
[SECURITY] [DLA 1943-1] jackson-databind security update



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : jackson-databind
Version        : 2.4.2-2+deb8u9
CVE ID         : CVE-2019-14540 CVE-2019-16335 CVE-2019-16942
                 CVE-2019-16943
Debian Bug     : 940498 941530

More deserialization flaws were discovered in jackson-databind
relating to the classes com.zaxxer.hikari.HikariConfig and
com.zaxxer.hikari.HikariDataSource, classes in commons-dbcp, and
com.p6spy.engine.spy.P6DataSource, which could allow an
unauthenticated user to perform remote code execution. The issue was
resolved by extending the blacklist and blocking more classes from
polymorphic deserialization.
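The blacklist extension above is reactive: each newly found gadget class needs another entry. The added example below (not part of the advisory or of the jackson-databind project) shows the weak configuration that makes such gadgets reachable, default typing, next to a hardened form that expresses polymorphism through a closed set of logical type names using annotations that already exist in the 2.4 series; the Config, Source, FileSource and JdbcSource types are hypothetical.

```java
import com.fasterxml.jackson.annotation.JsonSubTypes;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;

public class TypedDeserializationDemo {

    // Weak setting: default typing lets the JSON document name the class to
    // instantiate for Object-typed fields, so every class on the classpath that
    // the blocklist does not yet cover is a candidate. Shown for contrast only.
    static ObjectMapper weakMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping();
        return mapper;
    }

    // Hardened form: no default typing at all. Polymorphism is declared on the
    // base type with logical names, and only the listed subtypes can be chosen.
    @JsonTypeInfo(use = JsonTypeInfo.Id.NAME, include = JsonTypeInfo.As.PROPERTY, property = "type")
    @JsonSubTypes({
        @JsonSubTypes.Type(value = FileSource.class, name = "file"),
        @JsonSubTypes.Type(value = JdbcSource.class, name = "jdbc")
    })
    public interface Source {}

    public static class FileSource implements Source { public String path; }
    public static class JdbcSource implements Source { public String url; }

    public static class Config {
        public Object payload; // Object-typed field: only dangerous under default typing
        public Source source;  // allowlisted polymorphism
    }

    static ObjectMapper hardenedMapper() {
        return new ObjectMapper(); // default typing stays off
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper safe = hardenedMapper();
        // Constructed sample input: a registered logical name resolves normally.
        Config ok = safe.readValue("{\"source\":{\"type\":\"file\",\"path\":\"/tmp/a\"}}", Config.class);
        System.out.println(((FileSource) ok.source).path);
        // A type id outside the allowlist is rejected rather than resolved to a class.
        try {
            safe.readValue("{\"source\":{\"type\":\"some.other.Class\",\"path\":\"x\"}}", Config.class);
        } catch (JsonMappingException e) {
            System.out.println("rejected unknown type id: " + e.getMessage());
        }
        // Without default typing an Object-typed field becomes a plain Map/List/scalar.
        Config plain = safe.readValue("{\"payload\":{\"x\":1}}", Config.class);
        System.out.println(plain.payload.getClass().getName());
    }
}
```

Auditing for enableDefaultTyping() calls (and, on newer releases, activateDefaultTyping with a permissive validator) is the quickest way to tell whether an application depends on the blacklist for safety.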

For Debian 8 "Jessie", these problems have been fixed in version
2.4.2-2+deb8u9.

We recommend that you upgrade your jackson-databind packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS