[SECURITY] [DLA 2030-1] jackson-databind security update

To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 2030-1] jackson-databind security update
From: Markus Koschany <apo@debian.org>
Date: Tue, 10 Dec 2019 19:54:11 +0100
Message-id: <[🔎] adaf982e-2c14-cc32-a786-97802df65a45@debian.org>
Mail-followup-to: debian-lts@lists.debian.org
Reply-to: debian-lts@lists.debian.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : jackson-databind
Version        : 2.4.2-2+deb8u10
CVE ID         : CVE-2019-17267 CVE-2019-17531

More deserialization flaws were discovered in jackson-databind which
could allow an unauthenticated user to perform remote code execution.
The issue was resolved by extending the blacklist and blocking more
classes from polymorphic deserialization.

For Debian 8 "Jessie", these problems have been fixed in version
2.4.2-2+deb8u10.

We recommend that you upgrade your jackson-databind packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAl3v6dJfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7
UeTAkQ//T3ec5xV91lcC7u9kGlDDnYEzxlDF9RSiVOXfjI75yPd6vhYBoxHh+OCZ
ifJ5skjUf5dsRHmGtdoLPUcQ3hNu4U7Td7rHh5i9m1rROaKVOfmke/98hCt4H2dh
LHWR6FCK6F6Qi/5EvzTgu1pP2UB+QbWgt8sy3Ria0lU9+K46G967A7JWhODdkeno
Bgjv9L1dB/wvraYfBRBeC3OmvJo9J+gDUKd6Asf/hsodGB1X5CynpxjVu46ejwff
uGnW73K4HZycok8BV2jn+cFE5FQWwNISibX4RcuUOwFv428tkNSxYoED9E9XxaVQ
uBTbjnuTPHxgdyu9+oPJVrGl4mQJmrNwcNgJvgQxqi8AbN/DpmQAwCoc8g3P1Yd6
+9Dl3lmX+NTE43QAGl+bTms/DHy/4VPsPV2qpw65rHKPphQBwKifVTPrXaIuPfRq
2c2Sij8m4wa3MlbYTTIOMtJS8mmd65V+EJlrFk4KeHf08prZjY44K652cJaSPCO4
L5g+WAIPKaLWG5j5hlBtHpIcq+185FwWFBTB3JsACtEiFBzz4Y1Lm0Pi0DU/nhj6
z+43IOC9I4k1t12/ff9mWNrtQNJsEMwhZv/hnbNcIRzyJSpzV22+1aSlcoibTvfg
cb5oERNVAXEjc7g15Kclp5oycS6A4wtUv/uuFQIMSJ2B20cdNPY=
=k6JS
-----END PGP SIGNATURE-----

Reply to:

Prev by Date: [SECURITY] [DLA 2031-1] freeimage security update
Next by Date: [SECURITY] [DLA 2032-1] cacti security update
Previous by thread: [SECURITY] [DLA 2031-1] freeimage security update
Next by thread: [SECURITY] [DLA 2032-1] cacti security update
Index(es):
- Date
- Thread