Bug#888318: jackson-databind: CVE-2017-17485

Salvatore Bonaccorso carnil at debian.org
Wed Jan 24 22:14:29 UTC 2018


On Wed, Jan 24, 2018 at 11:11:13PM +0100, Salvatore Bonaccorso wrote:
> Source: jackson-databind
> Version: 2.9.1-1
> Severity: grave
> Tags: security upstream
> Forwarded: https://github.com/FasterXML/jackson-databind/issues/1855
> 
> Hi,
> 
> the following vulnerability was published for jackson-databind.
> 
> CVE-2017-17485[0]:
> | FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3
> | allows unauthenticated remote code execution because of an incomplete
> | fix for the CVE-2017-7525 deserialization flaw. This is exploitable by
> | sending maliciously crafted JSON input to the readValue method of the
> | ObjectMapper, bypassing a blacklist that is ineffective if the Spring
> | libraries are available in the classpath.
> 
> Please note in the security-tracker we initially marked this issue as
> not-affected, since Red Hat claimed in [2] that it was an incomplete
> fix specific to some Red Hat packages.
> Could you double-check this and, in case this bug was wrongly opened,
> report back? But it looks like the corresponding changes would as well
> be missing from the Debian package.

From a quick skim over the applied patches in stable I would say we
missed those as well.

Regards,
Salvatore
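The CVE text quoted above says the blacklist only comes into play when
ObjectMapper.readValue() is fed JSON that names the class to instantiate.
That requires default typing (or an equivalent custom TypeResolverBuilder) to
be switched on. The snippet below is an added illustration written for this
thread, not code from jackson-databind, Spring or the Debian package: it shows
the 2.9-era enableDefaultTyping() configuration the advisory presupposes next
to a mapper that resolves polymorphic types only through an explicit allowlist.
The class name in the constructed input is a placeholder, not the gadget the
CVE refers to, and the Message/Ping types are made up for the example.

```java
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.NamedType;

// Added illustration; not code from jackson-databind or the Debian package.
public class DefaultTypingCheck {

    // The configuration the CVE text presupposes: global default typing makes
    // readValue() honour a class name carried inside the JSON itself.
    static ObjectMapper vulnerableMapper() {
        ObjectMapper mapper = new ObjectMapper();
        // jackson-databind 2.9 API. The blacklist CVE-2017-17485 bypasses only
        // matters once this (or a custom TypeResolverBuilder) is enabled.
        mapper.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    // Hardened variant: no default typing; polymorphism is limited to subtypes
    // registered under a logical name, so a class name in the JSON is never
    // looked up on the classpath at all.
    static ObjectMapper hardenedMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.registerSubtypes(new NamedType(Ping.class, "ping"));
        return mapper;
    }

    // Hypothetical message hierarchy used only by this example.
    @JsonTypeInfo(use = JsonTypeInfo.Id.NAME, property = "type")
    interface Message {}

    public static class Ping implements Message {
        public String text;
    }

    public static void main(String[] args) throws Exception {
        // Constructed input in the "[class-name, value]" shape that default
        // typing accepts. The class name is a placeholder, not a real gadget.
        String untrusted = "[\"com.example.SomePlaceholder\", {\"text\": \"hi\"}]";

        try {
            // With default typing on, Jackson resolves the named class; the
            // CVE describes the blacklist guarding this step as bypassable.
            Object o = vulnerableMapper().readValue(untrusted, Object.class);
            System.out.println("vulnerable mapper resolved: " + o);
        } catch (Exception e) {
            System.out.println("vulnerable mapper attempted class resolution: " + e.getMessage());
        }

        // The hardened mapper only accepts the registered logical name.
        Message m = hardenedMapper().readValue("{\"type\":\"ping\",\"text\":\"hi\"}", Message.class);
        System.out.println("hardened mapper produced: " + m.getClass().getSimpleName());
    }
}
```

Against the hardened mapper, input such as `{"type":"com.example.X"}` is rejected
with an InvalidTypeIdException before any class is loaded, whereas the first
mapper consults the classpath for whatever name the JSON supplies. When auditing
a package for this CVE, grepping the application and its dependencies for
enableDefaultTyping and custom TypeResolverBuilder implementations tells you
whether the blacklist fix is even on the execution path.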


