[Git][security-tracker-team/security-tracker][master] 2 commits: Add CVE-2020-1067{2,3}/jackson-databind

Salvatore Bonaccorso carnil at debian.org
Fri Mar 20 09:24:00 GMT 2020



Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
fbde321e by Salvatore Bonaccorso at 2020-03-20T10:21:23+01:00
Add CVE-2020-1067{2,3}/jackson-databind

Again, the issue is mitigated in the 2.10 branches, but will be fixed
source-wise there as well once the fixes are merged in the appropriate
branches upstream. The issue is mitigated as Safe Default Typing is enabled by
default.

- - - - -
d1e92dcc by Salvatore Bonaccorso at 2020-03-20T10:23:31+01:00
Fix wording in NOTE

- - - - -
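The mitigation the commit message refers to is that jackson-databind 2.10 no longer lets default typing be switched on without a PolymorphicTypeValidator. The following is an added example written for this page, not code from the commit or from the jackson-databind project; the class names `DefaultTypingDemo`, `Widget` and `Settings` and both JSON payloads are constructed for the demonstration. It puts the pre-2.10 style `enableDefaultTyping()` (kept in 2.10 as deprecated) beside the 2.10 `activateDefaultTyping(PolymorphicTypeValidator, ...)` form, and shows that a type id naming an arbitrary classpath class is honoured by the first and rejected by the second before anything is instantiated.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class DefaultTypingDemo {

    // Hypothetical application types (not from jackson-databind).
    public static class Widget { public String name; }
    // An Object-typed property: with DefaultTyping.NON_FINAL the type id
    // embedded in the JSON decides which class gets instantiated here.
    public static class Settings { public Object payload; }

    // Constructed payloads. The type id is Class.getName(), so the nested
    // class is addressed as "DefaultTypingDemo$Widget".
    static final String EXPECTED  = "{\"payload\":[\"DefaultTypingDemo$Widget\",{\"name\":\"a\"}]}";
    static final String ARBITRARY = "{\"payload\":[\"java.util.HashMap\",{}]}";

    // Pre-2.10 style: default typing with no allow-list. Any class on the
    // classpath (minus the upstream blocklist) may be named in the type id,
    // which is what each of the tracked CVEs exploits with a new gadget class.
    @SuppressWarnings("deprecation")
    static ObjectMapper legacyMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL);
        return m;
    }

    // 2.10 "Safe Default Typing": activateDefaultTyping() requires a
    // PolymorphicTypeValidator; only sub-types the validator allows are loaded.
    static ObjectMapper safeMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(Widget.class)   // explicit allow-list
                .build();
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return m;
    }

    // Returns the runtime class of the deserialised payload, or "REJECTED"
    // when the type id is refused by the validator.
    static String deserialise(ObjectMapper mapper, String json) throws Exception {
        try {
            Settings s = mapper.readValue(json, Settings.class);
            return s.payload.getClass().getName();
        } catch (InvalidTypeIdException e) {
            return "REJECTED";
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("legacy, expected : " + deserialise(legacyMapper(), EXPECTED));
        System.out.println("legacy, arbitrary: " + deserialise(legacyMapper(), ARBITRARY));
        System.out.println("safe,   expected : " + deserialise(safeMapper(), EXPECTED));
        System.out.println("safe,   arbitrary: " + deserialise(safeMapper(), ARBITRARY));
    }
}
```

Compile against jackson-databind 2.10.x (the `activateDefaultTyping` API does not exist in 2.9). The legacy mapper instantiates `java.util.HashMap` from the type id; the validator-backed mapper refuses it with `InvalidTypeIdException`, which is the behaviour the "mitigated as Safe Default Typing is enabled by default" notes rely on. The notes' caveat applies unchanged: an application that keeps calling `enableDefaultTyping()` on 2.10 is still exposed to every gadget not yet on the upstream blocklist.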


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -17,9 +17,15 @@ CVE-2020-10676
 CVE-2020-10675 (The Library API in buger jsonparser through 2019-12-04 allows attacker ...)
 	TODO: check
 CVE-2020-10673 (FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interact ...)
-	TODO: check
+	- jackson-databind <unfixed>
+	NOTE: https://github.com/FasterXML/jackson-databind/issues/2660
+	NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default
+	NOTE: but still an issue when Default Typing is enabled.
 CVE-2020-10672 (FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interact ...)
-	TODO: check
+	- jackson-databind <unfixed>
+	NOTE: https://github.com/FasterXML/jackson-databind/issues/2659
+	NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default
+	NOTE: but still an issue when Default Typing is enabled.
 CVE-2020-10671 (The Canon Oce Colorwave 500 4.0.0.0 printer's web application is missi ...)
 	NOT-FOR-US: Canon
 CVE-2020-10670 (The web application exposed by the Canon Oce Colorwave 500 4.0.0.0 pri ...)
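Review bot: the two new entries (CVE-2020-10673, CVE-2020-10672) record only the upstream issue URL, while the other jackson-databind entries touched in this patch (CVE-2020-8840, CVE-2019-17531) also carry a NOTE with the fixing commit; add the corresponding 2.9.10.4 fix commit to each once identified so the <unfixed> state can be rechecked against the source. Since the description already says "before 2.9.10.4", a NOTE naming that upstream fixed version would also make clear that the outstanding work is the source-level fix in the 2.10 branches mentioned in the commit message.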
@@ -2483,19 +2489,19 @@ CVE-2020-9548 (FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the int
 	{DLA-2135-1}
 	- jackson-databind <unfixed>
 	NOTE: https://github.com/FasterXML/jackson-databind/issues/2634
-	NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by
+	NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default
 	NOTE: but still an issue when Default Typing is enabled.
 CVE-2020-9547 (FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interact ...)
 	{DLA-2135-1}
 	- jackson-databind <unfixed>
 	NOTE: https://github.com/FasterXML/jackson-databind/issues/2634
-	NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by
+	NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default
 	NOTE: but still an issue when Default Typing is enabled.
 CVE-2020-9546 (FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interact ...)
 	{DLA-2135-1}
 	- jackson-databind <unfixed>
 	NOTE: https://github.com/FasterXML/jackson-databind/issues/2631
-	NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by
+	NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default
 	NOTE: but still an issue when Default Typing is enabled.
 CVE-2020-9545 (Pale Moon 28.x before 28.8.4 has a segmentation fault related to modul ...)
 	NOT-FOR-US: Pale Moon
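Review bot: CVE-2020-9548 and CVE-2020-9547 both point at issue 2634 while CVE-2020-9546 points at 2631; if 2634 indeed covers two gadget types this is correct, but a short NOTE saying so would keep the shared URL from reading as a copy-paste slip. The "enabled by default" completion is applied consistently to all three entries.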
@@ -4147,7 +4153,7 @@ CVE-2020-8840 (FasterXML jackson-databind 2.0.0 through 2.9.10.2 lacks certain x
 	- jackson-databind <unfixed>
 	NOTE: https://github.com/FasterXML/jackson-databind/issues/2620
 	NOTE: https://github.com/FasterXML/jackson-databind/commit/914e7c9f2cb8ce66724bf26a72adc7e958992497
-	NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by
+	NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default
 	NOTE: but still an issue when Default Typing is enabled.
 CVE-2020-8839 (Stored XSS was discovered on CHIYU BF-430 232/485 TCP/IP Converter dev ...)
 	NOT-FOR-US: CHIYU BF-430 232/485 TCP/IP Converter devices
@@ -30411,7 +30417,7 @@ CVE-2019-17531 (A Polymorphic Typing issue was discovered in FasterXML jackson-d
 	- jackson-databind 2.10.1-1
 	NOTE: https://github.com/FasterXML/jackson-databind/issues/2498
 	NOTE: https://github.com/FasterXML/jackson-databind/commit/b5a304a98590b6bb766134f9261e6566dcbbb6d0
-	NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by
+	NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default
 	NOTE: but still an issue when Default Typing is enabled.
 CVE-2019-17530 (An issue was discovered in Bento4 1.5.1.0. There is a heap-based buffe ...)
 	NOT-FOR-US: Bento4
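Review bot: CVE-2019-17531 is recorded as fixed in 2.10.1-1 (with the fixing commit linked), yet it keeps the same "but still an issue when Default Typing is enabled" NOTE as the <unfixed> entries; for an entry with a fixed version that wording describes the pre-fix state of the 2.10 series and is misleading. Consider trimming it to the mitigation sentence or dropping the NOTE for fixed entries.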



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/eae400f38105df0e98582ba225657c5890be5833...d1e92dcc9447e8da9e722ad440e9d4c4035ee726
