[Git][java-team/jackson-databind][stretch] Import Debian changes 2.8.6-1+deb9u6

Markus Koschany gitlab at salsa.debian.org
Thu Jul 9 15:28:01 BST 2020



Markus Koschany pushed to branch stretch at Debian Java Maintainers / jackson-databind


Commits:
b7ef4f68 by Markus Koschany at 2020-07-09T16:27:22+02:00
Import Debian changes 2.8.6-1+deb9u6

jackson-databind (2.8.6-1+deb9u6) stretch-security; urgency=high
..
  * Fix CVE-2019-12384, CVE-2019-12814, CVE-2019-14379, CVE-2019-14439,
    CVE-2019-14540, CVE-2019-16335, CVE-2019-16942 and CVE-2019-16943.
    Several deserialization flaws were discovered in jackson-databind which
    could allow an unauthenticated user to perform code execution. The issue
    was resolved by extending the blacklist and blocking more classes from
    polymorphic deserialization.

- - - - -


3 changed files:

- debian/changelog
- + debian/patches/polymorphic-typing-issues.patch
- debian/patches/series


Changes:

=====================================
debian/changelog
=====================================
@@ -1,3 +1,14 @@
+jackson-databind (2.8.6-1+deb9u6) stretch-security; urgency=high
+
+  * Fix CVE-2019-12384, CVE-2019-12814, CVE-2019-14379, CVE-2019-14439,
+    CVE-2019-14540, CVE-2019-16335, CVE-2019-16942 and CVE-2019-16943.
+    Several deserialization flaws were discovered in jackson-databind which
+    could allow an unauthenticated user to perform code execution. The issue
+    was resolved by extending the blacklist and blocking more classes from
+    polymorphic deserialization.
+
+ -- Markus Koschany <apo at debian.org>  Sat, 05 Oct 2019 19:21:48 +0200
+
 jackson-databind (2.8.6-1+deb9u5) stretch-security; urgency=high
 
   * Team upload.
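Review bot: The trailer date on the new changelog entry (Sat, 05 Oct 2019) is nine months older than the commit date in this push (2020-07-09T16:27:22+02:00); confirm that the date reflects the actual upload and bump it with a fresh `dch` run if this was prepared earlier and only imported now. The entry also summarises eight CVEs with a single sentence; listing the upstream issue numbers the patch addresses (the `[databind#NNNN]` ids visible in the patch header below) alongside the CVEs would make it possible to verify coverage from the changelog alone.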


=====================================
debian/patches/polymorphic-typing-issues.patch
=====================================
@@ -0,0 +1,54 @@
+From: Markus Koschany <apo at debian.org>
+Date: Sat, 5 Oct 2019 19:15:03 +0200
+Subject: polymorphic typing issues
+
+This is the fix for CVE-2019-12384, CVE-2019-12814, CVE-2019-14379,
+CVE-2019-14439, CVE-2019-14540, CVE-2019-16335, CVE-2019-16942, CVE-2019-16943
+---
+ .../databind/deser/BeanDeserializerFactory.java    | 33 ++++++++++++++++++++++
+ 1 file changed, 33 insertions(+)
+
+diff --git a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
+index c22653a..77d426c 100644
+--- a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
++++ b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
+@@ -103,6 +103,39 @@ public class BeanDeserializerFactory
+         // [databind#2326] (2.9.9): one more 3rd party gadget
+         s.add("com.mysql.cj.jdbc.admin.MiniAdmin");
+ 
++        // [databind#2334]: logback-core
++        s.add("ch.qos.logback.core.db.DriverManagerConnectionSource");
++
++        // [databind#2341]: jdom/jdom2
++        s.add("org.jdom.transform.XSLTransformer");
++        s.add("org.jdom2.transform.XSLTransformer");
++
++        // [databind#2387]: EHCache
++        s.add("net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup");
++
++        // [databind#2389]: logback/jndi
++        s.add("ch.qos.logback.core.db.JNDIConnectionSource");
++
++        // [databind#2410]: HikariCP/metricRegistry config
++        s.add("com.zaxxer.hikari.HikariConfig");
++
++        // [databind#2449]: and sub-class thereof
++        s.add("com.zaxxer.hikari.HikariDataSource");
++
++        // [databind#2420]: CXF/JAX-RS provider/XSLT
++        s.add("org.apache.cxf.jaxrs.provider.XSLTJaxbProvider");
++
++        // [databind#2462]: commons-configuration / -2
++        s.add("org.apache.commons.configuration.JNDIConfiguration");
++        s.add("org.apache.commons.configuration2.JNDIConfiguration");
++
++        // [databind#2469]: xalan2
++        s.add("org.apache.xalan.lib.sql.JNDIConnectionPool");
++
++        // [databind#2478]: comons-dbcp, p6spy
++        s.add("org.apache.commons.dbcp.datasources.SharedPoolDataSource");
++        s.add("com.p6spy.engine.spy.P6DataSource");
++
+         DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
+     }
+ 
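Review bot: The patch header carries only From/Date/Subject; add the DEP-3 `Origin:` (the upstream commit(s) these `s.add(...)` lines were cherry-picked from) and a per-CVE mapping to the `[databind#NNNN]` issues, since the subject lists eight CVEs but nothing in the hunk says which class name closes which advisory, which makes auditing the backport against the advisories guesswork. Two smaller points in the same hunk: the comment `// [databind#2478]: comons-dbcp, p6spy` has a typo (`commons-dbcp`) inherited from upstream, and the context line `// [databind#2326] (2.9.9): one more 3rd party gadget` shows the 2.8.x branch already tracks the 2.9 deny list, so it is worth recording in the header which upstream release this set of additions corresponds to. As a general caveat for the changelog wording "resolved by extending the blacklist": this hunk only grows `DEFAULT_NO_DESER_CLASS_NAMES`, so it blocks the named gadget classes and nothing else; applications on this version that enable default typing remain exposed to any gadget not on the list, and the changelog should say so rather than imply the deserialization issue is closed.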


=====================================
debian/patches/series
=====================================
@@ -10,3 +10,4 @@ CVE-2018-12022.patch
 CVE-2018-14718.patch
 CVE-2018-19360.patch
 CVE-2019-12086.patch
+polymorphic-typing-issues.patch
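Review bot: Every preceding entry in `debian/patches/series` is named after the CVE it fixes (`CVE-2018-14718.patch`, `CVE-2018-19360.patch`, `CVE-2019-12086.patch`); the new `polymorphic-typing-issues.patch` breaks that convention, and because it covers eight CVEs at once, a later reader grepping `series` for a CVE id will not find it. Either name it after the CVE range (for example `CVE-2019-12384+others.patch`) or keep the generic name but make sure the patch header enumerates the CVEs, which it currently does.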



View it on GitLab: https://salsa.debian.org/java-team/jackson-databind/-/commit/b7ef4f68e1e14e5df5bc06e39ccb4fef7ee9354a
