[Git][security-tracker-team/security-tracker][master] Reserve DLA-3207-1 for jackson-databind

Markus Koschany (@apo) apo at debian.org
Sun Nov 27 18:50:24 GMT 2022



Markus Koschany pushed to branch master at Debian Security Tracker / security-tracker


Commits:
ce7864de by Markus Koschany at 2022-11-27T19:50:08+01:00
Reserve DLA-3207-1 for jackson-databind

- - - - -


3 changed files:

- data/CVE/list
- data/DLA/list
- data/dla-needed.txt


Changes:

=====================================
data/CVE/list
=====================================
@@ -55199,7 +55199,6 @@ CVE-2021-46708 (The swagger-ui-dist package before 4.1.3 for Node.js could allow
 CVE-2020-36518 (jackson-databind before 2.13.0 allows a Java StackOverflow exception a ...)
 	{DSA-5283-1 DLA-2990-1}
 	- jackson-databind 2.13.2.2-1 (bug #1007109)
-	[buster] - jackson-databind <no-dsa> (Minor issue)
 	NOTE: https://github.com/FasterXML/jackson-databind/issues/2816
 CVE-2018-25031 (Swagger UI before 4.1.3 could allow a remote attacker to conduct spoof ...)
 	- node-swagger-ui <itp> (bug #871461)
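
Review bot: the unchanged context line `{DSA-5283-1 DLA-2990-1}` under CVE-2020-36518 still omits DLA-3207-1, even though the data/DLA/list hunk in this commit lists CVE-2020-36518 under that advisory. With the `[buster] - jackson-databind <no-dsa> (Minor issue)` line removed, nothing in this entry ties buster to the new advisory. If this cross-reference line is edited by hand rather than regenerated from data/DLA/list, add DLA-3207-1 to it in the same commit.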


=====================================
data/DLA/list
=====================================
@@ -1,3 +1,6 @@
+[27 Nov 2022] DLA-3207-1 jackson-databind - security update
+	{CVE-2020-36518 CVE-2022-42003 CVE-2022-42004}
+	[buster] - jackson-databind 2.9.8-3+deb10u4
 [26 Nov 2022] DLA-3206-1 heimdal - security update
 	{CVE-2019-14870 CVE-2021-3671 CVE-2021-44758 CVE-2022-3437 CVE-2022-41916 CVE-2022-42898 CVE-2022-44640}
 	[buster] - heimdal 7.5.0+dfsg-3+deb10u1
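
Review bot: on the added `{CVE-2020-36518 CVE-2022-42003 CVE-2022-42004}` line, only CVE-2020-36518 has a matching change in data/CVE/list in this commit. Check that the CVE-2022-42003 and CVE-2022-42004 entries carry no `[buster]` triage annotation (such as the `<no-dsa>` line removed for CVE-2020-36518) that would contradict the 2.9.8-3+deb10u4 fix recorded here, and drop any such line in the same commit.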


=====================================
data/dla-needed.txt
=====================================
@@ -93,9 +93,6 @@ ini4j
   NOTE: 20221012: Programming language: Java.
   NOTE: 20221012: Require investigation (lamby)
 --
-jackson-databind (Markus Koschany)
-  NOTE: 20221030: Programming language: Java.
---
 jhead
   NOTE: 20221031: Programming language: C.
   NOTE: 20221031: Note that multiple options are vulnerable. The attacker have to trick someone to execute the command but arbitrary code exectuion is not good..



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/ce7864debc3bf998f83a9cf99927a672c729d72a
