Debian alert DLA-1831-1 (jackson-databind)
From: Markus Koschany <apo@debian.org>
To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 1831-1] jackson-databind security update
Date: Fri, 21 Jun 2019 17:09:36 +0200
Message-ID: <1dc2282f-a7aa-3af5-6e34-f2cbc537032d@debian.org>

Package        : jackson-databind
Version        : 2.4.2-2+deb8u7
CVE ID         : CVE-2019-12384 CVE-2019-12814
Debian Bug     : 930750

More Polymorphic Typing issues were discovered in jackson-databind. When
Default Typing is enabled (either globally or for a specific property)
for an externally exposed JSON endpoint and the service has JDOM 1.x or
2.x or logback-core jar in the classpath, an attacker can send a
specifically crafted JSON message that allows them to read arbitrary
local files on the server.

For Debian 8 "Jessie", these problems have been fixed in version
2.4.2-2+deb8u7.

We recommend that you upgrade your jackson-databind packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
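
An added triage example, not part of the advisory or of jackson-databind: it checks a code base for the two preconditions named above, Default Typing switched on (globally or per property) and a JDOM or logback-core jar on the classpath. The regular expressions, function names and sample inputs are assumptions constructed for this example; it does not check the installed package version.

```python
import re
from pathlib import Path

# Assumed patterns for how the advisory's conditions appear in Java source
# and in jar file names; tune them to the code base being audited.
GLOBAL_TYPING = re.compile(r"\benableDefaultTyping\s*\(")
PROPERTY_TYPING = re.compile(
    r"@JsonTypeInfo\s*\([^)]*\bId\.(?:CLASS|MINIMAL_CLASS)\b")
GADGET_JAR = re.compile(r"^(jdom\d?|logback-core)(?:[-_.][\w.+~-]*)?\.jar$", re.I)


def typing_findings(java_source):
    """Return (line_number, kind) for each place Default Typing is enabled."""
    hits = []
    for number, line in enumerate(java_source.splitlines(), 1):
        code = line.split("//", 1)[0]  # crude: drop trailing line comments
        if GLOBAL_TYPING.search(code):
            hits.append((number, "global"))
        elif PROPERTY_TYPING.search(code):
            hits.append((number, "property"))
    return hits


def gadget_jars(jar_paths):
    """Return the classpath entries that are JDOM or logback-core jars."""
    return sorted(p for p in jar_paths if GADGET_JAR.match(Path(p).name))


def assess(java_source, jar_paths):
    """Both conditions from the advisory must hold for 'exposed' to be True."""
    findings, jars = typing_findings(java_source), gadget_jars(jar_paths)
    return {"typing": findings, "jars": jars, "exposed": bool(findings and jars)}


# Constructed sample input (not taken from any real project).
SAMPLE_SOURCE = """\
ObjectMapper mapper = new ObjectMapper();
mapper.enableDefaultTyping();
// mapper.enableDefaultTyping(); old copy, commented out
@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS)
public Object payload;
@JsonTypeInfo(use = JsonTypeInfo.Id.NAME, property = "type")
public Shape shape;
"""
SAMPLE_JARS = ["/usr/share/java/jackson-databind.jar", "lib/jdom2-2.0.6.jar",
               "lib/logback-core-1.2.3.jar", "lib/logback-classic-1.2.3.jar"]

if __name__ == "__main__":
    print(assess(SAMPLE_SOURCE, SAMPLE_JARS))
```

A positive result only narrows where to look; whether the endpoint is externally exposed still has to be checked by hand, and upgrading to the fixed package version remains the remedy the advisory gives.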