Bug#941530: jackson-databind: CVE-2019-16942 CVE-2019-16943

Markus Koschany apo at debian.org
Thu Oct 3 14:53:37 BST 2019


Control: clone 941530 -1
Control: retitle -1 jackson-databind: consider using a whitelist
Control: severity -1 wishlist

Hi,

On 02.10.19 at 09:43, Salvatore Bonaccorso wrote:
[...]
> Whilst I'm not yet sure if we should really release a further DSA for
> jackson-databind (we will come back to you on that), a possible idea
> for bullseye (might be better cloned/filed as a new bug, but want to
> mention it here already):
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=1731271
> 
> Red Hat recently had fixed a CVE for codehaus. The approach they took
> there was, rather than continuing on the jackson-databind side (that is my
> interpretation), to start a whitelist approach on the application
> side which uses jackson-databind.
> 
> This might be something to consider for bullseye as well for the
> reverse dependencies. Not sure if this is feasible in our case, but
> this might be worth investigating.

Good idea. Let's investigate this solution. I will track that in another
bug report.

Regards,

Markus
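For reference, an added example of what the whitelist approach looks like with the mechanism upstream jackson-databind 2.10 ships for this purpose (PolymorphicTypeValidator). This is not code from the bug report, from Red Hat's patch, or from any Debian package; the Note and Envelope classes, the JSON inputs, and the use of java.util.HashMap as a stand-in for a gadget class are assumptions made for the illustration, and it assumes jackson-databind 2.10 or later on the classpath.

```java
// Added example, not part of the bug report: the pre-2.10 default-typing
// configuration that the jackson-databind CVEs rely on, next to the
// allowlist configuration jackson-databind 2.10 provides.
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.json.JsonMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class JacksonAllowlistDemo {

    // Hypothetical application classes (assumptions for this example).
    public static class Note {
        public String text;
    }

    // Declared final so that NON_FINAL default typing does not expect a
    // type id for the root value; only the Object-typed property gets one.
    public static final class Envelope {
        // A property typed as Object is where default typing accepts a class
        // name from the JSON document, and where gadget class names enter.
        public Object payload;
    }

    // The configuration the CVEs target: any class on the classpath is a
    // candidate target, and only the upstream blacklist stands in the way.
    static ObjectMapper unsafeMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL); // deprecated since 2.10
        return m;
    }

    // Allowlist: only the types the application actually expects may be
    // named in a type id; everything else is refused before instantiation.
    static ObjectMapper allowlistMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
            .allowIfSubType(Note.class) // a package prefix works too: .allowIfSubType("com.example.model.")
            .build();
        return JsonMapper.builder()
            .activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL)
            .build();
    }

    // Returns the runtime class of the deserialized payload, or null when the
    // mapper refused the type id (Jackson reports that as a JsonMappingException).
    static String payloadClass(ObjectMapper m, String json) throws Exception {
        try {
            Envelope e = m.readValue(json, Envelope.class);
            return e.payload == null ? null : e.payload.getClass().getName();
        } catch (JsonMappingException ex) {
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs. java.util.HashMap is harmless here; it stands in
        // for any class the application never asked to deserialize.
        String expected = "{\"payload\":[\"" + Note.class.getName() + "\",{\"text\":\"hi\"}]}";
        String foreign  = "{\"payload\":[\"java.util.HashMap\",{}]}";

        System.out.println("unsafe mapper, expected type : " + payloadClass(unsafeMapper(), expected));
        System.out.println("unsafe mapper, foreign type  : " + payloadClass(unsafeMapper(), foreign));
        System.out.println("allowlist mapper, expected   : " + payloadClass(allowlistMapper(), expected));
        System.out.println("allowlist mapper, foreign    : " + payloadClass(allowlistMapper(), foreign));
    }
}
```

The unsafe mapper instantiates whatever class the type id names; the allowlist mapper instantiates Note and rejects the HashMap payload. Reverse dependencies that rely on @JsonTypeInfo rather than default typing can install the same validator with ObjectMapper.setPolymorphicTypeValidator(ptv), so the check applies to annotated base types as well.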




