It was announced on November 2 that the fix for CVE-2017-7525 (Bug 21428) was incomplete: http://openwall.com/lists/oss-security/2017/11/02/3
CC: (none) => geiger.david68210
Whiteboard: (none) => MGA6TOO, MGA5TOO
Fixed on Cauldron, mga6 and also mga5!
Advisory:
========================

Updated jackson-databind packages fix security vulnerability:

An unsafe deserialization vulnerability was found due to incomplete blacklisting of the unsafe elements, resulting from an incomplete fix for CVE-2017-7525 (CVE-2017-15095).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15095
http://openwall.com/lists/oss-security/2017/11/02/3
https://bugzilla.redhat.com/show_bug.cgi?id=1506612
========================

Updated packages in core/updates_testing:
========================
jackson-databind-2.4.3-4.2.mga5
jackson-databind-2.7.6-1.2.mga6
jackson-databind-javadoc-2.7.6-1.2.mga6

from SRPMS:
jackson-databind-2.4.3-4.2.mga5.src.rpm
jackson-databind-2.7.6-1.2.mga6.src.rpm
CC: (none) => mageia
Assignee: mageia => qa-bugs
Whiteboard: MGA6TOO, MGA5TOO => MGA5TOO
Version: Cauldron => 6
Keywords: (none) => advisory
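The advisory above names the root cause only as "incomplete blacklisting". What the blacklist guards is polymorphic deserialization where the JSON itself names the class to instantiate. The Java snippet below is an added example, not code from this bug report or from the jackson-databind project: it contrasts that configuration (global default typing, the `enableDefaultTyping` call) with a model that resolves only a fixed set of named subtypes and therefore does not depend on any blacklist being complete. The classes Shape, Circle, Square and Envelope and the JSON inputs are constructed for the example. It compiles against the 2.7 API shipped here; `enableDefaultTyping` is deprecated from jackson-databind 2.10, which replaced it with `activateDefaultTyping` taking a `PolymorphicTypeValidator`.

```java
// Added example (not from the Mageia bug or the jackson-databind project).
// Class names and JSON inputs below are constructed for illustration.
import com.fasterxml.jackson.annotation.JsonSubTypes;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;

public class PolymorphicDeserializationDemo {

    // Safe pattern: a closed set of subtypes identified by logical names.
    // The type id in the JSON is looked up in this list; it is never a class name.
    @JsonTypeInfo(use = JsonTypeInfo.Id.NAME, include = JsonTypeInfo.As.PROPERTY, property = "kind")
    @JsonSubTypes({
        @JsonSubTypes.Type(value = Circle.class, name = "circle"),
        @JsonSubTypes.Type(value = Square.class, name = "square")
    })
    public static abstract class Shape { }

    public static class Circle extends Shape { public double radius; }
    public static class Square extends Shape { public double side; }

    // Holder used with the risky mapper. The class is final so that default typing
    // does not expect a type id for the root value; the Object-typed field is where
    // the JSON gets to choose the concrete class.
    public static final class Envelope { public Object payload; }

    // Risky: global default typing. With NON_FINAL, every non-final declared type
    // (Object included) is resolved from a class name carried in the JSON. This is
    // the configuration the CVE-2017-7525 / CVE-2017-15095 blacklists were bolted
    // onto, and why each newly found gadget class needed another blacklist entry.
    static ObjectMapper riskyMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL);
        return m;
    }

    // Hardened: default typing left off; polymorphism only via annotated base types.
    static ObjectMapper hardenedMapper() {
        return new ObjectMapper();
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper safe = hardenedMapper();

        // A registered logical name resolves to the expected subtype.
        Shape s = safe.readValue("{\"kind\":\"circle\",\"radius\":2.0}", Shape.class);
        System.out.println("ok: " + s.getClass().getSimpleName());

        // An unregistered type id is refused; no class is loaded by that name.
        try {
            safe.readValue("{\"kind\":\"com.example.NotARegisteredShape\",\"radius\":1}", Shape.class);
            System.out.println("UNEXPECTED: unknown type id accepted");
        } catch (JsonMappingException e) {
            System.out.println("rejected unknown type id: " + e.getOriginalMessage());
        }

        // With default typing on, the JSON (not the code) names the class for `payload`.
        // A harmless JDK class is used here; the point is that the choice of class sits
        // in attacker-controlled input, which is the property gadget chains abuse.
        ObjectMapper risky = riskyMapper();
        Envelope env = risky.readValue(
            "{\"payload\":[\"java.util.HashMap\",{\"k\":\"v\"}]}", Envelope.class);
        System.out.println("default typing instantiated: " + env.payload.getClass().getName());
    }
}
```

Compile and run with jackson-databind, jackson-core and jackson-annotations on the classpath. When auditing an application that consumes this package, the check is whether any `ObjectMapper` calls `enableDefaultTyping` (any variant) or whether `@JsonTypeInfo` is used with `Id.CLASS` or `Id.MINIMAL_CLASS` on a type reachable from untrusted input; only those configurations depend on the blacklist that this update extends.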
Mageia 6 on x86_64

This has turned up before, and previously nothing was found which uses jackson-databind that does not lead back to Java development frameworks of some kind, although docker-client is mentioned. However, the testing of jackson-dataformat-xml around that time involved a Java snippet which listed com.fasterxml.jackson.databind.* in the module requirements (imports). It might be worth running.
CC: (none) => tarazed25
MGA5-32 on Asus A6000VM, Xfce

No installation issues. Previous update on this was bug 21428, which was let go on a clean install. Doing a search in Bugzilla for jackson-dataformat only turns up this current bug. If Len can shed some more light here, I'm willing to keep this bug open for a while.
CC: (none) => herman.viaene
In VirtualBox, M6, Plasma, 64-bit

Package(s) under test: jackson-databind jackson-databind-javadoc

default install of jackson-databind & jackson-databind-javadoc

[root@localhost wilcal]# urpmi jackson-databind
Package jackson-databind-2.7.6-1.1.mga6.noarch is already installed
[root@localhost wilcal]# urpmi jackson-databind-javadoc
Package jackson-databind-javadoc-2.7.6-1.1.mga6.noarch is already installed

Packages install without error

install jackson-databind & jackson-databind-javadoc from updates_testing

[root@localhost wilcal]# urpmi jackson-databind
Package jackson-databind-2.7.6-1.2.mga6.noarch is already installed
[root@localhost wilcal]# urpmi jackson-databind-javadoc
Package jackson-databind-javadoc-2.7.6-1.2.mga6.noarch is already installed

Packages update without errors
CC: (none) => wilcal.int
Whiteboard: MGA5TOO => MGA5TOO MGA6-64-OK
In VirtualBox, M6, Plasma, 32-bit

Package(s) under test: jackson-databind jackson-databind-javadoc

default install of jackson-databind & jackson-databind-javadoc

[root@localhost wilcal]# urpmi jackson-databind
Package jackson-databind-2.7.6-1.1.mga6.noarch is already installed
[root@localhost wilcal]# urpmi jackson-databind-javadoc
Package jackson-databind-javadoc-2.7.6-1.1.mga6.noarch is already installed

Packages install without error

install jackson-databind & jackson-databind-javadoc from updates_testing

[root@localhost wilcal]# urpmi jackson-databind
Package jackson-databind-2.7.6-1.2.mga6.noarch is already installed
[root@localhost wilcal]# urpmi jackson-databind-javadoc
Package jackson-databind-javadoc-2.7.6-1.2.mga6.noarch is already installed

Packages update without errors
Whiteboard: MGA5TOO MGA6-64-OK => MGA5TOO MGA6-32-OK MGA6-64-OK
In VirtualBox, M5.1, KDE, 64-bit

Package(s) under test: jackson-databind jackson-databind-javadoc

default install of jackson-databind & jackson-databind-javadoc

[root@localhost wilcal]# urpmi jackson-databind
Package jackson-databind-2.4.3-4.1.mga5.noarch is already installed
[root@localhost wilcal]# urpmi jackson-databind-javadoc
Package jackson-databind-javadoc-2.4.3-4.mga5.noarch is already installed

Packages install without error

install jackson-databind & jackson-databind-javadoc from updates_testing

[root@localhost wilcal]# urpmi jackson-databind
Package jackson-databind-2.4.3-4.2.mga5.noarch is already installed
[root@localhost wilcal]# urpmi jackson-databind-javadoc
Package jackson-databind-javadoc-2.4.3-4.mga5.noarch is already installed

Packages update without errors
Whiteboard: MGA5TOO MGA6-32-OK MGA6-64-OK => MGA5TOO MGA5-64-OK MGA6-32-OK MGA6-64-OK
In VirtualBox, M5.1, KDE, 32-bit

Package(s) under test: jackson-databind jackson-databind-javadoc

default install of jackson-databind & jackson-databind-javadoc

[root@localhost wilcal]# urpmi jackson-databind
Package jackson-databind-2.4.3-4.1.mga5.noarch is already installed
[root@localhost wilcal]# urpmi jackson-databind-javadoc
Package jackson-databind-javadoc-2.4.3-4.mga5.noarch is already installed

Packages install without error

install jackson-databind & jackson-databind-javadoc from updates_testing

[root@localhost wilcal]# urpmi jackson-databind
Package jackson-databind-2.4.3-4.2.mga5.noarch is already installed
[root@localhost wilcal]# urpmi jackson-databind-javadoc
Package jackson-databind-javadoc-2.4.3-4.mga5.noarch is already installed

Packages update without errors
Whiteboard: MGA5TOO MGA5-64-OK MGA6-32-OK MGA6-64-OK => MGA5TOO MGA5-32-OK MGA5-64-OK MGA6-32-OK MGA6-64-OK
Validating the update based on the above comments.
Keywords: (none) => validated_update
CC: (none) => davidwhodgins, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2017-0408.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED