Mageia alert MGASA-2018-0138 (jackson-databind)

From:
    	       Mageia Updates <buildsystem-daemon@mageia.org> 
To:
    	       updates-announce@ml.mageia.org 
Subject:
    	       [updates-announce] MGASA-2018-0138: Updated jackson-databind packages fix security vulnerability 
Date:
    	       Sun, 25 Feb 2018 00:26:07 +0100
Message-ID:
    	       <20180224232607.A5E439FD12@duvel.mageia.org>
MGASA-2018-0138 - Updated jackson-databind packages fix security vulnerability

Publication date: 24 Feb 2018
URL: https://advisories.mageia.org/MGASA-2018-0138.html
Type: security
Affected Mageia releases: 6
CVE: CVE-2017-17485,
     CVE-2018-5968

Description:
A deserialization flaw was discovered in the jackson-databind which could
allow an unauthenticated user to perform code execution by sending
maliciously crafted input to the readValue method of ObjectMapper
(CVE-2017-17485).

A flaw was found in FasterXML jackson-databind which allows unauthenticated
remote code execution due deserialization flaws. This is exploitable via
two different gadgets that bypass a blacklist (CVE-2018-5968).

References:
- https://bugs.mageia.org/show_bug.cgi?id=22569
-
https://lists.fedoraproject.org/archives/list/package-ann...
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1...
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5968

SRPMS:
- 6/core/jackson-databind-2.7.6-1.3.mga6

From:		Mageia Updates <buildsystem-daemon@mageia.org>
To:		updates-announce@ml.mageia.org
Subject:		[updates-announce] MGASA-2018-0138: Updated jackson-databind packages fix security vulnerability
Date:		Sun, 25 Feb 2018 00:26:07 +0100
Message-ID:		<20180224232607.A5E439FD12@duvel.mageia.org>