Commits on Source (2)
    Import Debian changes 2.4.2-2+deb8u8 · 16013628
    Roberto C. Sánchez authored and Markus Koschany committed
    jackson-databind (2.4.2-2+deb8u8) jessie-security; urgency=high
    
      * Non-maintainer upload by the LTS team.
      * Fix CVE-2019-14379, CVE-2019-14439:
        Deserialization flaws were discovered in jackson-databind relating to
        EHCache and logback/jndi, which could allow an unauthenticated user to
        perform remote code execution.  The issue was resolved by extending the
        blacklist and blocking more classes from polymorphic deserialization.
        (Closes: #933393)
    Import Debian changes 2.4.2-2+deb8u9 · a64fd489
    Markus Koschany authored
    jackson-databind (2.4.2-2+deb8u9) jessie-security; urgency=high
    
      * Non-maintainer upload by the LTS team.
      * Fix CVE-2019-14540, CVE-2019-16335, CVE-2019-16942 and CVE-2019-16943.
        Deserialization flaws were discovered in jackson-databind relating to
        com.zaxxer.hikari.HikariConfig, com.zaxxer.hikari.HikariDataSource,
        commons-dbcp and com.p6spy.engine.spy.P6DataSource, which could allow an
        unauthenticated user to perform remote code execution. The issue was
        resolved by extending the blacklist and blocking more classes from
        polymorphic deserialization.
jackson-databind (2.4.2-2+deb8u9) jessie-security; urgency=high
* Non-maintainer upload by the LTS team.
* Fix CVE-2019-14540, CVE-2019-16335, CVE-2019-16942 and CVE-2019-16943.
Deserialization flaws were discovered in jackson-databind relating to
com.zaxxer.hikari.HikariConfig, com.zaxxer.hikari.HikariDataSource,
commons-dbcp and com.p6spy.engine.spy.P6DataSource, which could allow an
unauthenticated user to perform remote code execution. The issue was
resolved by extending the blacklist and blocking more classes from
polymorphic deserialization.
-- Markus Koschany <apo@debian.org> Wed, 02 Oct 2019 21:36:21 +0200
jackson-databind (2.4.2-2+deb8u8) jessie-security; urgency=high
* Non-maintainer upload by the LTS team.
* Fix CVE-2019-14379, CVE-2019-14439:
Deserialization flaws were discovered in jackson-databind relating to
EHCache and logback/jndi, which could allow an unauthenticated user to
perform remote code execution. The issue was resolved by extending the
blacklist and blocking more classes from polymorphic deserialization.
(Closes: #933393)
-- Roberto C. Sanchez <roberto@debian.org> Mon, 12 Aug 2019 17:40:56 -0400
jackson-databind (2.4.2-2+deb8u7) jessie-security; urgency=high
* Non-maintainer upload by the LTS team.
......
From ad418eeb974e357f2797aef64aa0e3ffaaa6125b Mon Sep 17 00:00:00 2001
From: Tatu Saloranta <tatu.saloranta@iki.fi>
Date: Thu, 25 Jul 2019 21:58:11 -0700
Subject: [PATCH] Backport #2387, #2389 fixes
Bug-Debian: https://bugs.debian.org/933393
Bug-Upstream: https://github.com/FasterXML/jackson-databind/issues/2387
Bug-Upstream: https://github.com/FasterXML/jackson-databind/issues/2389
Origin: https://github.com/FasterXML/jackson-databind/commit/ad418eeb974e357f2797aef64aa0e3ffaaa6125b
---
.../jackson/databind/jsontype/impl/SubTypeValidator.java | 6 ++++++
1 file changed, 6 insertions(+)
--- jackson-databind.git.orig/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
+++ jackson-databind.git/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
@@ -116,6 +116,12 @@
s.add("org.jdom.transform.XSLTransformer");
s.add("org.jdom2.transform.XSLTransformer");
+ // [databind#2387]: EHCache
+ s.add("net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup");
+
+ // [databind#2389]: logback/jndi
+ s.add("ch.qos.logback.core.db.JNDIConnectionSource");
+
DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
}
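Review bot: the diffstat in this patch header names `.../jackson/databind/jsontype/impl/SubTypeValidator.java`, but the hunk it introduces patches `src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java`. The stat block was presumably carried over from the upstream commit given in `Origin:`, where the deny list lives in a different file than in the 2.4.2 code base; regenerate it for the backport so the DEP-3 header matches the file actually changed, otherwise anyone auditing the series against upstream will be looking in the wrong place. The two added entries themselves line up with the changelog (EHCache `DefaultTransactionManagerLookup`, logback `JNDIConnectionSource`) and with upstream issues #2387 and #2389.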
From: Markus Koschany <apo@debian.org>
Date: Wed, 2 Oct 2019 19:28:36 +0200
Subject: CVE-2019-14540
Bug-Debian: https://bugs.debian.org/940498
Origin: https://github.com/FasterXML/jackson-databind/commit/d4983c740fec7d5576b207a8c30a63d3ea7443de
---
.../fasterxml/jackson/databind/deser/BeanDeserializerFactory.java | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
index 4e044e2..287c4ef 100644
--- a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
+++ b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
@@ -122,6 +122,12 @@ public class BeanDeserializerFactory
// [databind#2389]: logback/jndi
s.add("ch.qos.logback.core.db.JNDIConnectionSource");
+ // [databind#2410]: HikariCP/metricRegistry config
+ s.add("com.zaxxer.hikari.HikariConfig");
+
+ // [databind#2420]: CXF/JAX-RS provider/XSLT
+ s.add("org.apache.cxf.jaxrs.provider.XSLTJaxbProvider");
+
DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
}
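Review bot: the second entry added here, `org.apache.cxf.jaxrs.provider.XSLTJaxbProvider` ([databind#2420]), is not mentioned anywhere in the deb8u9 changelog, which lists only HikariConfig, HikariDataSource, commons-dbcp and P6DataSource, and the patch is titled for CVE-2019-14540 alone. Either document the CXF class in debian/changelog (it is a separate upstream issue and may carry its own advisory) or split it into its own patch, so that each file in debian/patches/series maps to the issue its name claims to fix.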
From: Markus Koschany <apo@debian.org>
Date: Wed, 2 Oct 2019 19:29:45 +0200
Subject: CVE-2019-16335
Bug-Debian: https://bugs.debian.org/940498
Origin: https://github.com/FasterXML/jackson-databind/commit/73c1c2cc76e6cdd7f3a5615cbe3207fe96e4d3db
---
.../com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java | 3 +++
1 file changed, 3 insertions(+)
diff --git a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
index 287c4ef..4bc0cc7 100644
--- a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
+++ b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
@@ -125,6 +125,9 @@ public class BeanDeserializerFactory
// [databind#2410]: HikariCP/metricRegistry config
s.add("com.zaxxer.hikari.HikariConfig");
+ // [databind#2449]: and sub-class thereof
+ s.add("com.zaxxer.hikari.HikariDataSource");
+
// [databind#2420]: CXF/JAX-RS provider/XSLT
s.add("org.apache.cxf.jaxrs.provider.XSLTJaxbProvider");
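Review bot: the reason this hunk is needed deserves a sentence in the patch description: `com.zaxxer.hikari.HikariConfig` was already in `DEFAULT_NO_DESER_CLASS_NAMES` after the previous patch, yet its subclass `com.zaxxer.hikari.HikariDataSource` still had to be added separately (the comment says as much, "and sub-class thereof"), because the set holds exact class-name strings and is not consulted for assignability. Every entry therefore blocks one class only, and any further subclass of a denied type will need its own line; the changelog's "extending the blacklist" wording should make clear this is a point fix, not a closing of the class hierarchy.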
From: Markus Koschany <apo@debian.org>
Date: Wed, 2 Oct 2019 19:38:13 +0200
Subject: CVE-2019-16942 and CVE-2019-16943
Bug-Debian: https://bugs.debian.org/941530
Origin: https://github.com/FasterXML/jackson-databind/commit/9593e16cf5a3d289a9c584f7123639655de9ddac
---
.../com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
index 4bc0cc7..57cc035 100644
--- a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
+++ b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
@@ -131,6 +131,10 @@ public class BeanDeserializerFactory
// [databind#2420]: CXF/JAX-RS provider/XSLT
s.add("org.apache.cxf.jaxrs.provider.XSLTJaxbProvider");
+ // [databind#2478]: comons-dbcp, p6spy
+ s.add("org.apache.commons.dbcp.datasources.SharedPoolDataSource");
+ s.add("com.p6spy.engine.spy.P6DataSource");
+
DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
}
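Review bot: the comment on the first `+` line misspells the library as `comons-dbcp` (upstream's typo, but it is what someone grepping the deny list for dbcp coverage will search for, so worth correcting in the backport). More substantively, the changelog says the fix covers "commons-dbcp" while only `org.apache.commons.dbcp.datasources.SharedPoolDataSource` is denied; please confirm whether the other datasource classes in that package and the newer `dbcp2` package generation (the pattern the following patch applies to `commons.configuration` and `commons.configuration2`) need entries as well, and record the outcome in the changelog so the scope of the fix is explicit.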
From: Markus Koschany <apo@debian.org>
Date: Wed, 2 Oct 2019 19:38:53 +0200
Subject: More Polymorphic-Typing issue fixes
CVE not yet assigned
---
.../fasterxml/jackson/databind/deser/BeanDeserializerFactory.java | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
index 57cc035..39a8ee4 100644
--- a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
+++ b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
@@ -131,6 +131,13 @@ public class BeanDeserializerFactory
// [databind#2420]: CXF/JAX-RS provider/XSLT
s.add("org.apache.cxf.jaxrs.provider.XSLTJaxbProvider");
+ // [databind#2462]: commons-configuration / -2
+ s.add("org.apache.commons.configuration.JNDIConfiguration");
+ s.add("org.apache.commons.configuration2.JNDIConfiguration");
+
+ // [databind#2469]: xalan2
+ s.add("org.apache.xalan.lib.sql.JNDIConnectionPool");
+
// [databind#2478]: comons-dbcp, p6spy
s.add("org.apache.commons.dbcp.datasources.SharedPoolDataSource");
s.add("com.p6spy.engine.spy.P6DataSource");
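Review bot: this patch carries no `Origin:` or `Bug-Debian:` header, unlike the four before it, so the only pointers to where the change came from are the `[databind#2462]` and `[databind#2469]` references in the added comments. Add the upstream commit URL to the DEP-3 header so the backport can be audited against its source, and replace the `CVE not yet assigned` line once identifiers are published. Note also that the trailing context lines (`[databind#2478]: comons-dbcp, p6spy` and the two `s.add` calls after it) are lines introduced by CVE-2019-16942-and-CVE-2019-16943.patch, so this patch only applies after that one; the ordering is correct as long as debian/patches/series preserves it.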
......@@ -13,3 +13,8 @@ CVE-2018-19360.patch
CVE-2019-12086.patch
CVE-2019-12384.patch
CVE-2019-12814.patch
CVE-2019-14379_CVE-2019-14439.patch
CVE-2019-14540.patch
CVE-2019-16335.patch
CVE-2019-16942-and-CVE-2019-16943.patch
More-Polymorhpic-Typing-issue-fixes.patch
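Review bot: the new entries keep the series in application order but not in one naming convention: the earlier multi-CVE patch joins identifiers with `_` (`CVE-2019-14379_CVE-2019-14439.patch`) while the new one uses `-and-` (`CVE-2019-16942-and-CVE-2019-16943.patch`), and the last file name carries the `Polymorhpic` typo from its Subject line. Settle on one form now, since renaming a patch later means touching the file, this series entry and the Subject header together.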