Bug#980816: Clarify requirement for safe default typing?

Markus Koschany apo at debian.org
Fri Jan 22 20:19:48 GMT 2021


Hi Moritz,

On Friday, 22.01.2021 at 21:03 +0100, Moritz Muehlenhoff wrote:
> Source: jackson-databind
> Severity: important
> X-Debbugs-Cc: carnil at debian.org, apo at debian.org
> 
> Starting with 2.10 (and thus in Bullseye) upstream makes safe default
> typing required, the absence is no longer considered a security issue,
> see e.g. here:
> 
> https://github.com/FasterXML/jackson-databind/issues/2798
> > Not considered valid CVE for Jackson 2.10.0 and later (see
> > https://medium.com/@cowtowncoder/jackson-2-10-safe-default-typing-2d018f0ce2ba)
> 
> I'm wondering how to best convey this, maybe via a NEWS entry or
> simply accept it as given?

I believe starting with 2.10 this is no longer security relevant because
developers are required "to specify validator of type PolymorphicTypeValidator
that will determine if deserialization of given class name is (or is not)
allowed." (quote from the second link, the official announcement by upstream)

That means a developer of a dependency of jackson-databind is still allowed to
shoot oneself in the foot but you can't blame jackson-databind for it anymore.
So beginning with 2.10 I would simply ignore similar issues in the security
tracker.

Regards,

Markus



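The validator requirement quoted above, shown as an added Java example; this is not code from jackson-databind, the Debian package, or either mail. The Animal/Dog/Owner model and the two JSON payloads are constructed for illustration, and `java.util.HashMap` is only a harmless stand-in for an attacker-chosen class name. The Jackson calls (`BasicPolymorphicTypeValidator`, `ObjectMapper.activateDefaultTyping`, `LaissezFaireSubTypeValidator`, `InvalidTypeIdException`) are the 2.10 API, so it assumes jackson-databind 2.10 or later on the classpath.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.impl.LaissezFaireSubTypeValidator;

// Added example, not jackson-databind or Debian code. Needs jackson-databind >= 2.10.
public class SafeDefaultTypingDemo {

    // Hypothetical application model.
    public static abstract class Animal { public String name; }
    public static class Dog extends Animal { public boolean goodBoy = true; }
    // final, so the root value itself is read without a type wrapper
    public static final class Owner {
        public Animal pet;    // abstract base type: needs a type id in the JSON
        public Object extra;  // java.lang.Object: every class is a valid subtype
    }

    // 2.10 and later: default typing is only activated together with a
    // PolymorphicTypeValidator. This one allow-lists exactly the subtype the
    // application expects and leaves every other class name unapproved.
    static ObjectMapper safeMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(Dog.class)
                .build();
        return new ObjectMapper()
                .activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
    }

    // The foot-gun from the mail: same API, but a validator that accepts any
    // class name. This is what the deprecated enableDefaultTyping() does behind
    // the scenes, i.e. the pre-2.10 behaviour; since 2.10 choosing it is an
    // application bug rather than a jackson-databind CVE.
    static ObjectMapper laissezFaireMapper() {
        return new ObjectMapper()
                .activateDefaultTyping(LaissezFaireSubTypeValidator.instance,
                                       ObjectMapper.DefaultTyping.NON_FINAL);
    }

    public static void main(String[] args) throws Exception {
        // Constructed payloads in the WRAPPER_ARRAY form default typing uses:
        // ["fully.qualified.ClassName", <value>]
        String expected = "{\"pet\":[\"" + Dog.class.getName() + "\",{\"name\":\"Rex\"}]}";
        // Class name chosen by the sender, not by the application. java.util.HashMap
        // is harmless; the point is who picks the class.
        String hostile = "{\"extra\":[\"java.util.HashMap\",{}]}";

        ObjectMapper safe = safeMapper();
        Owner o = safe.readValue(expected, Owner.class);
        System.out.println("allowed:  " + o.pet.getClass().getName() + " name=" + o.pet.name);

        try {
            safe.readValue(hostile, Owner.class);
            System.out.println("BUG: validator accepted java.util.HashMap");
        } catch (InvalidTypeIdException e) {
            // BasicPolymorphicTypeValidator gave no ALLOWED verdict for the class,
            // so Jackson refuses to instantiate it.
            System.out.println("denied:   " + e.getTypeId() + " for base " + e.getBaseType());
        }

        // Same payload through the validator that allows everything: the
        // attacker-named class is instantiated.
        Owner unsafe = laissezFaireMapper().readValue(hostile, Owner.class);
        System.out.println("laissez-faire instantiated: " + unsafe.extra.getClass().getName());
    }
}
```

Compile and run it with jackson-databind (plus jackson-core and jackson-annotations) on the classpath. The `Object extra` field is the instructive part: a base type that broad accepts any class on the classpath, so the validator's allow-list is the only thing deciding whether the sender's class name is instantiated, which is exactly the responsibility 2.10 moved from jackson-databind to the application.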