
[SECURITY] [DLA 1703-1] jackson-databind security update



Package        : jackson-databind
Version        : 2.4.2-2+deb8u5
CVE ID         : CVE-2018-11307 CVE-2018-12022 CVE-2018-12023 CVE-2018-14718
                 CVE-2018-14719 CVE-2018-14720 CVE-2018-14721 CVE-2018-19360
                 CVE-2018-19361 CVE-2018-19362

Several deserialization flaws were discovered in jackson-databind, a fast
and powerful JSON library for Java, which could allow an unauthenticated
user to execute code. The issues were resolved by extending the blacklist
to block more classes from polymorphic deserialization.

For Debian 8 "Jessie", these problems have been fixed in version
2.4.2-2+deb8u5.

We recommend that you upgrade your jackson-databind packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
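
Because the fix extends a blacklist, it matters which code lets JSON input
name the class to instantiate. The following is an added example, not part
of the advisory or of jackson-databind: it scans Java source for two Jackson
constructs that enable class-name-based polymorphic typing (it is not an
exhaustive list). The sample source is constructed, and the function and
rule names are hypothetical.

```python
import re

# Jackson constructs that let the JSON input name the Java class to instantiate.
# Rule names are hypothetical labels chosen for this example.
RULES = [
    ("default-typing", re.compile(r"\.enableDefaultTyping(?:AsProperty)?\s*\(")),
    ("class-name-type-id",
     re.compile(r"@JsonTypeInfo\s*\([^)]*?\bId\.(?:MINIMAL_)?CLASS\b")),
]
_COMMENT = re.compile(r"//[^\n]*|/\*.*?\*/", re.S)

def _blank(match):
    # Replace comment text with spaces but keep newlines so line numbers hold.
    return re.sub(r"[^\n]", " ", match.group(0))

def scan(java_source):
    """Return sorted (line, rule) pairs for risky typing configuration."""
    code = _COMMENT.sub(_blank, java_source)
    hits = []
    for rule, pattern in RULES:
        for m in pattern.finditer(code):
            hits.append((code.count("\n", 0, m.start()) + 1, rule))
    return sorted(hits)

# Constructed sample input (hypothetical application code, not from the advisory).
SAMPLE = """\
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.ObjectMapper;
public class Api {
    // mapper.enableDefaultTyping();  commented out, must not be reported
    static ObjectMapper build() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping();
        return m;
    }
    @JsonTypeInfo(
        use = JsonTypeInfo.Id.CLASS,
        include = JsonTypeInfo.As.PROPERTY)
    static class Envelope { public Object body; }
    @JsonTypeInfo(use = JsonTypeInfo.Id.NAME, property = "kind")
    static class Event { }
}
"""

if __name__ == "__main__":
    for line, rule in scan(SAMPLE):
        print(f"line {line}: {rule}")
```

Findings mark code that still depends on the blacklist after the upgrade;
name-based type ids (`Id.NAME`) are not reported.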