[Git][java-team/jackson-databind][stretch] Import Debian changes 2.8.6-1+deb9u6
Markus Koschany
gitlab at salsa.debian.org
Thu Jul 9 15:28:01 BST 2020
Markus Koschany pushed to branch stretch at Debian Java Maintainers / jackson-databind
Commits:
b7ef4f68 by Markus Koschany at 2020-07-09T16:27:22+02:00
Import Debian changes 2.8.6-1+deb9u6
jackson-databind (2.8.6-1+deb9u6) stretch-security; urgency=high
..
* Fix CVE-2019-12384, CVE-2019-12814, CVE-2019-14379, CVE-2019-14439,
CVE-2019-14540, CVE-2019-16335, CVE-2019-16942 and CVE-2019-16943.
Several deserialization flaws were discovered in jackson-databind which
could allow an unauthenticated user to perform code execution. The issue
was resolved by extending the blacklist and blocking more classes from
polymorphic deserialization.
- - - - -
3 changed files:
- debian/changelog
- + debian/patches/polymorphic-typing-issues.patch
- debian/patches/series
Changes:
=====================================
debian/changelog
=====================================
@@ -1,3 +1,14 @@
+jackson-databind (2.8.6-1+deb9u6) stretch-security; urgency=high
+
+ * Fix CVE-2019-12384, CVE-2019-12814, CVE-2019-14379, CVE-2019-14439,
+ CVE-2019-14540, CVE-2019-16335, CVE-2019-16942 and CVE-2019-16943.
+ Several deserialization flaws were discovered in jackson-databind which
+ could allow an unauthenticated user to perform code execution. The issue
+ was resolved by extending the blacklist and blocking more classes from
+ polymorphic deserialization.
+
+ -- Markus Koschany <apo at debian.org> Sat, 05 Oct 2019 19:21:48 +0200
+
jackson-databind (2.8.6-1+deb9u5) stretch-security; urgency=high
* Team upload.
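Review bot: the entry lists eight CVE identifiers but gives no mapping from CVE to the blocked class or the upstream databind issue, so someone auditing the stretch package cannot tell from the changelog alone which gadget types this upload covers; consider naming the affected classes or the databind issue numbers (as the patch comments do) next to the CVEs. The "unauthenticated user ... code execution" wording is also worth qualifying with what the last sentence already implies: the blocked names only matter for applications that deserialize untrusted input with polymorphic typing enabled.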
=====================================
debian/patches/polymorphic-typing-issues.patch
=====================================
@@ -0,0 +1,54 @@
+From: Markus Koschany <apo at debian.org>
+Date: Sat, 5 Oct 2019 19:15:03 +0200
+Subject: polymorphic typing issues
+
+This is the fix for CVE-2019-12384, CVE-2019-12814, CVE-2019-14379,
+CVE-2019-14439, CVE-2019-14540, CVE-2019-16335, CVE-2019-16942, CVE-2019-16943
+---
+ .../databind/deser/BeanDeserializerFactory.java | 33 ++++++++++++++++++++++
+ 1 file changed, 33 insertions(+)
+
+diff --git a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
+index c22653a..77d426c 100644
+--- a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
++++ b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
+@@ -103,6 +103,39 @@ public class BeanDeserializerFactory
+ // [databind#2326] (2.9.9): one more 3rd party gadget
+ s.add("com.mysql.cj.jdbc.admin.MiniAdmin");
+
++ // [databind#2334]: logback-core
++ s.add("ch.qos.logback.core.db.DriverManagerConnectionSource");
++
++ // [databind#2341]: jdom/jdom2
++ s.add("org.jdom.transform.XSLTransformer");
++ s.add("org.jdom2.transform.XSLTransformer");
++
++ // [databind#2387]: EHCache
++ s.add("net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup");
++
++ // [databind#2389]: logback/jndi
++ s.add("ch.qos.logback.core.db.JNDIConnectionSource");
++
++ // [databind#2410]: HikariCP/metricRegistry config
++ s.add("com.zaxxer.hikari.HikariConfig");
++
++ // [databind#2449]: and sub-class thereof
++ s.add("com.zaxxer.hikari.HikariDataSource");
++
++ // [databind#2420]: CXF/JAX-RS provider/XSLT
++ s.add("org.apache.cxf.jaxrs.provider.XSLTJaxbProvider");
++
++ // [databind#2462]: commons-configuration / -2
++ s.add("org.apache.commons.configuration.JNDIConfiguration");
++ s.add("org.apache.commons.configuration2.JNDIConfiguration");
++
++ // [databind#2469]: xalan2
++ s.add("org.apache.xalan.lib.sql.JNDIConnectionPool");
++
++ // [databind#2478]: comons-dbcp, p6spy
++ s.add("org.apache.commons.dbcp.datasources.SharedPoolDataSource");
++ s.add("com.p6spy.engine.spy.P6DataSource");
++
+ DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
+ }
+
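Review bot: the patch header carries only From/Date/Subject and no Origin or Bug fields, so the provenance of the thirteen added class names (the upstream commits for databind#2334 through #2478 referenced in the comments) cannot be checked without reading upstream history; a DEP-3 Origin line per upstream commit, plus the CVE-to-issue mapping from the Subject, would make that verifiable. Two minor points in the quoted comments: "comons-dbcp" is a typo carried over from upstream, and the #2449 entry sits between #2410 and #2420 out of numeric order. Since DEFAULT_NO_DESER_CLASS_NAMES is a denylist, every newly published gadget class will need another upload like this one; the header should say so and point users at disabling default typing (or using an allowlist) as the durable mitigation.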
=====================================
debian/patches/series
=====================================
@@ -10,3 +10,4 @@ CVE-2018-12022.patch
CVE-2018-14718.patch
CVE-2018-19360.patch
CVE-2019-12086.patch
+polymorphic-typing-issues.patch
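Review bot: the new entry breaks the naming convention visible in the surrounding context, where each security patch is named after its CVE (CVE-2018-14718.patch, CVE-2018-19360.patch, CVE-2019-12086.patch); with eight CVEs in one patch a single-CVE name does not fit, but a name that includes at least the first identifier, or a short note in the patch header listing all of them, would keep the series greppable by CVE when the next batch is backported.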
View it on GitLab: https://salsa.debian.org/java-team/jackson-databind/-/commit/b7ef4f68e1e14e5df5bc06e39ccb4fef7ee9354a