[Git][security-tracker-team/security-tracker][master] more jackson-databind fixes

Moritz Muehlenhoff jmm at debian.org
Mon Jan 18 16:21:22 GMT 2021



Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
8a48bd3e by Moritz Muehlenhoff at 2021-01-18T17:20:59+01:00
more jackson-databind fixes

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -5382,54 +5382,61 @@ CVE-2020-36186 (FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the in
 	NOTE: but still an issue when Default Typing is enabled.
 	NOTE: https://github.com/FasterXML/jackson-databind/commit/3e8fa3beea49ea62109df9e643c9cb678dabdde1
 CVE-2020-36185 (FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interact ...)
-	- jackson-databind <unfixed>
+	- jackson-databind 2.12.1-1
 	[buster] - jackson-databind <no-dsa> (Minor issue)
 	[stretch] - jackson-databind <no-dsa> (Minor issue)
 	NOTE: https://github.com/FasterXML/jackson-databind/issues/2998
 	NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default
 	NOTE: but still an issue when Default Typing is enabled.
+	NOTE: https://github.com/FasterXML/jackson-databind/commit/567194c53ae91f0a14dc27239afb739b1c10448a
 CVE-2020-36184 (FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interact ...)
-	- jackson-databind <unfixed>
+	- jackson-databind 2.12.1-1
 	[buster] - jackson-databind <no-dsa> (Minor issue)
 	[stretch] - jackson-databind <no-dsa> (Minor issue)
 	NOTE: https://github.com/FasterXML/jackson-databind/issues/2998
 	NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default
 	NOTE: but still an issue when Default Typing is enabled.
+	NOTE: https://github.com/FasterXML/jackson-databind/commit/567194c53ae91f0a14dc27239afb739b1c10448a
 CVE-2020-36183 (FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interact ...)
-	- jackson-databind <unfixed>
+	- jackson-databind 2.12.1-1
 	[buster] - jackson-databind <no-dsa> (Minor issue)
 	[stretch] - jackson-databind <no-dsa> (Minor issue)
 	NOTE: https://github.com/FasterXML/jackson-databind/issues/3003
 	NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default
 	NOTE: but still an issue when Default Typing is enabled.
+	NOTE: https://github.com/FasterXML/jackson-databind/commit/1cddeaf9524e903d08a91fdd9f3dde46d2a68536
 CVE-2020-36182 (FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interact ...)
-	- jackson-databind <unfixed>
+	- jackson-databind 2.12.1-1
 	[buster] - jackson-databind <no-dsa> (Minor issue)
 	[stretch] - jackson-databind <no-dsa> (Minor issue)
 	NOTE: https://github.com/FasterXML/jackson-databind/issues/3004
 	NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default
 	NOTE: but still an issue when Default Typing is enabled.
+	NOTE: https://github.com/FasterXML/jackson-databind/commit/3ded28aece694d0df39c9f0fa1ff385b14a8656b
 CVE-2020-36181 (FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interact ...)
-	- jackson-databind <unfixed>
+	- jackson-databind 2.12.1-1
 	[buster] - jackson-databind <no-dsa> (Minor issue)
 	[stretch] - jackson-databind <no-dsa> (Minor issue)
 	NOTE: https://github.com/FasterXML/jackson-databind/issues/3004
 	NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default
 	NOTE: but still an issue when Default Typing is enabled.
+	NOTE: https://github.com/FasterXML/jackson-databind/commit/3ded28aece694d0df39c9f0fa1ff385b14a8656b
 CVE-2020-36180 (FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interact ...)
-	- jackson-databind <unfixed>
+	- jackson-databind 2.12.1-1
 	[buster] - jackson-databind <no-dsa> (Minor issue)
 	[stretch] - jackson-databind <no-dsa> (Minor issue)
 	NOTE: https://github.com/FasterXML/jackson-databind/issues/3004
 	NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default
 	NOTE: but still an issue when Default Typing is enabled.
+	NOTE: https://github.com/FasterXML/jackson-databind/commit/3ded28aece694d0df39c9f0fa1ff385b14a8656b
 CVE-2020-36179 (FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interact ...)
-	- jackson-databind <unfixed>
+	- jackson-databind 2.12.1-1
 	[buster] - jackson-databind <no-dsa> (Minor issue)
 	[stretch] - jackson-databind <no-dsa> (Minor issue)
 	NOTE: https://github.com/FasterXML/jackson-databind/issues/3004
 	NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default
 	NOTE: but still an issue when Default Typing is enabled.
+	NOTE: https://github.com/FasterXML/jackson-databind/commit/3ded28aece694d0df39c9f0fa1ff385b14a8656b
 CVE-2020-36178 (oal_ipt_addBridgeIsolationRules on TP-Link TL-WR840N 6_EU_0.9.1_4.16 d ...)
 	NOT-FOR-US: TP-Link
 CVE-2021-3029 (** UNSUPPORTED WHEN ASSIGNED ** EVOLUCARE ECSIMAGING (aka ECS Imaging) ...)
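Review bot: Several of the added commit NOTEs in this hunk are shared between entries: CVE-2020-36185 and CVE-2020-36184 both get commit 567194c, and CVE-2020-36182 through CVE-2020-36179 all get commit 3ded28a. That lines up with the shared issue numbers (2998 and 3004), but the descriptions are truncated here, so the affected classes are not visible. Please confirm that each commit covers every class named in the CVEs citing it before all of them are marked fixed in 2.12.1-1.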
@@ -9008,12 +9015,13 @@ CVE-2020-35730 (An XSS issue was discovered in Roundcube Webmail before 1.2.13,
 CVE-2020-35729 (KLog Server 2.4.1 allows OS command injection via shell metacharacters ...)
 	NOT-FOR-US: KLog Server
 CVE-2020-35728 (FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interact ...)
-	- jackson-databind <unfixed>
+	- jackson-databind 2.12.1-1
 	[buster] - jackson-databind <no-dsa> (Minor issue)
 	[stretch] - jackson-databind <no-dsa> (Minor issue)
 	NOTE: https://github.com/FasterXML/jackson-databind/issues/2999
 	NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default
 	NOTE: but still an issue when Default Typing is enabled.
+	NOTE: https://github.com/FasterXML/jackson-databind/commit/1ca0388c2fb37ac6a06f1c188ae89c41e3e15e84
 CVE-2020-35727 (** UNSUPPORTED WHEN ASSIGNED ** Reflected XSS in Quest Policy Authorit ...)
 	NOT-FOR-US: Quest Policy Authority
 CVE-2020-35726 (** UNSUPPORTED WHEN ASSIGNED ** Reflected XSS in Quest Policy Authorit ...)
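Review bot: The added commit NOTE for CVE-2020-35728 is a bare URL, while the description speaks of the 2.9 line (before 2.9.10.8) and the fixed version recorded is 2.12.1-1. A trailing parenthetical on the NOTE naming the upstream release or branch that contains commit 1ca0388 would tell anyone revisiting the [buster] and [stretch] <no-dsa> lines whether it applies to the series they ship.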
@@ -12374,19 +12382,21 @@ CVE-2020-35492 [cairo: libreoffice slideshow aborts with stack smashing in cairo
 	NOTE: Additional meson support (test): https://gitlab.freedesktop.org/cairo/cairo/-/commit/0677e0a94968447e132c69f58cb04e5377e0c828
 	NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1898396
 CVE-2020-35491 (FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interact ...)
-	- jackson-databind <unfixed>
+	- jackson-databind 2.12.1-1
 	[buster] - jackson-databind <no-dsa> (Minor issue)
 	[stretch] - jackson-databind <no-dsa> (Minor issue)
 	NOTE: https://github.com/FasterXML/jackson-databind/issues/2986
 	NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default
 	NOTE: but still an issue when Default Typing is enabled.
+	NOTE: https://github.com/FasterXML/jackson-databind/commit/41b8bdb5ccc1d8edb71acf1c8234da235a24249d
 CVE-2020-35490 (FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interact ...)
-	- jackson-databind <unfixed>
+	- jackson-databind 2.12.1-1
 	[buster] - jackson-databind <no-dsa> (Minor issue)
 	[stretch] - jackson-databind <no-dsa> (Minor issue)
 	NOTE: https://github.com/FasterXML/jackson-databind/issues/2986
 	NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default
 	NOTE: but still an issue when Default Typing is enabled.
+	NOTE: https://github.com/FasterXML/jackson-databind/commit/41b8bdb5ccc1d8edb71acf1c8234da235a24249d
 CVE-2020-35489 (The contact-form-7 (aka Contact Form 7) plugin before 5.3.2 for WordPr ...)
 	NOT-FOR-US: contact-form-7 (aka Contact Form 7) plugin for WordPress
 CVE-2021-20065
@@ -29866,12 +29876,13 @@ CVE-2020-24752
 CVE-2020-24751
 	RESERVED
 CVE-2020-24750 (FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interact ...)
-	- jackson-databind <unfixed>
+	- jackson-databind 2.12.1-1
 	[buster] - jackson-databind <no-dsa> (Minor issue)
 	[stretch] - jackson-databind <no-dsa> (Minor issue)
 	NOTE: https://github.com/FasterXML/jackson-databind/issues/2798
 	NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default
 	NOTE: but still an issue when Default Typing is enabled.
+	NOTE: https://github.com/FasterXML/jackson-databind/commit/6cc9f1a1af323cd156f5668a47e43bab324ae16f
 CVE-2020-24749
 	RESERVED
 CVE-2020-24748
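Review bot: For CVE-2020-24750 the description gives 2.9.10.6 as the upstream fix point, earlier than the 2.9.10.8 cited for the other entries touched by this commit, yet the entry gets the same fixed version 2.12.1-1. If an earlier upload to unstable already contained commit 6cc9f1a, that version should be recorded instead of 2.12.1-1, so the entry reflects the first fixed upload. The same check applies to CVE-2020-24616 in the next hunk.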
@@ -30160,12 +30171,13 @@ CVE-2020-24618 (In JetBrains YouTrack versions before 2020.3.4313, 2020.2.11008,
 CVE-2020-24617
 	RESERVED
 CVE-2020-24616 (FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interact ...)
-	- jackson-databind <unfixed>
+	- jackson-databind 2.12.1-1
 	[buster] - jackson-databind <no-dsa> (Minor issue)
 	[stretch] - jackson-databind <no-dsa> (Minor issue)
 	NOTE: https://github.com/FasterXML/jackson-databind/issues/2814
 	NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default
 	NOTE: but still an issue when Default Typing is enabled.
+	NOTE: https://github.com/FasterXML/jackson-databind/commit/3d97153944f7de9c19c1b3637b33d3cf1fbbe4d7
 CVE-2020-24615 (Pexip Infinity before 24.1 has Improper Input Validation, leading to t ...)
 	NOT-FOR-US: Pexip Infinity
 CVE-2020-24613 (wolfSSL before 4.5.0 mishandles TLS 1.3 server data in the WAIT_CERT_C ...)



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/8a48bd3eada094e566d01bb77df5ca523d245c9b
