Fedora has issued an advisory on February 7:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/WW7SXEPYMKLVPDYOEHSN52CK3P6WMIQG/

Mageia 5 and Mageia 6 are also affected (only Mageia 6 needs to be updated).
Whiteboard: (none) => MGA6TOO
CC: (none) => mageia
Status comment: (none) => Patches available from Fedora
Debian has issued an advisory for this on February 15: https://www.debian.org/security/2018/dsa-4114
Done for Cauldron and also for mga6!
Thanks David!

Advisory:
========================

Updated jackson-databind packages fix security vulnerabilities:

A deserialization flaw was discovered in the jackson-databind which could allow an unauthenticated user to perform code execution by sending maliciously crafted input to the readValue method of ObjectMapper (CVE-2017-17485).

A flaw was found in FasterXML jackson-databind which allows unauthenticated remote code execution due to deserialization flaws. This is exploitable via two different gadgets that bypass a blacklist (CVE-2018-5968).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17485
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5968
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/WW7SXEPYMKLVPDYOEHSN52CK3P6WMIQG/
========================

Updated packages in core/updates_testing:
========================
jackson-databind-2.7.6-1.3.mga6
jackson-databind-javadoc-2.7.6-1.3.mga6

from jackson-databind-2.7.6-1.3.mga6.src.rpm
Version: Cauldron => 6
CC: (none) => geiger.david68210
Assignee: geiger.david68210 => qa-bugs
Whiteboard: MGA6TOO => (none)
MGA6-32 on Dell Latitude D600 Mate

No installation issues, clean install, does not seem to break anything.
Based on previous updates bugs 21978 and 21428, this should be enough to let go.
CC: (none) => herman.viaene
Whiteboard: (none) => MGA6-32-OK
In VirtualBox, M6, Mate, 64-bit

Package(s) under test:
jackson-databind jackson-databind-javadoc jackson-core jackson-annotations

default install of jackson-databind jackson-databind-javadoc jackson-core jackson-annotations

[root@localhost wilcal]# urpmi jackson-databind
Package jackson-databind-2.7.6-1.2.mga6.noarch is already installed
[root@localhost wilcal]# urpmi jackson-databind-javadoc
Package jackson-databind-javadoc-2.7.6-1.2.mga6.noarch is already installed
[root@localhost wilcal]# urpmi jackson-core
Package jackson-core-2.7.6-1.mga6.noarch is already installed
[root@localhost wilcal]# urpmi jackson-annotations
Package jackson-annotations-2.7.6-1.mga6.noarch is already installed

Packages install without error

install jackson-databind & jackson-databind-javadoc from updates_testing

[root@localhost wilcal]# urpmi jackson-databind
Package jackson-databind-2.7.6-1.3.mga6.noarch is already installed
[root@localhost wilcal]# urpmi jackson-databind-javadoc
Package jackson-databind-javadoc-2.7.6-1.3.mga6.noarch is already installed
[root@localhost wilcal]# urpmi jackson-core
Package jackson-core-2.7.6-1.mga6.noarch is already installed
[root@localhost wilcal]# urpmi jackson-annotations
Package jackson-annotations-2.7.6-1.mga6.noarch is already installed

Packages update without errors
CC: (none) => wilcal.int
Keywords: (none) => validated_update
Whiteboard: MGA6-32-OK => MGA6-32-OK MGA6-64-OK
CC: (none) => sysadmin-bugs
Keywords: (none) => advisory
CC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2018-0138.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED