[Git][java-team/jackson-databind][jessie] 2 commits: Import Debian changes 2.4.2-2+deb8u8
Markus Koschany
gitlab at salsa.debian.org
Sat Oct 5 17:52:01 BST 2019
Markus Koschany pushed to branch jessie at Debian Java Maintainers / jackson-databind
Commits:
16013628 by Roberto C. Sanchez at 2019-10-05T16:50:17Z
Import Debian changes 2.4.2-2+deb8u8
jackson-databind (2.4.2-2+deb8u8) jessie-security; urgency=high
* Non-maintainer upload by the LTS team.
* Fix CVE-2019-14379, CVE-2019-14439:
Deserialization flaws were discovered in jackson-databind relating to
EHCache and logback/jndi, which could allow an unauthenticated user to
perform remote code execution. The issue was resolved by extending the
blacklist and blocking more classes from polymorphic deserialization.
(Closes: #933393)
- - - - -
a64fd489 by Markus Koschany at 2019-10-05T16:51:41Z
Import Debian changes 2.4.2-2+deb8u9
jackson-databind (2.4.2-2+deb8u9) jessie-security; urgency=high
* Non-maintainer upload by the LTS team.
* Fix CVE-2019-14540, CVE-2019-16335, CVE-2019-16942 and CVE-2019-16943.
Deserialization flaws were discovered in jackson-databind relating to
com.zaxxer.hikari.HikariConfig, com.zaxxer.hikari.HikariDataSource,
commons-dbcp and com.p6spy.engine.spy.P6DataSource, which could allow an
unauthenticated user to perform remote code execution. The issue was
resolved by extending the blacklist and blocking more classes from
polymorphic deserialization.
- - - - -
7 changed files:
- debian/changelog
- + debian/patches/CVE-2019-14379_CVE-2019-14439.patch
- + debian/patches/CVE-2019-14540.patch
- + debian/patches/CVE-2019-16335.patch
- + debian/patches/CVE-2019-16942-and-CVE-2019-16943.patch
- + debian/patches/More-Polymorhpic-Typing-issue-fixes.patch
- debian/patches/series
Changes:
=====================================
debian/changelog
=====================================
@@ -1,3 +1,28 @@
+jackson-databind (2.4.2-2+deb8u9) jessie-security; urgency=high
+
+ * Non-maintainer upload by the LTS team.
+ * Fix CVE-2019-14540, CVE-2019-16335, CVE-2019-16942 and CVE-2019-16943.
+ Deserialization flaws were discovered in jackson-databind relating to
+ com.zaxxer.hikari.HikariConfig, com.zaxxer.hikari.HikariDataSource,
+ commons-dbcp and com.p6spy.engine.spy.P6DataSource, which could allow an
+ unauthenticated user to perform remote code execution. The issue was
+ resolved by extending the blacklist and blocking more classes from
+ polymorphic deserialization.
+
+ -- Markus Koschany <apo at debian.org> Wed, 02 Oct 2019 21:36:21 +0200
+
+jackson-databind (2.4.2-2+deb8u8) jessie-security; urgency=high
+
+ * Non-maintainer upload by the LTS team.
+ * Fix CVE-2019-14379, CVE-2019-14439:
+ Deserialization flaws were discovered in jackson-databind relating to
+ EHCache and logback/jndi, which could allow an unauthenticated user to
+ perform remote code execution. The issue was resolved by extending the
+ blacklist and blocking more classes from polymorphic deserialization.
+ (Closes: #933393)
+
+ -- Roberto C. Sanchez <roberto at debian.org> Mon, 12 Aug 2019 17:40:56 -0400
+
jackson-databind (2.4.2-2+deb8u7) jessie-security; urgency=high
* Non-maintainer upload by the LTS team.
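Review bot: the deb8u9 entry at the top of this hunk lists four CVEs and four classes, but the patches added in the same upload also deny org.apache.cxf.jaxrs.provider.XSLTJaxbProvider (inside CVE-2019-14540.patch) and the commons-configuration JNDIConfiguration and xalan JNDIConnectionPool entries (More-Polymorhpic-Typing-issue-fixes.patch, "CVE not yet assigned"). Add a bullet for those, e.g. " * Also block further gadget classes (databind#2420, #2462, #2469); no CVE assigned yet.", so the changelog matches what the package actually ships and the later CVE assignment has an entry to attach to.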
=====================================
debian/patches/CVE-2019-14379_CVE-2019-14439.patch
=====================================
@@ -0,0 +1,28 @@
+From ad418eeb974e357f2797aef64aa0e3ffaaa6125b Mon Sep 17 00:00:00 2001
+From: Tatu Saloranta <tatu.saloranta at iki.fi>
+Date: Thu, 25 Jul 2019 21:58:11 -0700
+Subject: [PATCH] Backport #2387, #2389 fixes
+
+Bug-Debian: https://bugs.debian.org/933393
+Bug-Upstream: https://github.com/FasterXML/jackson-databind/issues/2387
+Bug-Upstream: https://github.com/FasterXML/jackson-databind/issues/2389
+Origin: https://github.com/FasterXML/jackson-databind/commit/ad418eeb974e357f2797aef64aa0e3ffaaa6125b
+---
+ .../jackson/databind/jsontype/impl/SubTypeValidator.java | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- jackson-databind.git.orig/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
++++ jackson-databind.git/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
+@@ -116,6 +116,12 @@
+ s.add("org.jdom.transform.XSLTransformer");
+ s.add("org.jdom2.transform.XSLTransformer");
+
++ // [databind#2387]: EHCache
++ s.add("net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup");
++
++ // [databind#2389]: logback/jndi
++ s.add("ch.qos.logback.core.db.JNDIConnectionSource");
++
+ DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
+ }
+
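Review bot: the diffstat kept from the upstream commit (".../jackson/databind/jsontype/impl/SubTypeValidator.java | 6 ++++++") does not describe this patch, which edits src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java, where the 2.4.2 line keeps DEFAULT_NO_DESER_CLASS_NAMES. Regenerate the stat or drop it, and add a sentence under Subject saying the upstream hunk was relocated from SubTypeValidator to BeanDeserializerFactory, so whoever rebases this patch next does not go looking for the wrong file. The hunk itself is consistent: @@ -116,6 +116,12 @@ adds six lines between the jdom2 entry and the Collections.unmodifiableSet(s) call.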
=====================================
debian/patches/CVE-2019-14540.patch
=====================================
@@ -0,0 +1,27 @@
+From: Markus Koschany <apo at debian.org>
+Date: Wed, 2 Oct 2019 19:28:36 +0200
+Subject: CVE-2019-14540
+
+Bug-Debian: https://bugs.debian.org/940498
+Origin: https://github.com/FasterXML/jackson-databind/commit/d4983c740fec7d5576b207a8c30a63d3ea7443de
+---
+ .../fasterxml/jackson/databind/deser/BeanDeserializerFactory.java | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
+index 4e044e2..287c4ef 100644
+--- a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
++++ b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
+@@ -122,6 +122,12 @@ public class BeanDeserializerFactory
+ // [databind#2389]: logback/jndi
+ s.add("ch.qos.logback.core.db.JNDIConnectionSource");
+
++ // [databind#2410]: HikariCP/metricRegistry config
++ s.add("com.zaxxer.hikari.HikariConfig");
++
++ // [databind#2420]: CXF/JAX-RS provider/XSLT
++ s.add("org.apache.cxf.jaxrs.provider.XSLTJaxbProvider");
++
+ DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
+ }
+
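Review bot: the file name, Subject and Bug-Debian all refer to CVE-2019-14540, but the second entry added here ("// [databind#2420]: CXF/JAX-RS provider/XSLT", org.apache.cxf.jaxrs.provider.XSLTJaxbProvider) is a separate upstream issue that neither the changelog nor the header mentions. Either add a Bug-Upstream line for databind#2420 next to the Origin commit or split that entry into its own patch, so an audit of which CVE is fixed by which patch can follow the trail.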
=====================================
debian/patches/CVE-2019-16335.patch
=====================================
@@ -0,0 +1,24 @@
+From: Markus Koschany <apo at debian.org>
+Date: Wed, 2 Oct 2019 19:29:45 +0200
+Subject: CVE-2019-16335
+
+Bug-Debian: https://bugs.debian.org/940498
+Origin: https://github.com/FasterXML/jackson-databind/commit/73c1c2cc76e6cdd7f3a5615cbe3207fe96e4d3db
+---
+ .../com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
+index 287c4ef..4bc0cc7 100644
+--- a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
++++ b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
+@@ -125,6 +125,9 @@ public class BeanDeserializerFactory
+ // [databind#2410]: HikariCP/metricRegistry config
+ s.add("com.zaxxer.hikari.HikariConfig");
+
++ // [databind#2449]: and sub-class thereof
++ s.add("com.zaxxer.hikari.HikariDataSource");
++
+ // [databind#2420]: CXF/JAX-RS provider/XSLT
+ s.add("org.apache.cxf.jaxrs.provider.XSLTJaxbProvider");
+
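Review bot: the comment "// [databind#2449]: and sub-class thereof" only reads correctly while it sits directly under the HikariConfig entry from the previous patch; spell it out, e.g. "// [databind#2449]: HikariDataSource, subclass of HikariConfig". The entry is also a good reminder of the limit of this mitigation: DEFAULT_NO_DESER_CLASS_NAMES is matched by exact class name, so a subclass of an already denied class stays deserializable until it gets its own line, which is precisely why this follow-up was needed after CVE-2019-14540.patch.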
=====================================
debian/patches/CVE-2019-16942-and-CVE-2019-16943.patch
=====================================
@@ -0,0 +1,25 @@
+From: Markus Koschany <apo at debian.org>
+Date: Wed, 2 Oct 2019 19:38:13 +0200
+Subject: CVE-2019-16942 and CVE-2019-16943
+
+Bug-Debian: https://bugs.debian.org/941530
+Origin: https://github.com/FasterXML/jackson-databind/commit/9593e16cf5a3d289a9c584f7123639655de9ddac
+---
+ .../com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
+index 4bc0cc7..57cc035 100644
+--- a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
++++ b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
+@@ -131,6 +131,10 @@ public class BeanDeserializerFactory
+ // [databind#2420]: CXF/JAX-RS provider/XSLT
+ s.add("org.apache.cxf.jaxrs.provider.XSLTJaxbProvider");
+
++ // [databind#2478]: comons-dbcp, p6spy
++ s.add("org.apache.commons.dbcp.datasources.SharedPoolDataSource");
++ s.add("com.p6spy.engine.spy.P6DataSource");
++
+ DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
+ }
+
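Review bot: "// [databind#2478]: comons-dbcp, p6spy" misspells commons-dbcp; if the comment is copied verbatim from the upstream commit keep it identical for easier rebasing, otherwise fix it here. Note also that only org.apache.commons.dbcp.datasources.SharedPoolDataSource is denied, while the changelog says "commons-dbcp" as if the whole library were covered; name the class in the changelog, as was done for the Hikari and p6spy entries.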
=====================================
debian/patches/More-Polymorhpic-Typing-issue-fixes.patch
=====================================
@@ -0,0 +1,27 @@
+From: Markus Koschany <apo at debian.org>
+Date: Wed, 2 Oct 2019 19:38:53 +0200
+Subject: More Polymorhpic-Typing issue fixes
+
+CVE not yet assigned
+---
+ .../fasterxml/jackson/databind/deser/BeanDeserializerFactory.java | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
+index 57cc035..39a8ee4 100644
+--- a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
++++ b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
+@@ -131,6 +131,13 @@ public class BeanDeserializerFactory
+ // [databind#2420]: CXF/JAX-RS provider/XSLT
+ s.add("org.apache.cxf.jaxrs.provider.XSLTJaxbProvider");
+
++ // [databind#2462]: commons-configuration / -2
++ s.add("org.apache.commons.configuration.JNDIConfiguration");
++ s.add("org.apache.commons.configuration2.JNDIConfiguration");
++
++ // [databind#2469]: xalan2
++ s.add("org.apache.xalan.lib.sql.JNDIConnectionPool");
++
+ // [databind#2478]: comons-dbcp, p6spy
+ s.add("org.apache.commons.dbcp.datasources.SharedPoolDataSource");
+ s.add("com.p6spy.engine.spy.P6DataSource");
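Review bot: the header has no Origin or Bug-Upstream line even though the two comments cite [databind#2462] and [databind#2469]; add the upstream issue URLs, as the other patches in this series do, so the "CVE not yet assigned" marker can be resolved later. "Polymorhpic" in Subject and in the file name is a typo for "Polymorphic"; renaming the file requires the matching debian/patches/series entry to change in the same commit. The hunk header @@ -131,6 +131,13 @@ is right for six context lines plus seven additions, and the trailing context (the #2478 lines) shows this patch must stay ordered after CVE-2019-16942-and-CVE-2019-16943.patch.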
=====================================
debian/patches/series
=====================================
@@ -13,3 +13,8 @@ CVE-2018-19360.patch
CVE-2019-12086.patch
CVE-2019-12384.patch
CVE-2019-12814.patch
+CVE-2019-14379_CVE-2019-14439.patch
+CVE-2019-14540.patch
+CVE-2019-16335.patch
+CVE-2019-16942-and-CVE-2019-16943.patch
+More-Polymorhpic-Typing-issue-fixes.patch
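Review bot: the order of the five new entries is load-bearing. Each patch's context lines contain the entries added by the one before it, and the index lines chain 4e044e2 -> 287c4ef -> 4bc0cc7 -> 57cc035 -> 39a8ee4, so reordering any of them breaks quilt push; CVE-2019-14379_CVE-2019-14439.patch carries no index line at all and relies on context alone. A short comment in series is not possible, so record the dependency in the patch headers. The misspelled More-Polymorhpic-Typing-issue-fixes.patch name is reproduced here; rename it together with the file if it is corrected.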
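The changelog entries above describe every fix the same way: one more gadget class appended to a name-based denylist consulted during polymorphic deserialization. The following added example is not code from jackson-databind or from the Debian package; it shows why that denylist is only a stopgap and what the allowlist alternative looks like. It assumes jackson-databind 2.10 or newer on the classpath (activateDefaultTyping and PolymorphicTypeValidator do not exist in the 2.4.2 line patched above), and the Settings and Point types and both JSON payloads are constructed for the demonstration. The "hostile" payload deliberately names a harmless JDK class: the point is that the sender, not the application, picks what gets instantiated, and a real attacker would name one of the classes the patches deny.

```java
import java.io.IOException;

import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

/*
 * Added illustration, not jackson-databind's or Debian's code.
 * Assumes jackson-databind 2.10+ (activateDefaultTyping / PolymorphicTypeValidator).
 */
public class PolymorphicTypingDemo {

    /* Hypothetical application type. 'final' matters: with NON_FINAL default
     * typing a non-final root type would itself require a type id. */
    public static final class Settings {
        public Object value;   // Object-typed property: the JSON decides the class
    }

    /* The one subtype we legitimately want to accept for 'value'. */
    public static final class Point {
        public int x;
        public int y;
    }

    /* Constructed inputs. The first names a class the application never
     * intended to accept here; the second is the expected shape. */
    static final String SENDER_PICKS_CLASS =
        "{\"value\":[\"java.util.HashMap\",{\"k\":\"v\"}]}";
    static final String EXPECTED_POINT =
        "{\"value\":[\"PolymorphicTypingDemo$Point\",{\"x\":1,\"y\":2}]}";

    /* Pre-2.10 style: global default typing guarded only by the built-in
     * class-name denylist, i.e. the mechanism the patches above extend. */
    @SuppressWarnings("deprecation")
    static ObjectMapper legacyMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL);
        return m;
    }

    /* Allowlist: only Point (and subclasses of it) may appear as a type id.
     * Any other name is refused before a constructor or setter runs, whether
     * or not a denylist has ever heard of it. */
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
            .allowIfSubType(Point.class)
            .build();
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return m;
    }

    /* Returns the runtime class Jackson instantiated for 'value', or null
     * when the mapper refused the type id. */
    static Class<?> resolvedClass(ObjectMapper mapper, String json) throws IOException {
        try {
            Settings s = mapper.readValue(json, Settings.class);
            return s.value == null ? null : s.value.getClass();
        } catch (JsonMappingException refused) {
            return null;
        }
    }

    public static void main(String[] args) throws IOException {
        // Legacy mapper: both payloads instantiate whatever class they name.
        System.out.println("legacy,   hostile: " + resolvedClass(legacyMapper(), SENDER_PICKS_CLASS));
        System.out.println("legacy,   benign : " + resolvedClass(legacyMapper(), EXPECTED_POINT));

        // Hardened mapper: Point is admitted, the HashMap type id is refused.
        System.out.println("hardened, hostile: " + resolvedClass(hardenedMapper(), SENDER_PICKS_CLASS));
        System.out.println("hardened, benign : " + resolvedClass(hardenedMapper(), EXPECTED_POINT));
    }
}
```

Compile and run with jackson-databind, jackson-core and jackson-annotations on the classpath. The legacy mapper resolves the type id for both payloads, which is the behaviour every CVE above exploits with a more dangerous class name; the hardened mapper resolves only Point. The allowlist also removes the subclass gap visible in the patches (HikariDataSource needing its own entry after HikariConfig), because allowIfSubType(Point.class) is an assignability check rather than an exact name comparison.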
View it on GitLab: https://salsa.debian.org/java-team/jackson-databind/compare/49053a29c26056c7d323f2aff096502e92f79406...a64fd489746621272a4c9bbd2f969a4f73fd242b