Bug#961298: jodd: CVE-2018-21234: Potential vulnerability in JSON deserialization

2021-03-01 Thread Salvatore Bonaccorso
Hi Emmanuel,

On Sat, May 30, 2020 at 02:50:32PM +0200, Emmanuel Bourg wrote:
> Control: severity -1 important
> 
> On 22/05/2020 at 22:51, Salvatore Bonaccorso wrote:
> 
> > The following vulnerability was published for jodd. I'm filing it as
> > RC severity since although one might dispute the severity for the issue
> > itself, it looks that in Debian there was ever only one upload of
> > jodd, and there are no reverse (build) dependencies either.
> > 
> > Is the package actually of some use or planned use?
> 
> Thank you for the report Salvatore.
> 
> jodd is a new dependency of JMeter 3, I haven't finished the packaging yet.
> 
> Note that the fix for CVE-2018-21234 merely adds an optional
> whitelisting feature to check the classes being deserialized. But the
> default behavior is still the same (no check), so the charge of
> addressing the vulnerability is actually shifted to the applications
> using jodd.

Back when we lowered the severity the above was the reasoning, but
jmeter 3 is not in bullseye.

So should we remove src:jodd to at least not be included in bullseye?
According to dak, this is no problem to do:

carnil@coccia:~$ dak rm --suite=testing -n -R jodd
Will remove the following packages from testing:

  jodd |  3.8.6-1.1 | source
libjodd-java |  3.8.6-1.1 | all

Maintainer: Debian Java Maintainers 


--- Reason ---

--

Checking reverse dependencies...
No dependency problem found.

carnil@coccia:~$

Regards,
Salvatore



Bug#961298: jodd: CVE-2018-21234: Potential vulnerability in JSON deserialization

2020-05-30 Thread Emmanuel Bourg
Control: severity -1 important

On 22/05/2020 at 22:51, Salvatore Bonaccorso wrote:

> The following vulnerability was published for jodd. I'm filing it as
> RC severity since although one might dispute the severity for the issue
> itself, it looks that in Debian there was ever only one upload of
> jodd, and there are no reverse (build) dependencies either.
> 
> Is the package actually of some use or planned use?

Thank you for the report Salvatore.

jodd is a new dependency of JMeter 3; I haven't finished the packaging yet.

Note that the fix for CVE-2018-21234 merely adds an optional
whitelisting feature to check the classes being deserialized. But the
default behavior is still the same (no check), so the charge of
addressing the vulnerability is actually shifted to the applications
using jodd.

Emmanuel Bourg
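To illustrate the point made in the message above (the 5.0.4 allowlist is opt-in, so a parser with class metadata enabled stays unchecked unless the application configures it), here is an added example; it is not code from the bug report or from the jodd project. `setClassMetadataName` is the method named in the CVE text; the `allowClass(String)` call, the `JsonException` thrown on a rejected class, and the `Person` DTO and JSON inputs are assumptions of this example based on Jodd 5.0.4+ and are not taken from the page.

```java
import jodd.json.JsonException;
import jodd.json.JsonParser;

public class JoddClassMetadataDemo {

    // Constructed DTO: the only type we ever want a JSON document to instantiate.
    public static class Person {
        public String name;
        public int age;
    }

    // Constructed inputs. "__class" is the class-metadata key enabled below;
    // the second document names a class outside the allowlist.
    static final String JSON_OK =
        "{\"__class\":\"JoddClassMetadataDemo$Person\",\"name\":\"alice\",\"age\":30}";
    static final String JSON_OTHER_CLASS =
        "{\"__class\":\"java.util.HashMap\",\"name\":\"alice\"}";

    // Weak configuration (behaviour before 5.0.4, and still the default afterwards):
    // class metadata is honoured and whatever class the input names is instantiated.
    static Object parseUnchecked(String json) {
        return JsonParser.create()
            .setClassMetadataName("__class")
            .parse(json);
    }

    // Hardened configuration: same parser, but only the listed class pattern may be
    // instantiated. allowClass(...) is assumed here from Jodd 5.0.4+, not from the page.
    static Object parseAllowlisted(String json) {
        return JsonParser.create()
            .setClassMetadataName("__class")
            .allowClass("JoddClassMetadataDemo$Person")
            .parse(json);
    }

    public static void main(String[] args) {
        // Unchecked parser builds whatever the document asked for.
        System.out.println("unchecked: " + parseUnchecked(JSON_OTHER_CLASS).getClass());
        // Allowlisted parser still accepts the intended DTO...
        System.out.println("allowlisted: " + parseAllowlisted(JSON_OK).getClass());
        // ...but refuses any other class named in the input (assumed to throw JsonException).
        try {
            parseAllowlisted(JSON_OTHER_CLASS);
            System.out.println("unexpected: class was accepted");
        } catch (JsonException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The practical check for a packager or application owner is therefore not the jodd version alone but whether every `JsonParser` that calls `setClassMetadataName` also restricts the classes it may instantiate.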



Bug#961298: jodd: CVE-2018-21234: Potential vulnerability in JSON deserialization

2020-05-22 Thread Salvatore Bonaccorso
Source: jodd
Version: 3.8.6-1
Severity: grave
Tags: security upstream
Justification: user security hole
Forwarded: https://github.com/oblac/jodd/issues/628

Hi,

The following vulnerability was published for jodd. I'm filing it as
RC severity since although one might dispute the severity for the issue
itself, it looks that in Debian there was ever only one upload of
jodd, and there are no reverse (build) dependencies either.

Is the package actually of some use or planned use?

CVE-2018-21234[0]:
| Jodd before 5.0.4 performs Deserialization of Untrusted JSON Data when
| setClassMetadataName is set.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-21234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-21234
[1] https://github.com/oblac/jodd/issues/628

Regards,
Salvatore