> >
> > That said, let's follow with the usual information:
> >
> > The following vulnerabilities were published for jackson-databind.
> [...]
>
> First of all, thank you very much for taking care of reporting these issues.
>
> Please let me know if you think this is a DSA-worthy issue. Otherwise I
> will just ask the release team for an update. Personally I believe we
> can treat that as an important issue from now on.

Whilst I'm not yet sure if we should really release a further DSA for
jackson-databind (we will come back to you on that), a possible idea
for bullseye (might be better cloned/filled as new bug, but want to
mention it here already):

https://bugzilla.redhat.com/show_bug.cgi?id=1731271

Red Hat recently fixed a CVE for codehaus. The approach they took
there was, rather than continuing on the jackson-databind side (that is
my interpretation), to start a whitelist approach on the side of the
applications which use jackson-databind.

This might be something to consider for bullseye as well for the
reverse dependencies. Not sure if this is feasible in our case, but
this might be worth investigating.

Regards,
Salvatore
Bug#941530: jackson-databind: CVE-2019-16942 CVE-2019-16943
Hi Salvatore,

On 01.10.19 at 22:34, Salvatore Bonaccorso wrote:
> Source: jackson-databind
> Version: 2.10.0-1
> Severity: grave
> Tags: security upstream
> Justification: user security hole
> Forwarded: https://github.com/FasterXML/jackson-databind/issues/2478
> Control: found -1 2.9.8-3
> Control: found -1 2.8.6-1+deb9u5
> Control: found -1 2.8.6-1
>
> Hi,
>
> Tony, Markus,
>
> As it was already expected ;-). Upstream, whilst it
> affects as well 2.10.0, seemingly is not considering doing an update
> for 2.10 specifically but have fixed this one as well for older
> versions. Previous point, that this is just going to start to be silly,
> upholds.
>
> That said, let's follow with the usual information:
>
> The following vulnerabilities were published for jackson-databind.
[...]

First of all, thank you very much for taking care of reporting these issues.

Please let me know if you think this is a DSA-worthy issue. Otherwise I
will just ask the release team for an update. Personally I believe we
can treat that as an important issue from now on.

Cheers,

Markus
Bug#941530: jackson-databind: CVE-2019-16942 CVE-2019-16943
Source: jackson-databind
Version: 2.10.0-1
Severity: grave
Tags: security upstream
Justification: user security hole
Forwarded: https://github.com/FasterXML/jackson-databind/issues/2478
Control: found -1 2.9.8-3
Control: found -1 2.8.6-1+deb9u5
Control: found -1 2.8.6-1

Hi,

Tony, Markus,

As it was already expected ;-). Upstream, whilst it
affects as well 2.10.0, seemingly is not considering doing an update
for 2.10 specifically but have fixed this one as well for older
versions. Previous point, that this is just going to start to be silly,
upholds.

That said, let's follow with the usual information:

The following vulnerabilities were published for jackson-databind.

CVE-2019-16942[0]:
| A Polymorphic Typing issue was discovered in FasterXML jackson-databind
| 2.0.0 through 2.9.10. When Default Typing is enabled (either globally
| or for a specific property) for an externally exposed JSON endpoint and
| the service has the commons-dbcp (1.4) jar in the classpath, and an
| attacker can find an RMI service endpoint to access, it is possible to
| make the service execute a malicious payload. This issue exists because
| of org.apache.commons.dbcp.datasources.SharedPoolDataSource and
| org.apache.commons.dbcp.datasources.PerUserPoolDataSource mishandling.

CVE-2019-16943[1]:
| A Polymorphic Typing issue was discovered in FasterXML jackson-databind
| 2.0.0 through 2.9.10. When Default Typing is enabled (either globally
| or for a specific property) for an externally exposed JSON endpoint and
| the service has the p6spy (3.8.6) jar in the classpath, and an attacker
| can find an RMI service endpoint to access, it is possible to make the
| service execute a malicious payload. This issue exists because of
| com.p6spy.engine.spy.P6DataSource mishandling.

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-16942
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16942
[1] https://security-tracker.debian.org/tracker/CVE-2019-16943
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16943
[2] https://github.com/FasterXML/jackson-databind/issues/2478

Regards,
Salvatore
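The application-side whitelist approach discussed in this thread, as an added example that is not from the bug report, from Red Hat, or from jackson-databind itself: it puts the weak Default Typing setting named in the two CVE descriptions beside the allow-list configuration that jackson-databind 2.10 (the version filed against) offers through PolymorphicTypeValidator. The model class, the com.example.model package name and the JSON inputs are constructed for the example; only classes from that package may be named in a type id, so any other jar on the classpath stays unreachable from JSON.

```java
package com.example.model;

import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

// Added example, not from the bug report or from jackson-databind: the model
// class, the package name and the JSON inputs below are constructed.
public class DefaultTypingAllowList {
    public static class Circle {
        public double radius;
    }

    // Weak setting: the type id in the JSON may name any class on the classpath,
    // which is the precondition described in CVE-2019-16942 and CVE-2019-16943.
    static ObjectMapper weakMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL); // deprecated in 2.10
        return m;
    }

    // Hardened setting (jackson-databind 2.10): an allow-list limits type ids to
    // the application's own model package; any other class is refused even if present.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.model.")
                .build();
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return m;
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs in Jackson's default WRAPPER_ARRAY form: [type id, value].
        String model = "[\"com.example.model.DefaultTypingAllowList$Circle\", {\"radius\": 2.0}]";
        String foreign = "[\"java.util.HashMap\", {\"k\": \"v\"}]";
        // Weak: an arbitrary classpath type chosen by the caller is instantiated.
        System.out.println("weak accepted: " + weakMapper().readValue(foreign, Object.class).getClass());
        // Hardened: the model type is accepted, the foreign type id is rejected.
        ObjectMapper mapper = hardenedMapper();
        System.out.println("hardened accepted: " + mapper.readValue(model, Object.class).getClass());
        try {
            mapper.readValue(foreign, Object.class);
        } catch (InvalidTypeIdException e) {
            System.out.println("hardened rejected type id: " + e.getTypeId());
        }
    }
}
```

java.util.HashMap stands in for any class outside the allow-list; the same InvalidTypeIdException is raised for the data-source classes named in the CVE descriptions, so the allow-list removes the classpath-dependent precondition rather than chasing individual gadget classes.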