Bug#941530: jackson-databind: CVE-2019-16942 CVE-2019-16943

Salvatore Bonaccorso carnil at debian.org
Wed Oct 2 08:43:20 BST 2019


Hi Markus,

On Tue, Oct 01, 2019 at 10:46:16PM +0200, Markus Koschany wrote:
> Hi Salvatore,
> 
> Am 01.10.19 um 22:34 schrieb Salvatore Bonaccorso:
> > Source: jackson-databind
> > Version: 2.10.0-1
> > Severity: grave
> > Tags: security upstream
> > Justification: user security hole
> > Forwarded: https://github.com/FasterXML/jackson-databind/issues/2478
> > Control: found -1 2.9.8-3
> > Control: found -1 2.8.6-1+deb9u5
> > Control: found -1 2.8.6-1
> > 
> > Hi,
> > 
> > Tony, Markus, As it was already expected ;-). Upstream, whilst it
> > affects as well 2.10.0, seemingly is not considering doing an update
> > for 2.10 specifically but have fixed this one as well for older
> > versions. Previous point, that this is just going to start to be silly
> > upholds.
> > 
> > That said, let's follow with the usual information:
> > 
> > The following vulnerabilities were published for jackson-databind.
> [...]
> 
> First of all, thank you very much for taking care of reporting these issues.
> 
> Please let me know if you think this is a DSA-worthy issue. Otherwise I
> will just ask the release team for an update. Personally I believe we
> can treat that as an important issue from now on.

Whilst I'm not yet sure if we should really release a further DSA for
jackson-databind (we will come back to you on that), a possible idea
for bullseye (might be better cloned/filed as new bug, but want to
mention it here already):

https://bugzilla.redhat.com/show_bug.cgi?id=1731271

Red Hat recently fixed a CVE for codehaus. The approach they took
there was, rather than continuing on the jackson-databind side (that is my
interpretation), to start a whitelist approach on the side of the
applications which use jackson-databind.

This might be something to consider for bullseye as well for the
reverse dependencies. Not sure if this is feasible in our case, but
this might be worth investigating.

Regards,
Salvatore
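As an added illustration of the application-side whitelist idea mentioned in this mail (example code, not from the bug report, Red Hat, or the Debian package): jackson-databind 2.10 lets an application restrict which classes a JSON type id may name through `BasicPolymorphicTypeValidator`, so that only the application's own types are ever instantiated from untrusted input. The package name, the types and the JSON inputs below are assumed.

```java
package com.example.app;

import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;
import java.io.IOException;

// Assumed application package and types; jackson-databind 2.10.x on the classpath.
public class AllowlistExample {

    public static class LoginEvent {
        public String user;
    }

    // An Object-typed property carrying a class-name type id is the shape the
    // jackson-databind deserialization CVEs abuse: without a validator, any class
    // on the classpath named in "@class" may be instantiated.
    public static class Envelope {
        @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS)
        public Object payload;
    }

    // Whitelist approach: only classes under the application's own package may be
    // named by a type id; anything else is rejected before instantiation.
    public static ObjectMapper allowlistedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.app.")
                .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.setPolymorphicTypeValidator(ptv);
        return mapper;
    }

    // Returns the concrete payload class name, or null when the type id was rejected.
    public static String readPayloadType(ObjectMapper mapper, String json) throws IOException {
        try {
            Envelope env = mapper.readValue(json, Envelope.class);
            return env.payload == null ? null : env.payload.getClass().getName();
        } catch (JsonMappingException rejected) {
            return null; // InvalidTypeIdException: the validator denied the subtype
        }
    }

    public static void main(String[] args) throws IOException {
        ObjectMapper mapper = allowlistedMapper();
        // Constructed inputs: an application type (allowed) and an unrelated JDK type (denied).
        String ok = "{\"payload\":{\"@class\":\"com.example.app.AllowlistExample$LoginEvent\",\"user\":\"alice\"}}";
        String denied = "{\"payload\":{\"@class\":\"java.util.HashMap\"}}";
        System.out.println(readPayloadType(mapper, ok));
        System.out.println(readPayloadType(mapper, denied));
    }
}
```

The same validator also governs `activateDefaultTyping(ptv, ...)`, which replaces the unrestricted `enableDefaultTyping()` that older application code used.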


