[Git][security-tracker-team/security-tracker][master] Add three jackson-databind issues
Salvatore Bonaccorso
carnil at debian.org
Mon Mar 2 08:27:30 GMT 2020
Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
acc06707 by Salvatore Bonaccorso at 2020-03-02T09:24:50+01:00
Add three jackson-databind issues
Note those will be fixed at some point as well in the 2.10 series, but
with the default being safer upstream does not fix those right away in
the master branch and rather only in the older supported branches.
Likely we can mark those as no-dsa for stretch and buster as there is a
constant stream of such issues finding more gadgets to be blocked.
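The distinction the commit message draws, "Default Typing enabled" (the configuration these CVEs require) versus the safer default of the 2.10 series, is easiest to see side by side. The following Java is an added example, not code from the Debian tracker or from the jackson-databind project: it assumes a jackson-databind 2.10+ classpath, a hypothetical application package `com.example.events` with `Event` and `Detail` types, and constructed JSON inputs in which a JDK class (`java.util.HashMap`) stands in for the gadget classes the entries refer to.

```java
package com.example.events;   // assumed application package; the allowlist below keys on it

import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class DefaultTypingDemo {

    // Hypothetical application types. "payload" is declared as Object, so with
    // Default Typing active its concrete class is taken from a type id in the JSON.
    public static class Event {
        public String name;
        public Object payload;
    }

    public static class Detail {
        public String note;
    }

    // Constructed inputs. Default Typing writes the type id as a wrapper array
    // ["<class name>", <value>]. The first names a JDK class this application
    // never intended to accept; it stands in for the gadget classes the CVEs cover.
    static final String UNTRUSTED =
            "{\"name\":\"x\",\"payload\":[\"java.util.HashMap\",{\"k\":\"v\"}]}";
    static final String TRUSTED =
            "{\"name\":\"x\",\"payload\":[\"com.example.events.DefaultTypingDemo$Detail\",{\"note\":\"ok\"}]}";

    // Weak setting: classic Default Typing. Any class named in the document is
    // resolved and instantiated unless it is on the library's fixed denylist,
    // which is why each newly found gadget needs its own fix and CVE entry.
    // Deprecated since 2.10 but still present and still unsafe.
    @SuppressWarnings("deprecation")
    static ObjectMapper weakMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping();
        return m;
    }

    // Corrected setting: Default Typing gated by a PolymorphicTypeValidator (2.10+).
    // Only subtypes under the application's own package prefix may be named;
    // anything else is rejected whether or not it is a known gadget.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.events.")
                .build();
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(ptv);
        return m;
    }

    public static void main(String[] args) throws Exception {
        // The weak mapper honours the attacker-chosen class name.
        Event e1 = weakMapper().readValue(UNTRUSTED, Event.class);
        System.out.println("weak mapper instantiated " + e1.payload.getClass().getName());

        // The hardened mapper rejects the same document: java.util.HashMap is outside the allowlist.
        try {
            hardenedMapper().readValue(UNTRUSTED, Event.class);
            System.out.println("UNEXPECTED: untrusted type id accepted");
        } catch (JsonMappingException ex) {
            System.out.println("hardened mapper rejected: " + ex.getOriginalMessage());
        }

        // The hardened mapper still deserialises the application's own polymorphic type.
        Event e2 = hardenedMapper().readValue(TRUSTED, Event.class);
        System.out.println("hardened mapper accepted " + ((Detail) e2.payload).note);
    }
}
```

The allowlist is the point: the hardened mapper does not depend on upstream having blocked a particular gadget class, which is exactly why a 2.10 deployment that never calls `enableDefaultTyping()` or an equivalent is not exposed to this stream of issues, while one that does remains exposed however recent the library.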
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -4,11 +4,20 @@ CVE-2020-9549 (In PDFResurrect 0.12 through 0.19, get_type in pdf.c has an out-o
- pdfresurrect <unfixed>
NOTE: https://github.com/enferex/pdfresurrect/issues/8
CVE-2020-9548 (FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interact ...)
- TODO: check
+ - jackson-databind <unfixed>
+ NOTE: https://github.com/FasterXML/jackson-databind/issues/2634
+ NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by
+ NOTE: but still an issue when Default Typing is enabled.
CVE-2020-9547 (FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interact ...)
- TODO: check
+ - jackson-databind <unfixed>
+ NOTE: https://github.com/FasterXML/jackson-databind/issues/2634
+ NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by
+ NOTE: but still an issue when Default Typing is enabled.
CVE-2020-9546 (FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interact ...)
- TODO: check
+ - jackson-databind <unfixed>
+ NOTE: https://github.com/FasterXML/jackson-databind/issues/2631
+ NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by
+ NOTE: but still an issue when Default Typing is enabled.
CVE-2020-9545 (Pale Moon 28.8.x before 28.8.4 has a segmentation fault related to mod ...)
TODO: check
CVE-2020-9544
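Review bot: the three added lines `NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by` stop mid-sentence, so the following `NOTE: but still an issue when Default Typing is enabled.` has nothing to attach to; complete each one ("enabled by default" is what the commit message's "with the default being safer" describes) so the rationale survives in the entries themselves. Also, the commit message anticipates marking these no-dsa for stretch and buster, but the hunk records only `- jackson-databind <unfixed>` for CVE-2020-9548, CVE-2020-9547 and CVE-2020-9546 with no per-suite annotation; if that decision stands, the suite entries belong here next to the `<unfixed>` lines so the data matches the stated reasoning.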
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/acc06707f7a256a6707b5ec0f8a4db50493e4481