Bug#888316: jackson-databind: CVE-2018-5968

Sébastien Delafond seb at debian.org
Sun Feb 11 07:42:08 UTC 2018


On Jan/27, Markus Koschany wrote:
> I have prepared security updates of jackson-databind for Stretch and
> Jessie and would appreciate another look at the patches.
> 
> The fix for CVE-2018-5968 is straightforward. The blacklist is simply
> extended.
> 
> However upstream decided to refactor the code for CVE-2017-17485 and I
> decided to apply the changes to BeanDeserializerFactory.java again
> instead of using the new helper class SubTypeValidator. Here is my
> thought process on how to create the patch based on the solution in
> upstream bug 1855 [1]
> 
> 1. Extend the blacklist. [2]
> 2. Instead of creating a new method validateSubType, I copied the fix
> into checkIllegalTypes in BeanDeserializerFactory again [3]. The behavior
> remains the same. This code catches some specific cases for the Spring
> framework.
> 3. I also applied the regression fix in [4] (also mentioned in bug 1855)
> 4. I believe that [5] only applies to the refactored code and since we
> don't use that it is irrelevant for us.

Hi Markus,

thanks a lot for the patches. I've reviewed them, and your approach is
sound: please upload.

Cheers,

--Seb
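The check the thread talks about (a blacklist of class names consulted in checkIllegalTypes before a polymorphic subtype is instantiated, with a few extra cases caught by looking at a type's ancestors) is easier to reason about in isolation. The following is an added, stand-alone illustration written for this page; it is not jackson-databind's own code and does not reproduce upstream's actual list. Every class name in it (AbstractRiskyBase, RiskyChild, Customer, UnreportedGadget, the com.example.gadget.* strings) is made up, and the superclass walk is my reading of how such a check catches framework base classes, not a statement about what upstream does line for line. It also shows the allow-list alternative a reviewer would ask about, since a deny-list by construction only stops gadgets that have already been reported.

```java
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

/**
 * Example code (not jackson-databind's): a deny-list subtype check of the kind
 * applied before a polymorphically typed value is instantiated, next to an
 * allow-list check. All class and package names below are hypothetical.
 */
public final class SubTypeDenyList {

    /** Hypothetical base class that a whole family of gadgets extends. */
    public static class AbstractRiskyBase { }
    /** Hypothetical gadget: not listed by name itself, only its parent is. */
    public static final class RiskyChild extends AbstractRiskyBase { }
    /** Hypothetical harmless bean the application really wants to read. */
    public static final class Customer { public String name; }
    /** Hypothetical gadget nobody has reported yet; a deny-list cannot know it. */
    public static final class UnreportedGadget { }

    /** Exact fully qualified names never to instantiate from input (hypothetical entries). */
    private static final Set<String> DENIED_NAMES = Collections.unmodifiableSet(
            new HashSet<>(Arrays.asList(
                    "com.example.gadget.JndiLookupFactory",
                    "com.example.gadget.RemoteClassLoader")));

    /** Base classes whose entire subclass tree is rejected by walking getSuperclass(). */
    private static final Set<String> DENIED_BASES =
            Collections.singleton(AbstractRiskyBase.class.getName());

    /** Distinct exception type so callers can tell policy rejections from other failures. */
    public static final class IllegalSubTypeException extends RuntimeException {
        IllegalSubTypeException(String msg) { super(msg); }
    }

    /** Name-only check, usable before the class has been loaded at all. */
    public static void validateSubType(String fullName) {
        if (DENIED_NAMES.contains(fullName)) {
            throw new IllegalSubTypeException("Illegal type (" + fullName
                    + ") to deserialize: prevented for security reasons");
        }
    }

    /**
     * Deny-list check on a resolved class: reject if its name is listed, or if
     * any ancestor short of Object is a listed base class. Returns normally
     * when the type is not on the list, which includes unknown gadgets.
     */
    public static void validateSubType(Class<?> raw) {
        validateSubType(raw.getName());
        for (Class<?> cls = raw; cls != null && cls != Object.class; cls = cls.getSuperclass()) {
            if (DENIED_BASES.contains(cls.getName())) {
                throw new IllegalSubTypeException("Illegal type (" + raw.getName()
                        + ") to deserialize: extends " + cls.getName());
            }
        }
    }

    /**
     * Allow-list alternative: only an explicitly permitted concrete class may be
     * instantiated. Exact membership is used on purpose; assignability checks
     * against broad types (Object, Serializable) would reopen the hole.
     */
    public static void validateAgainstAllowList(Class<?> raw, Set<Class<?>> permitted) {
        if (!permitted.contains(raw)) {
            throw new IllegalSubTypeException("Type (" + raw.getName()
                    + ") is not in the allow-list of deserializable classes");
        }
    }

    private static String outcome(Runnable check) {
        try {
            check.run();
            return "allowed";
        } catch (IllegalSubTypeException e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        // Constructed inputs: what a type id in a JSON document could resolve to.
        Set<Class<?>> permitted = Collections.singleton(Customer.class);
        Class<?>[] candidates = { Customer.class, RiskyChild.class, UnreportedGadget.class };
        for (Class<?> c : candidates) {
            System.out.println(c.getSimpleName() + " / deny-list:  " + outcome(() -> validateSubType(c)));
            System.out.println(c.getSimpleName() + " / allow-list: " + outcome(() -> validateAgainstAllowList(c, permitted)));
        }
        // A listed name is rejected even when no class of that name can be loaded here.
        System.out.println("com.example.gadget.JndiLookupFactory / deny-list:  "
                + outcome(() -> validateSubType("com.example.gadget.JndiLookupFactory")));
    }
}
```

Compiles with a plain JDK (8 or later), no Jackson on the classpath. Running it shows the point of the thread's caveat about blacklists: Customer passes both checks, RiskyChild is rejected by the deny-list only because the superclass walk finds AbstractRiskyBase, and UnreportedGadget sails through the deny-list while the allow-list rejects it. Extending the blacklist, as the patch does for CVE-2018-5968, moves names from the third case into the second; it does not change the shape of the problem.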