Discussion:
Bug#888318: jackson-databind: CVE-2017-17485
Salvatore Bonaccorso
2018-01-24 22:11:13 UTC
Source: jackson-databind
Version: 2.9.1-1
Severity: grave
Tags: security upstream
Forwarded: https://github.com/FasterXML/jackson-databind/issues/1855

Hi,

the following vulnerability was published for jackson-databind.

CVE-2017-17485[0]:
| FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3
| allows unauthenticated remote code execution because of an incomplete
| fix for the CVE-2017-7525 deserialization flaw. This is exploitable by
| sending maliciously crafted JSON input to the readValue method of the
| ObjectMapper, bypassing a blacklist that is ineffective if the Spring
| libraries are available in the classpath.

Please note in the security-tracker we initially marked this issue as
not-affected, since Red Hat claimed in [2] that it was an incomplete
fix specific to some Red Hat packages.
Could you double-check this and, in case this bug was wrongly opened,
report back? But it looks that the corresponding changes would as well
be missing from the Debian package.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-17485
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17485
[1] https://github.com/FasterXML/jackson-databind/issues/1855
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1528565#c0

Please adjust the affected versions in the BTS as needed, in
particular no check for stable and oldstable has been done yet.

Regards,
Salvatore

__
This is the maintainer address of Debian's Java team
<http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers>. Please use
debian-***@lists.debian.org for discussions and questions.
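The CVE text above describes a blacklist of gadget classes that is bypassed once another library (Spring) is on the classpath. The defensive alternative is an allowlist of the subtypes the application actually expects, so the type id embedded in the JSON is checked against it before any class is instantiated. The following is an added example, not code from the bug report, the Debian package or upstream; it assumes jackson-databind 2.10 or later (the PolymorphicTypeValidator API is newer than the 2.9.x versions discussed here), and the Event/LoginEvent/AuditEvent classes are constructed for illustration.

```java
import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class AllowlistedTyping {

    // Constructed types for the example: one base type and two subtypes,
    // of which only LoginEvent is meant to be accepted from untrusted JSON.
    public static abstract class Event { public String name; }
    public static class LoginEvent extends Event { public String user; }
    public static class AuditEvent extends Event { public String detail; }

    // Allowlist instead of the blacklist approach the CVE text describes:
    // only the listed subtype may be instantiated from a type id in the input.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(LoginEvent.class)
                .build();
        ObjectMapper mapper = new ObjectMapper();
        // Same default-typing mode an application might already rely on,
        // but now gated by the validator rather than a deny-list.
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    // Returns the parsed event, or null if the embedded type id was rejected.
    static Event readEvent(ObjectMapper mapper, String json) {
        try {
            return mapper.readValue(json, Event.class);
        } catch (JsonMappingException e) {
            // A denied type id surfaces here, before any instance is created.
            System.out.println("rejected: " + e.getOriginalMessage());
            return null;
        } catch (JsonProcessingException e) {
            throw new IllegalStateException("malformed input", e);
        }
    }

    public static void main(String[] args) {
        ObjectMapper mapper = hardenedMapper();
        // Constructed inputs in Jackson's default WRAPPER_ARRAY type-id layout.
        String allowed = "[\"" + LoginEvent.class.getName()
                + "\",{\"name\":\"login\",\"user\":\"alice\"}]";
        String denied = "[\"" + AuditEvent.class.getName()
                + "\",{\"name\":\"audit\",\"detail\":\"x\"}]";
        System.out.println("allowed -> " + (readEvent(mapper, allowed) != null));
        System.out.println("denied  -> " + (readEvent(mapper, denied) != null));
    }
}
```

The second input names a class that exists on the classpath but is outside the allowlist, which is exactly the situation a deny-list cannot anticipate; the validator rejects it regardless of which libraries are present.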
Salvatore Bonaccorso
2018-01-24 22:14:29 UTC
Post by Salvatore Bonaccorso
Source: jackson-databind
Version: 2.9.1-1
Severity: grave
Tags: security upstream
Forwarded: https://github.com/FasterXML/jackson-databind/issues/1855
Hi,
the following vulnerability was published for jackson-databind.
| FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3
| allows unauthenticated remote code execution because of an incomplete
| fix for the CVE-2017-7525 deserialization flaw. This is exploitable by
| sending maliciously crafted JSON input to the readValue method of the
| ObjectMapper, bypassing a blacklist that is ineffective if the Spring
| libraries are available in the classpath.
Please note in the security-tracker we initially marked this issue as
not-affected, since Red Hat claimed in [2] that it was an incomplete
fix specific to some Red Hat packages.
Could you double-check this and, in case this bug was wrongly opened,
report back? But it looks that the corresponding changes would as well
be missing from the Debian package.
From a quick skim over the applied patches in stable I would say we
missed those as well.

Regards,
Salvatore

Debian Bug Tracking System
2018-01-25 23:21:12 UTC
Your message dated Thu, 25 Jan 2018 23:19:37 +0000
with message-id <E1eeqnx-000Bro-***@fasolo.debian.org>
and subject line Bug#888318: fixed in jackson-databind 2.9.4-1
has caused the Debian Bug report #888318,
regarding jackson-databind: CVE-2017-17485
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ***@bugs.debian.org
immediately.)
--
888318: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=888318
Debian Bug Tracking System
Contact ***@bugs.debian.org with problems