Your message dated Thu, 03 Oct 2019 14:49:11 +0000
with message-id <e1ig2pn-000du8...@fasolo.debian.org>
and subject line Bug#941530: fixed in jackson-databind 2.10.0-2
has caused the Debian Bug report #941530,
regarding jackson-databind: CVE-2019-16942 CVE-2019-16943
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
941530: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=941530
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: jackson-databind
Version: 2.10.0-1
Severity: grave
Tags: security upstream
Justification: user security hole
Forwarded: https://github.com/FasterXML/jackson-databind/issues/2478
Control: found -1 2.9.8-3
Control: found -1 2.8.6-1+deb9u5
Control: found -1 2.8.6-1

Hi,

Tony, Markus, as it was already expected ;-). Upstream, whilst it
affects 2.10.0 as well, seemingly is not considering doing an update
for 2.10 specifically but has fixed this one as well for older
versions. The previous point, that this is just going to start to be
silly, holds.

That said, let's follow with the usual information:

The following vulnerabilities were published for jackson-databind.

CVE-2019-16942[0]:
| A Polymorphic Typing issue was discovered in FasterXML jackson-
| databind 2.0.0 through 2.9.10. When Default Typing is enabled (either
| globally or for a specific property) for an externally exposed JSON
| endpoint and the service has the commons-dbcp (1.4) jar in the
| classpath, and an attacker can find an RMI service endpoint to access,
| it is possible to make the service execute a malicious payload. This
| issue exists because of
| org.apache.commons.dbcp.datasources.SharedPoolDataSource and
| org.apache.commons.dbcp.datasources.PerUserPoolDataSource mishandling.


CVE-2019-16943[1]:
| A Polymorphic Typing issue was discovered in FasterXML jackson-
| databind 2.0.0 through 2.9.10. When Default Typing is enabled (either
| globally or for a specific property) for an externally exposed JSON
| endpoint and the service has the p6spy (3.8.6) jar in the classpath,
| and an attacker can find an RMI service endpoint to access, it is
| possible to make the service execute a malicious payload. This issue
| exists because of com.p6spy.engine.spy.P6DataSource mishandling.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-16942
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16942
[1] https://security-tracker.debian.org/tracker/CVE-2019-16943
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16943
[2] https://github.com/FasterXML/jackson-databind/issues/2478

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: jackson-databind
Source-Version: 2.10.0-2

We believe that the bug you reported is fixed in the latest version of
jackson-databind, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 941...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <a...@debian.org> (supplier of updated jackson-databind package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


Format: 1.8
Date: Thu, 03 Oct 2019 15:48:58 +0200
Source: jackson-databind
Architecture: source
Version: 2.10.0-2
Distribution: unstable
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintain...@lists.alioth.debian.org>
Changed-By: Markus Koschany <a...@debian.org>
Closes: 941530
Changes:
 jackson-databind (2.10.0-2) unstable; urgency=high
 .
   * Fix CVE-2019-16942 and CVE-2019-16943.
     Block two more gadget types (commons-dbcp, p6spy). (Closes: #941530)


--- End Message ---
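The precondition both CVE entries above describe (Default Typing enabled on an externally exposed endpoint, with a gadget class such as the commons-dbcp or p6spy DataSource on the classpath) and the changelog's "block two more gadget types" fix, illustrated from the application side as an added Java example that is not from the bug report or from the jackson-databind project: the pre-2.10 global default-typing call beside the 2.10 form that requires a PolymorphicTypeValidator allowlist, which refuses any type id outside the application's own classes regardless of which gadgets upstream has denylisted so far. The `Config` type and the `com.example.model.` package prefix are assumptions.

```java
// Added example (not from the bug report or the jackson-databind project).
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class DefaultTypingExample {

    // Hypothetical application type; deserialisation should only ever produce this.
    public static class Config {
        public Object dataSource;   // declared as Object, so default typing applies to it
    }

    // Pattern the CVEs require: global default typing with no validator. Any class on
    // the classpath that the JSON names as a type id (including the commons-dbcp and
    // p6spy DataSource classes) is instantiated from untrusted input.
    static ObjectMapper weakMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping();   // deprecated in 2.10 because of this bug class
        return mapper;
    }

    // 2.10 form: default typing can only be activated with a PolymorphicTypeValidator.
    // Only subtypes under the application's own package may be resolved from type ids,
    // so a new gadget on the classpath does not become reachable.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.model.")   // assumed package prefix
                .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: a WRAPPER_ARRAY type id naming a benign JDK class that
        // exists on every classpath but lies outside the allowed package prefix.
        String json = "{\"dataSource\":[\"java.util.HashMap\",{}]}";
        try {
            hardenedMapper().readValue(json, Config.class);
            System.out.println("unexpected: type id was accepted");
        } catch (JsonMappingException e) {
            // Expected: the validator denies the subtype and Jackson reports an
            // invalid type id instead of constructing the named class.
            System.out.println("rejected: " + e.getOriginalMessage());
        }
    }
}
```

Compiling against jackson-databind 2.10.x, the `weakMapper()` call is reported as deprecated by javac, which is a useful grep target when auditing a code base for this configuration.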