
[SECURITY] [DLA 1798-1] jackson-databind security update




Package        : jackson-databind
Version        : 2.4.2-2+deb8u6
CVE ID         : CVE-2019-12086
Debian Bug     : 929177

A Polymorphic Typing issue was discovered in jackson-databind, a JSON
library for Java. When Default Typing is enabled (either globally or
for a specific property) for an externally exposed JSON endpoint, the
service has the mysql-connector-java jar (8.0.14 or earlier) in the
classpath, and an attacker can host a crafted MySQL server reachable
by the victim, an attacker can send a crafted JSON message that allows
them to read arbitrary local files on the server. This occurs because of
missing com.mysql.cj.jdbc.admin.MiniAdmin validation.
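
The difference between the exposed configuration described above and an allow-listed one, as an added example (not code from this advisory, Debian, or the jackson-databind project). It assumes jackson-databind 2.x on the classpath; the class names `TypedEndpointDemo`, `Notification`, `Email`, `Sms` and the JSON inputs are hypothetical and constructed for illustration.

```java
import com.fasterxml.jackson.annotation.JsonSubTypes;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import java.io.IOException;

public class TypedEndpointDemo {

    // Hardened shape: type ids are logical names mapped to an explicit allow-list,
    // so the JSON sender cannot name an arbitrary class from the classpath.
    @JsonTypeInfo(use = JsonTypeInfo.Id.NAME, include = JsonTypeInfo.As.PROPERTY, property = "type")
    @JsonSubTypes({
        @JsonSubTypes.Type(value = Email.class, name = "email"),
        @JsonSubTypes.Type(value = Sms.class, name = "sms")
    })
    public abstract static class Notification { public String to; }
    public static class Email extends Notification { public String subject; }
    public static class Sms extends Notification { public String text; }

    // Exposed shape from the advisory, shown for contrast and not used below:
    // with global Default Typing, class names in the JSON choose what is instantiated.
    static ObjectMapper riskyMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping();
        return m;
    }

    // The per-property form is @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS) on an Object field.
    static ObjectMapper safeMapper() { return new ObjectMapper(); }

    // Returns true if the payload binds to an allow-listed subtype, false if the type id is rejected.
    static boolean accepts(ObjectMapper m, String json) throws IOException {
        try {
            m.readValue(json, Notification.class);
            return true;
        } catch (JsonMappingException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper m = safeMapper();
        // Constructed inputs: one allow-listed type id, one class-style id that is not on the list.
        String listed = "{\"type\":\"email\",\"to\":\"ops@example.org\",\"subject\":\"hi\"}";
        String unlisted = "{\"type\":\"com.example.NotListed\",\"to\":\"ops@example.org\"}";
        System.out.println("listed type accepted:   " + accepts(m, listed));
        System.out.println("unlisted type accepted: " + accepts(m, unlisted));
    }
}
```

Name-based type ids narrow what an endpoint will instantiate regardless of which jars are on the classpath; the fixed package version is still the remedy for CVE-2019-12086 itself.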


For Debian 8 "Jessie", this problem has been fixed in version
2.4.2-2+deb8u6.

We recommend that you upgrade your jackson-databind packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

