Fedora has issued an advisory today (April 1):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/NNUEGJGG6L6ZDTLKTHYM6STZUU53L6DQ/
Mageia 5 and Mageia 6 are also affected (only Mageia 6 needs to be fixed).
Whiteboard: (none) => MGA6TOO
CC: (none) => geiger.david68210
Debian has issued an advisory for this on May 3: https://www.debian.org/security/2018/dsa-4190
Status comment: (none) => Patches available from Fedora and Debian
jackson-databind-2.9.4-1.mga7 uploaded for Cauldron by Jani with the fix.
Whiteboard: MGA6TOO => (none)
CC: (none) => jani.valimaa
Version: Cauldron => 6
Fedora has issued several advisories today, fixing several security issues in jackson-databind and one in jackson-dataformat-xml. Their advisories update all of the jackson-* packages to 2.9.8 (and bouncycastle to 1.61). Our packages in Cauldron are already updated. These are the advisories for jackson-databind and jackson-dataformat-xml, the ones directly implicated by the CVEs:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/KIJ7D2V7DS5AIHWF5OTSY6IADDMUE4ND/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/FDBHQ6N2UWY27LDPCZAP5FEVGP365224/
CVE-2016-7051 is the issue for jackson-dataformat-xml. The jackson-databind issues are also fixed in jackson-databind 2.7.9.5. The slf4j issue in Bug 22835 is related to one of these issues and also needs to be fixed.
Severity: major => critical
Summary: jackson-databind new security issue CVE-2018-7489 => jackson-databind new security issues CVE-2018-7489, CVE-2018-1202[23], CVE-2018-1471[89], CVE-2018-1472[01], CVE-2018-1936[0-2]
Bug 24394 filed for the jackson-dataformat-xml issue.
Depends on: (none) => 24394, 22835
Debian has issued an advisory for this on May 24: https://www.debian.org/security/2019/dsa-4452
Summary: jackson-databind new security issues CVE-2018-7489, CVE-2018-1202[23], CVE-2018-1471[89], CVE-2018-1472[01], CVE-2018-1936[0-2] => jackson-databind new security issues CVE-2018-7489, CVE-2018-11307, CVE-2018-1202[23], CVE-2018-1471[89], CVE-2018-1472[01], CVE-2018-1936[0-2], CVE-2019-12086
Depends on: (none) => 25266
Mageia 6 is EOL.
Status: NEW => RESOLVED
Resolution: (none) => OLD