| Summary: | jackson-databind new security issues CVE-2017-17485 and CVE-2018-5968 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | critical | ||
| Priority: | Normal | CC: | davidwhodgins, geiger.david68210, herman.viaene, mageia, sysadmin-bugs, wilcal.int |
| Version: | 6 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA6-32-OK MGA6-64-OK | ||
| Source RPM: | jackson-databind-2.7.6-1.2.mga6.src.rpm | CVE: | |
| Status comment: | Patches available from Fedora | ||
|
Description
David Walser
2018-02-10 22:37:03 CET

David Walser
2018-02-10 22:37:15 CET
Whiteboard: (none) => MGA6TOO

David Walser
2018-02-10 22:42:34 CET
Status comment: (none) => Patches available from Fedora

Debian has issued an advisory for this on February 15:
https://www.debian.org/security/2018/dsa-4114

Done for Cauldron and also for mga6! Thanks David!

Advisory:
========================

Updated jackson-databind packages fix security vulnerabilities:

A deserialization flaw was discovered in jackson-databind which could allow an unauthenticated user to perform code execution by sending maliciously crafted input to the readValue method of ObjectMapper (CVE-2017-17485).

A flaw was found in FasterXML jackson-databind which allows unauthenticated remote code execution due to deserialization flaws. This is exploitable via two different gadgets that bypass a blacklist (CVE-2018-5968).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17485
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5968
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/WW7SXEPYMKLVPDYOEHSN52CK3P6WMIQG/
========================

Updated packages in core/updates_testing:
========================
jackson-databind-2.7.6-1.3.mga6
jackson-databind-javadoc-2.7.6-1.3.mga6

from jackson-databind-2.7.6-1.3.mga6.src.rpm

Version: Cauldron => 6

MGA6-32 on Dell Latitude D600 Mate
No installation issues, clean install, does not seem to break anything.
Based on previous update bugs 21978 and 21428, this should be enough to let go.
CC: (none) => herman.viaene

In VirtualBox, M6, Mate, 64-bit

Package(s) under test: jackson-databind jackson-databind-javadoc jackson-core jackson-annotations

default install of jackson-databind jackson-databind-javadoc jackson-core jackson-annotations

[root@localhost wilcal]# urpmi jackson-databind
Package jackson-databind-2.7.6-1.2.mga6.noarch is already installed
[root@localhost wilcal]# urpmi jackson-databind-javadoc
Package jackson-databind-javadoc-2.7.6-1.2.mga6.noarch is already installed
[root@localhost wilcal]# urpmi jackson-core
Package jackson-core-2.7.6-1.mga6.noarch is already installed
[root@localhost wilcal]# urpmi jackson-annotations
Package jackson-annotations-2.7.6-1.mga6.noarch is already installed

Packages install without error

install jackson-databind & jackson-databind-javadoc from updates_testing

[root@localhost wilcal]# urpmi jackson-databind
Package jackson-databind-2.7.6-1.3.mga6.noarch is already installed
[root@localhost wilcal]# urpmi jackson-databind-javadoc
Package jackson-databind-javadoc-2.7.6-1.3.mga6.noarch is already installed
[root@localhost wilcal]# urpmi jackson-core
Package jackson-core-2.7.6-1.mga6.noarch is already installed
[root@localhost wilcal]# urpmi jackson-annotations
Package jackson-annotations-2.7.6-1.mga6.noarch is already installed

Packages update without errors
CC: (none) => wilcal.int

William Kenney
2018-02-22 21:33:12 CET
Keywords: (none) => validated_update

Dave Hodgins
2018-02-24 19:31:24 CET
Keywords: (none) => advisory

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2018-0138.html
Resolution: (none) => FIXED
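The advisory quoted in this bug says the flaw is reached through crafted input to ObjectMapper.readValue and that the CVE-2018-5968 gadgets bypass a blacklist. The program below is an added illustration of that mechanism; it is not code from this bug report, from Mageia or from the jackson-databind project. It shows why the class-name blacklist shipped in the 2.7.x fixes is only a partial defence: once default typing is enabled, the JSON sender names the class that Jackson instantiates, so any class not on the list is fair game. All class, field and string names (DefaultTypingDemo, LoggingSink, Envelope, Message, Note, the JSON documents) are constructed for the demo; the harmless LoggingSink stands in for a real gadget and only logs when its setter is called.

```java
import java.util.List;

import com.fasterxml.jackson.annotation.JsonSubTypes;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;

// Added illustration, not code from the Mageia bug or from jackson-databind.
// Every name below is made up for the demo.
public class DefaultTypingDemo {

    // Stand-in for a gadget: its only side effect is a log line when Jackson
    // calls the setter. A real gadget does something dangerous at that point.
    public static class LoggingSink {
        public void setTarget(String target) {
            System.out.println("LoggingSink.setTarget called with: " + target);
        }
    }

    // Application type with a loosely typed field, deserialized from the network.
    public static class Envelope {
        public Object payload;
    }

    // Constructed attacker input. With default typing on, a two-element array
    // [className, value] for an Object-typed field tells Jackson which class to
    // instantiate, so the sender, not the application, picks the type.
    static final String CRAFTED = "{\"payload\":[\"" + LoggingSink.class.getName()
            + "\",{\"target\":\"chosen by sender\"}]}";

    // Polymorphism done with an explicit allow-list: only the names registered
    // in @JsonSubTypes resolve, a class name from the wire is never looked up.
    @JsonTypeInfo(use = JsonTypeInfo.Id.NAME, include = JsonTypeInfo.As.PROPERTY, property = "type")
    @JsonSubTypes({ @JsonSubTypes.Type(value = Note.class, name = "note") })
    public static abstract class Message { }

    public static class Note extends Message {
        public String text;
    }

    static final String UNKNOWN_TYPE = "{\"type\":\"" + LoggingSink.class.getName()
            + "\",\"target\":\"chosen by sender\"}";

    public static void main(String[] args) throws Exception {
        // 1. Vulnerable: global default typing, the setting the CVEs require.
        ObjectMapper vulnerable = new ObjectMapper();
        vulnerable.enableDefaultTyping(); // deprecated since 2.10, shown for the 2.7 line
        Envelope e = vulnerable.readValue(CRAFTED, Envelope.class);
        System.out.println("default typing on: payload is " + e.payload.getClass().getName());

        // 2. Default typing off (the ObjectMapper default): the array is bound as
        //    a plain List and no class name from the input is ever resolved.
        ObjectMapper plain = new ObjectMapper();
        Envelope p = plain.readValue(CRAFTED, Envelope.class);
        System.out.println("default typing off: payload is " + p.payload.getClass().getName()
                + " (List? " + (p.payload instanceof List) + ")");

        // 3. Allow-listed subtypes: an unregistered type id is rejected before
        //    any class is loaded, a registered one binds normally.
        try {
            plain.readValue(UNKNOWN_TYPE, Message.class);
            System.out.println("unexpected: unknown type id accepted");
        } catch (JsonMappingException ex) {
            System.out.println("allow-list rejected unknown type id: " + ex.getOriginalMessage());
        }
        Message ok = plain.readValue("{\"type\":\"note\",\"text\":\"hi\"}", Message.class);
        System.out.println("allow-list accepted: " + ok.getClass().getSimpleName());
    }
}
```

Run it against any jackson-databind 2.x on the classpath (the 2.7.6 build from this update included). Case 1 prints the LoggingSink log line, showing the sender chose the class; cases 2 and 3 never instantiate it. The practical takeaway for auditing an application that bundles this library is to grep for enableDefaultTyping (and, in 2.10+, activateDefaultTyping) on mappers that read untrusted input, since patching the blacklist only removes the gadgets named in the two CVEs.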