Debian Security Advisory
DSA-4542-1 jackson-databind -- security update
- Date Reported:
- 06 Oct 2019
- Affected Packages:
- Security database references:
- In the Debian bugtracking system: Bug 941530, Bug 940498, Bug 933393, Bug 930750.
In Mitre's CVE dictionary: CVE-2019-12384, CVE-2019-14439, CVE-2019-14540, CVE-2019-16335, CVE-2019-16942, CVE-2019-16943.
- More information:
It was discovered that jackson-databind, a Java library used to parse JSON and other data formats, did not properly validate user input before attempting deserialization. This allowed an attacker providing maliciously crafted input to perform code execution, or read arbitrary files on the server.
For the oldstable distribution (stretch), these problems have been fixed in version 2.8.6-1+deb9u6.
For the stable distribution (buster), these problems have been fixed in version 2.9.8-3+deb10u1.
We recommend that you upgrade your jackson-databind packages.
For the detailed security status of jackson-databind please refer to its security tracker page at: https://security-tracker.debian.org/tracker/jackson-databind