Bug 22859

Summary: jackson-databind new security issues CVE-2018-7489, CVE-2018-11307, CVE-2018-1202[23], CVE-2018-1471[89], CVE-2018-1472[01], CVE-2018-1936[0-2], CVE-2019-12086
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: Java Stack Maintainers <java>
Status: RESOLVED OLD QA Contact: Sec team <security>
Severity: critical    
Priority: Normal CC: geiger.david68210, jani.valimaa
Version: 6   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Source RPM: jackson-databind-2.7.6-4.mga7.src.rpm CVE:
Status comment: Patches available from Fedora and Debian
Bug Depends on: 22835, 24394, 25266    
Bug Blocks:    

Description David Walser 2018-04-01 17:30:36 CEST 
Fedora has issued an advisory today (April 1):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/NNUEGJGG6L6ZDTLKTHYM6STZUU53L6DQ/

Mageia 5 and Mageia 6 are also affected (only Mageia 6 needs to be fixed).
David Walser 2018-04-01 17:30:48 CEST

Whiteboard: (none) => MGA6TOO
CC: (none) => geiger.david68210

Comment 1 David Walser 2018-05-04 07:36:47 CEST 
Debian has issued an advisory for this on May 3:
https://www.debian.org/security/2018/dsa-4190
David Walser 2018-05-04 08:33:09 CEST

Status comment: (none) => Patches available from Fedora and Debian

Comment 2 David Walser 2019-01-01 05:07:26 CET 
jackson-databind-2.9.4-1.mga7 uploaded for Cauldron by Jani with the fix.

Whiteboard: MGA6TOO => (none)
CC: (none) => jani.valimaa
Version: Cauldron => 6

Comment 3 David Walser 2019-02-20 23:23:40 CET 
Fedora has issued several advisories today, fixing several security issues in jackson-databind and one in jackson-dataformat-xml.  Their advisories update all of the jackson-* packages to 2.9.8 (and bouncycastle to 1.61).  Our package in Cauldron are already updated.

These are the advisories for jackson-databind and jackson-dataformat-xml, the ones directly implicated by the CVEs:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/KIJ7D2V7DS5AIHWF5OTSY6IADDMUE4ND/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/FDBHQ6N2UWY27LDPCZAP5FEVGP365224/

CVE-2016-7051 is the issue for jackson-dataformat-xml.

The jackson-databind issues are also fixed in jackson-databind 2.7.9.5.

The slf4j issue in Bug 22835 is related to one of these issues and also needs to be fixed.

Severity: major => critical
Summary: jackson-databind new security issue CVE-2018-7489 => jackson-databind new security issues CVE-2018-7489, CVE-2018-1202[23], CVE-2018-1471[89], CVE-2018-1472[01], CVE-2018-1936[0-2]

Comment 4 David Walser 2019-02-20 23:26:24 CET 
Bug 24394 filed for the jackson-dataformat-xml issue.

Depends on: (none) => 24394, 22835

Comment 5 David Walser 2019-08-11 20:55:22 CEST 
Debian has issued an advisory for this on May 24:
https://www.debian.org/security/2019/dsa-4452

Summary: jackson-databind new security issues CVE-2018-7489, CVE-2018-1202[23], CVE-2018-1471[89], CVE-2018-1472[01], CVE-2018-1936[0-2] => jackson-databind new security issues CVE-2018-7489, CVE-2018-11307, CVE-2018-1202[23], CVE-2018-1471[89], CVE-2018-1472[01], CVE-2018-1936[0-2], CVE-2019-12086

David Walser 2019-08-11 20:57:59 CEST

Depends on: (none) => 25266

Comment 6 David Walser 2019-10-31 04:36:26 CET 
Mageia 6 is EOL.

Status: NEW => RESOLVED
Resolution: (none) => OLD