Processed: Re: Bug#961298: jodd: CVE-2018-21234: Potential vulnerability in JSON deserialization

Processing control commands:

> severity -1 important
Bug #961298 [src:jodd] jodd: CVE-2018-21234: Potential vulnerability in JSON deserialization
Severity set to 'important' from 'grave'

--
961298: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=961298
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#961298: jodd: CVE-2018-21234: Potential vulnerability in JSON deserialization

Control: severity -1 important

On 22/05/2020 at 22:51, Salvatore Bonaccorso wrote:
> The following vulnerability was published for jodd. I'm filing it as
> RC severity since although one might dispute the severity for the issue
> itself, it looks that in Debian there was ever only one upload of
> jodd, there are no reverse (build) dependencies either.
>
> Is the package actually of some use or planned use?

Thank you for the report, Salvatore. jodd is a new dependency of JMeter 3, I haven't finished the packaging yet.

Note that the fix for CVE-2018-21234 merely adds an optional whitelisting feature to check the classes being deserialized. But the default behavior is still the same (no check), so the charge of addressing the vulnerability is actually shifted to the applications using jodd.

Emmanuel Bourg
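The allowlist gate described in the reply above, as an added illustration that is not jodd's code or API: a hypothetical resolver for the class-metadata field, with the unchecked pre-fix default beside the explicit allowlist an application has to opt into. The metadata key `__class`, the class name `com.example.Order` and the sample parsed object are constructed for the example.

```java
import java.util.Map;
import java.util.Set;
import java.util.function.Predicate;

/**
 * Hypothetical resolver for the class-metadata field of a parsed JSON object.
 * It models the behaviour the bug report describes; it is not jodd's code.
 */
public final class ClassMetadataResolver {
    private final String metadataName;      // the key set via setClassMetadataName
    private final Predicate<String> allowed; // gate applied to the class name

    /** Pre-fix default: no check, whatever class the JSON names is resolved. */
    public static ClassMetadataResolver unchecked(String metadataName) {
        return new ClassMetadataResolver(metadataName, name -> true);
    }

    /** Post-fix opt-in: only explicitly allowlisted class names are resolved. */
    public static ClassMetadataResolver allowlisted(String metadataName, Set<String> allowlist) {
        return new ClassMetadataResolver(metadataName, allowlist::contains);
    }

    private ClassMetadataResolver(String metadataName, Predicate<String> allowed) {
        this.metadataName = metadataName;
        this.allowed = allowed;
    }

    /** Resolve the target class for one parsed object, or reject it. */
    public Class<?> resolve(Map<String, Object> jsonObject, Class<?> fallback)
            throws ClassNotFoundException {
        Object name = jsonObject.get(metadataName);
        if (name == null) {
            return fallback; // no class metadata present: use the expected type
        }
        String className = name.toString();
        if (!allowed.test(className)) {
            throw new IllegalArgumentException("class not allowlisted: " + className);
        }
        return Class.forName(className);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a parsed JSON object carrying class metadata.
        Map<String, Object> parsed = Map.of("__class", "java.util.ArrayList", "size", 0);
        System.out.println(unchecked("__class").resolve(parsed, Object.class));
        ClassMetadataResolver strict = allowlisted("__class", Set.of("com.example.Order"));
        try {
            strict.resolve(parsed, Object.class);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```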
Bug#961298: jodd: CVE-2018-21234: Potential vulnerability in JSON deserialization

Source: jodd
Version: 3.8.6-1
Severity: grave
Tags: security upstream
Justification: user security hole
Forwarded: https://github.com/oblac/jodd/issues/628

Hi,

The following vulnerability was published for jodd. I'm filing it as RC severity since although one might dispute the severity for the issue itself, it looks that in Debian there was ever only one upload of jodd, there are no reverse (build) dependencies either.

Is the package actually of some use or planned use?

CVE-2018-21234[0]:
| Jodd before 5.0.4 performs Deserialization of Untrusted JSON Data when
| setClassMetadataName is set.

If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-21234
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-21234
[1] https://github.com/oblac/jodd/issues/628

Regards,
Salvatore