[Secure-testing-commits] r57228 - data/CVE

Salvatore Bonaccorso carnil at moszumanska.debian.org
Thu Nov 2 06:59:16 UTC 2017


Author: carnil
Date: 2017-11-02 06:59:16 +0000 (Thu, 02 Nov 2017)
New Revision: 57228

Modified:
   data/CVE/list
Log:
Add CVE-2017-15095 (incomplete fixes for jackson-databind)

Modified: data/CVE/list
===================================================================
--- data/CVE/list	2017-11-02 06:50:04 UTC (rev 57227)
+++ data/CVE/list	2017-11-02 06:59:16 UTC (rev 57228)
@@ -3618,8 +3618,20 @@
 	NOTE: https://review.gluster.org/18539 (release-3.10)
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1502928
 	NOTE: Fixed by: http://git.gluster.org/cgit/glusterfs.git/commit/?id=1f48d17fee0cac95648ec34d13f038b27ef5c6ac
-CVE-2017-15095
+CVE-2017-15095 [Incomplete fixes for CVE-2017-7525]
 	RESERVED
+	- jackson-databind 2.9.1-1
+	NOTE: The Debian upload for stretch (2.8.6-1+deb9u1) and jessie (2.8.6-1+deb8u1)
+	NOTE: misses the further sets of blacklists, in particular as well
+	NOTE: https://github.com/FasterXML/jackson-databind/commit/3bfbb835
+	NOTE: which was already for CVE-2017-7525 but then the further tickets and patches
+	NOTE: to block more dangerous types (at leas they are):
+	NOTE: https://github.com/FasterXML/jackson-databind/issues/1680
+	NOTE: https://github.com/FasterXML/jackson-databind/issues/1723
+	NOTE: https://github.com/FasterXML/jackson-databind/issues/1737
+	NOTE: https://github.com/FasterXML/jackson-databind/commit/e8f043d1
+	NOTE: https://github.com/FasterXML/jackson-databind/commit/ddfddfba
+	NOTE: Details: http://www.openwall.com/lists/oss-security/2017/11/02/3
 CVE-2017-15094
 	RESERVED
 CVE-2017-15093
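Review bot: The NOTE lines added for CVE-2017-15095 carry a typo and an unclear clause that will confuse later readers of the tracker entry: "(at leas they are)" should read "(at least they are)", and "which was already for CVE-2017-7525 but then the further tickets and patches to block more dangerous types" does not say which upstream changes the Debian uploads actually lack. Suggest rewording the run of NOTEs so the commit 3bfbb835 is stated as part of the original CVE-2017-7525 fix, and the three issues (1680, 1723, 1737) and two commits (e8f043d1, ddfddfba) are stated as the follow-up blacklist additions missing from 2.8.6-1+deb9u1 and 2.8.6-1+deb8u1, so the entry itself records what a corrected stretch/jessie upload needs to include.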