| Summary: | jackson-databind new security issue CVE-2017-15095 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | critical | | |
| Priority: | Normal | CC: | davidwhodgins, geiger.david68210, herman.viaene, mageia, sysadmin-bugs, tarazed25, wilcal.int |
| Version: | 6 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA5TOO MGA5-32-OK MGA5-64-OK MGA6-32-OK MGA6-64-OK | | |
| Source RPM: | jackson-databind-2.7.6-1.1.mga6.src.rpm | CVE: | |
| Status comment: | | | |
Description
David Walser
2017-11-03 22:45:05 CET
David Walser
2017-11-03 22:45:18 CET
CC: (none) => geiger.david68210

Fixed on Cauldron, mga6 and also mga5!

Advisory:
========================

Updated jackson-databind packages fix security vulnerability:

An unsafe deserialization vulnerability was found due to incomplete blacklisting of the unsafe elements, due to an incomplete fix for CVE-2017-7525 (CVE-2017-15095).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15095
http://openwall.com/lists/oss-security/2017/11/02/3
https://bugzilla.redhat.com/show_bug.cgi?id=1506612
========================

Updated packages in core/updates_testing:
========================
jackson-databind-2.4.3-4.2.mga5
jackson-databind-2.7.6-1.2.mga6
jackson-databind-javadoc-2.7.6-1.2.mga6

from SRPMS:
jackson-databind-2.4.3-4.2.mga5.src.rpm
jackson-databind-2.7.6-1.2.mga6.src.rpm

CC: (none) => mageia
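To make the advisory's point concrete, here is an added example (not from the bug report, the advisory or the Jackson project) showing the mechanism behind CVE-2017-7525 and its follow-up CVE-2017-15095: once `enableDefaultTyping()` is on, the JSON document rather than the application decides which class jackson-databind instantiates, so upstream could only blacklist known-dangerous classes one at a time, and each missed class is another CVE. It assumes jackson-databind 2.7.x (the mga6 version) on the classpath; `DefaultTypingDemo`, `Probe`, `Shape` and `Circle` are made-up names, and `Probe` is a harmless stand-in, not any of the gadget classes discussed in the references.

```java
import java.io.IOException;

import com.fasterxml.jackson.annotation.JsonSubTypes;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;

// Added illustration, not code from the Mageia bug or the Jackson project.
// Assumes jackson-databind 2.7.x; all class and field names are made up.
public class DefaultTypingDemo {

    // Harmless stand-in for a class an attacker would rather name: it only
    // records that Jackson instantiated it from the document's type id.
    public static class Probe {
        public static boolean instantiated = false;
        public Probe() { instantiated = true; }
        public void setName(String name) { }
    }

    // Hardened shape: polymorphism through a closed set of logical names.
    // Only "circle" resolves; no class name from the input is ever looked up.
    @JsonTypeInfo(use = JsonTypeInfo.Id.NAME,
                  include = JsonTypeInfo.As.PROPERTY, property = "type")
    @JsonSubTypes({ @JsonSubTypes.Type(value = Circle.class, name = "circle") })
    public interface Shape { double area(); }

    public static class Circle implements Shape {
        public double radius;
        public double area() { return Math.PI * radius * radius; }
    }

    public static void main(String[] args) throws IOException {
        // Constructed input: with default typing the first array element is a
        // fully qualified class name that Jackson will load and instantiate.
        String typedJson = "[\"DefaultTypingDemo$Probe\", {\"name\": \"x\"}]";

        // 1. Vulnerable configuration: global default typing. The upstream
        //    fixes for CVE-2017-7525 / CVE-2017-15095 blacklist specific class
        //    names on this path, which is why each fix was incomplete.
        ObjectMapper unsafe = new ObjectMapper();
        unsafe.enableDefaultTyping();
        Object o = unsafe.readValue(typedJson, Object.class);
        System.out.println("default typing built: " + o.getClass().getName()
                + " (instantiated=" + Probe.instantiated + ")");

        // 2. Default typing off: the same bytes are just an ArrayList, and no
        //    class lookup happens at all.
        ObjectMapper plain = new ObjectMapper();
        Object l = plain.readValue(typedJson, Object.class);
        System.out.println("no default typing: " + l.getClass().getName());

        // 3. Allow-list: a declared name works, anything else is rejected
        //    before any class is resolved (JsonMappingException in 2.7,
        //    its InvalidTypeIdException subclass in 2.9+).
        Shape s = plain.readValue("{\"type\":\"circle\",\"radius\":2}", Shape.class);
        System.out.println("circle area: " + s.area());
        try {
            plain.readValue("{\"type\":\"DefaultTypingDemo$Probe\",\"name\":\"x\"}",
                            Shape.class);
        } catch (JsonMappingException e) {
            System.out.println("rejected unknown type id: " + e.getMessage());
        }
    }
}
```

Compile and run with jackson-databind and its jackson-core and jackson-annotations dependencies on the classpath. The first mapper instantiates whatever class the input names, the second treats the same bytes as a plain list, and the allow-listed `Shape` mapping refuses any type id not declared in `@JsonSubTypes`. That allow-list is the configuration to prefer in applications; the package update only extends the blacklist that protects code which still uses default typing.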
Lewis Smith
2017-11-05 13:39:22 CET
Keywords: (none) => advisory

Mageia 6 on x86_64

This has turned up before, and previously nothing was found which uses jackson-databind that does not lead back to Java development frameworks of some kind, although docker-client is mentioned. However, the testing of jackson-dataformat-xml around that time involved a Java snippet which listed com.fasterxml.jackson.databind.* in the module requirements (imports). It might be worth running.

CC: (none) => tarazed25

MGA5-32 on Asus A6000VMXfce

No installation issues.

Previous update on this was bug 21428, which was let go on a clean install. Doing a search in Bugzilla for jackson-dataformat only turns up this current bug. If Len can shed some more light here, I'm willing to keep this bug open for a while.

CC: (none) => herman.viaene

In VirtualBox, M6, Plasma, 64-bit

Package(s) under test: jackson-databind jackson-databind-javadoc

default install of jackson-databind & jackson-databind-javadoc

[root@localhost wilcal]# urpmi jackson-databind
Package jackson-databind-2.7.6-1.1.mga6.noarch is already installed
[root@localhost wilcal]# urpmi jackson-databind-javadoc
Package jackson-databind-javadoc-2.7.6-1.1.mga6.noarch is already installed

Packages install without error

install jackson-databind & jackson-databind-javadoc from updates_testing

[root@localhost wilcal]# urpmi jackson-databind
Package jackson-databind-2.7.6-1.2.mga6.noarch is already installed
[root@localhost wilcal]# urpmi jackson-databind-javadoc
Package jackson-databind-javadoc-2.7.6-1.2.mga6.noarch is already installed

Packages update without errors

CC: (none) => wilcal.int
William Kenney
2017-11-09 18:51:59 CET
Whiteboard: MGA5TOO => MGA5TOO MGA6-64-OK

In VirtualBox, M6, Plasma, 32-bit

Package(s) under test: jackson-databind jackson-databind-javadoc

default install of jackson-databind & jackson-databind-javadoc

[root@localhost wilcal]# urpmi jackson-databind
Package jackson-databind-2.7.6-1.1.mga6.noarch is already installed
[root@localhost wilcal]# urpmi jackson-databind-javadoc
Package jackson-databind-javadoc-2.7.6-1.1.mga6.noarch is already installed

Packages install without error

install jackson-databind & jackson-databind-javadoc from updates_testing

[root@localhost wilcal]# urpmi jackson-databind
Package jackson-databind-2.7.6-1.2.mga6.noarch is already installed
[root@localhost wilcal]# urpmi jackson-databind-javadoc
Package jackson-databind-javadoc-2.7.6-1.2.mga6.noarch is already installed

Packages update without errors

Whiteboard: MGA5TOO MGA6-64-OK => MGA5TOO MGA6-32-OK MGA6-64-OK

In VirtualBox, M5.1, KDE, 64-bit

Package(s) under test: jackson-databind jackson-databind-javadoc

default install of jackson-databind & jackson-databind-javadoc

[root@localhost wilcal]# urpmi jackson-databind
Package jackson-databind-2.4.3-4.1.mga5.noarch is already installed
[root@localhost wilcal]# urpmi jackson-databind-javadoc
Package jackson-databind-javadoc-2.4.3-4.mga5.noarch is already installed

Packages install without error

install jackson-databind & jackson-databind-javadoc from updates_testing

[root@localhost wilcal]# urpmi jackson-databind
Package jackson-databind-2.4.3-4.2.mga5.noarch is already installed
[root@localhost wilcal]# urpmi jackson-databind-javadoc
Package jackson-databind-javadoc-2.4.3-4.mga5.noarch is already installed

Packages update without errors

Whiteboard: MGA5TOO MGA6-32-OK MGA6-64-OK => MGA5TOO MGA5-64-OK MGA6-32-OK MGA6-64-OK

In VirtualBox, M5.1, KDE, 32-bit

Package(s) under test: jackson-databind jackson-databind-javadoc

default install of jackson-databind & jackson-databind-javadoc

[root@localhost wilcal]# urpmi jackson-databind
Package jackson-databind-2.4.3-4.1.mga5.noarch is already installed
[root@localhost wilcal]# urpmi jackson-databind-javadoc
Package jackson-databind-javadoc-2.4.3-4.mga5.noarch is already installed

Packages install without error

install jackson-databind & jackson-databind-javadoc from updates_testing

[root@localhost wilcal]# urpmi jackson-databind
Package jackson-databind-2.4.3-4.2.mga5.noarch is already installed
[root@localhost wilcal]# urpmi jackson-databind-javadoc
Package jackson-databind-javadoc-2.4.3-4.mga5.noarch is already installed

Packages update without errors

Whiteboard: MGA5TOO MGA5-64-OK MGA6-32-OK MGA6-64-OK => MGA5TOO MGA5-32-OK MGA5-64-OK MGA6-32-OK MGA6-64-OK

Validating the update based on the above comments.

Keywords: (none) => validated_update

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2017-0408.html

Resolution: (none) => FIXED