Fedora has issued an advisory today (July 31): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/CZTM7JEB4G74ZPXYZSQCSH3SC64D2MJF/ Mageia 5 and Mageia 6 are also affected.
CC: (none) => geiger.david68210
Whiteboard: (none) => MGA6TOO, MGA5TOO
QA Contact: (none) => security
Component: RPM Packages => Security
Severity: normal => critical
Fixed for Cauldron and also mga6! But for mga5 I don't know how to fix this as the code has changed quite a bit.
Hi David. I finally got a chance to look at the code, and it doesn't actually look like it changed that much. It looks like it should be fairly easy to integrate this patch into it. It's actually two patches. The second hunk goes at the very end of the class definition in each patch. The first hunk of the first patch goes in the method:

public JsonDeserializer<Object> createBeanDeserializer(DeserializationContext ctxt, JavaType type, BeanDescription beanDesc) throws JsonMappingException

and the first hunk of the second patch goes right in the beginning of the class definition. Whether it builds or if some adjustments would be necessary, I'm not sure.

For future reference, the mga6 update consists of:
jackson-databind-2.7.6-1.1.mga6
jackson-databind-javadoc-2.7.6-1.1.mga6
Whiteboard: MGA6TOO, MGA5TOO => MGA5TOO
Version: Cauldron => 6
pushed in updates_testing for mageia6 src.rpm: jackson-databind-2.4.3-4.1.mga5
Assignee: mageia => qa-bugs
Advisory:
========================

Updated jackson-databind packages fix security vulnerability:

A deserialization flaw was discovered in jackson-databind which could allow an unauthenticated user to perform code execution by sending maliciously crafted input to the readValue method of the ObjectMapper (CVE-2017-7525).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7525
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/CZTM7JEB4G74ZPXYZSQCSH3SC64D2MJF/
========================

Updated packages in core/updates_testing:
========================
jackson-databind-2.4.3-4.1.mga5
jackson-databind-2.7.6-1.1.mga6
jackson-databind-javadoc-2.7.6-1.1.mga6

from SRPMS:
jackson-databind-2.4.3-4.1.mga5.src.rpm
jackson-databind-2.7.6-1.1.mga6.src.rpm
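The advisory above names the risky path (attacker-controlled input reaching ObjectMapper.readValue with polymorphic type handling enabled). As an added example that is not code from this bug report, the Mageia packages or the jackson-databind project, the block below shows the defender-side configuration: a mapper with no default typing at all, and, where polymorphic deserialization is genuinely needed, an explicit allow-list validator instead of a blanket setting. It goes beyond the 2.4.x/2.7.x packages discussed here: it assumes jackson-databind 2.10 or later on the classpath, where the PolymorphicTypeValidator API was introduced. The Shape/Circle classes, the SafePolymorphicMapper name and the JSON inputs are constructed for the demo.

```java
// Added example, not from this bug or the jackson-databind project.
// Assumes jackson-databind >= 2.10: activateDefaultTyping() and
// BasicPolymorphicTypeValidator do not exist in the 2.4.x / 2.7.x packages
// discussed in this bug, so this is the configuration to aim for after upgrading.
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

import java.io.IOException;

public class SafePolymorphicMapper {

    // Hypothetical application model: the only hierarchy readValue() may instantiate.
    public static abstract class Shape { }
    public static class Circle extends Shape { public double radius; }

    // Preferred: no default typing. readValue() then instantiates only the target
    // class the caller names; a class name embedded in the JSON is just a string.
    public static ObjectMapper plainMapper() {
        return new ObjectMapper();
    }

    // When polymorphic deserialization is required: an allow-list validator that
    // admits subtypes of our own base class and denies every other type id.
    public static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(Shape.class)
                .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    // True when the mapper refuses the input (an InvalidTypeIdException from the
    // validator, or any other mapping/parse failure) without instantiating it.
    public static boolean rejects(ObjectMapper mapper, String json) {
        try {
            mapper.readValue(json, Object.class);
            return false;
        } catch (IOException e) {   // JsonMappingException and friends extend IOException
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs. The two-element array is the wrapper-array form that
        // NON_FINAL default typing uses to carry a type id ahead of the value.
        String circle = "[\"" + Circle.class.getName() + "\",{\"radius\":2.5}]";
        String foreign = "[\"java.lang.StringBuilder\",\"x\"]"; // harmless class, but not on the allow-list

        ObjectMapper hardened = hardenedMapper();
        Shape s = hardened.readValue(circle, Shape.class);
        System.out.println("allowed subtype: " + s.getClass().getSimpleName());      // Circle
        System.out.println("foreign type id rejected: " + rejects(hardened, foreign)); // true

        // With no default typing the same bytes are an ordinary two-element JSON array.
        Object plain = plainMapper().readValue(foreign, Object.class);
        System.out.println("plain mapper sees: " + plain.getClass().getSimpleName()); // ArrayList
    }
}
```

The check a packager or integrator wants from this is the last two prints: the hardened mapper turns an unexpected type id into an exception before any constructor runs, and the plain mapper never treats the string as a class name at all. Any code that calls the deprecated blanket enableDefaultTyping() on untrusted input should be migrated to one of these two shapes in addition to taking the updated packages.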
mga6 x86_64

All the packages which use this package seem to be connected mainly with build systems of interest to Java developers, although there is mention of docker-client. There appears to be no way to exercise this at a beginner's level and, as there is no reproducer available, we shall have to be content with a clean install.

Before the update, installation of jackson-databind pulled in jackson-annotations and jackson-core. The update installed cleanly:

$ rpm -qa | grep jackson
jackson-databind-2.7.6-1.1.mga6
jackson-annotations-2.7.6-1.mga6
jackson-core-2.7.6-1.mga6

Fine for 64-bit.
CC: (none) => tarazed25
Whiteboard: MGA5TOO => MGA5TOO MGA6-64-OK
mga6 i586 in virtualbox

Installed jackson-databind then updated to jackson-databind-2.7.6-1.1.mga6.noarch. Good, as far as it goes.
Whiteboard: MGA5TOO MGA6-64-OK => MGA5TOO MGA6-64-OK MGA6-32-OK
mga5 x86_64

Upgraded jackson-databind.

$ rpm -qa | grep jackson
jackson-annotations-2.4.3-4.mga5
jackson-databind-javadoc-2.4.3-4.mga5
jackson-core-2.4.2-4.mga5
jackson-databind-2.4.3-4.1.mga5

For the record, the javadoc update was also installed on the mga6 machine.
Whiteboard: MGA5TOO MGA6-64-OK MGA6-32-OK => MGA5TOO MGA6-64-OK MGA6-32-OK MGA5-64-OK
jackson-databind-2.4.3-4.1.mga5 installed cleanly on a virtualbox running mga5. Other components already installed.
Whiteboard: MGA5TOO MGA6-64-OK MGA6-32-OK MGA5-64-OK => MGA5TOO MGA6-64-OK MGA6-32-OK MGA5-64-OK MGA5-32-OK
CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update
Whiteboard: MGA5TOO MGA6-64-OK MGA6-32-OK MGA5-64-OK MGA5-32-OK => MGA5TOO MGA6-64-OK MGA6-32-OK MGA5-64-OK MGA5-32-OK advisory
CC: (none) => lewyssmith
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2017-0255.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED