Debian-LTS has issued an advisory on May 2: https://www.debian.org/lts/security/2022/dla-2990 The issue is fixed upstream in 2.13.0. Mageia 8 is also affected.
Status comment: (none) => Fixed upstream in 2.13.0
Whiteboard: (none) => MGA8TOO
SUSE has issued an advisory for this today (May 16): https://lists.suse.com/pipermail/sle-security-updates/2022-May/011022.html
Equivalent openSUSE advisory: https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/WTX6HAJ7KVGVZQ6APMA35RM7R7BKVSMB/
SUSE has issued an advisory on November 15: https://lists.suse.com/pipermail/sle-security-updates/2022-November/012934.html The issues are fixed upstream in 2.14.0-rc1. Mageia 8 is also affected.
Status comment: Fixed upstream in 2.13.0 => Fixed upstream in 2.14.0-rc1
Summary: jackson-databind new security issue CVE-2020-36518 => jackson-databind new security issues CVE-2020-36518 and CVE-2022-4200[34]
(In reply to David Walser from comment #3)
> SUSE has issued an advisory on November 15:
> https://lists.suse.com/pipermail/sle-security-updates/2022-November/012934.html
>
> The issues are fixed upstream in 2.14.0-rc1.
>
> Mageia 8 is also affected.

Equivalent openSUSE advisory:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/3IQ2OJSME4FMTGEF2CROURE4WDT3DEVB/
Debian has issued an advisory for this on November 17: https://www.debian.org/security/2022/dsa-5283
Debian-LTS has issued an advisory for this on November 27: https://www.debian.org/lts/security/2022/dla-3207
RedHat has issued an advisory for CVE-2020-36518 today (May 9): https://access.redhat.com/errata/RHSA-2023:2312
Whiteboard: MGA8TOO => (none)
CC: (none) => nicolas.salguero
Version: Cauldron => 9
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects. (CVE-2020-36518)

In FasterXML jackson-databind before versions 2.13.4.1 and 2.12.17.1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. (CVE-2022-42003)

In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization. (CVE-2022-42004)

References:
https://www.debian.org/lts/security/2022/dla-2990
https://lists.suse.com/pipermail/sle-security-updates/2022-May/011022.html
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/WTX6HAJ7KVGVZQ6APMA35RM7R7BKVSMB/
https://lists.suse.com/pipermail/sle-security-updates/2022-November/012934.html
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/3IQ2OJSME4FMTGEF2CROURE4WDT3DEVB/
https://www.debian.org/security/2022/dsa-5283
https://www.debian.org/lts/security/2022/dla-3207
https://access.redhat.com/errata/RHSA-2023:2312
========================

Updated packages in core/updates_testing:
========================
jackson-databind-2.11.4-2.1.mga9
jackson-databind-javadoc-2.11.4-2.1.mga9

from SRPM:
jackson-databind-2.11.4-2.1.mga9.src.rpm
Assignee: java => qa-bugs
Status: NEW => ASSIGNED
CVE: (none) => CVE-2020-36518, CVE-2022-42003, CVE-2022-42004
Source RPM: jackson-databind-2.11.4-1.mga9.src.rpm => jackson-databind-2.11.4-2.mga9.src.rpm
Status comment: Fixed upstream in 2.14.0-rc1 => (none)
Created attachment 14461 [details]
script to exercise jackson-dataformat

From GitHub with annotations from Frank Griffin and Martin Whitaker.
CC: (none) => tarazed25
mageia9, x64

Looked at /usr/share/java/. Tried `java -jar jackson-databind.jar` but that does not run without infrastructure of some kind. Out of my depth there.

$ java -jar /usr/share/java/jackson-databind.jar
no main manifest attribute, in /usr/share/java/jackson-databind.jar

Looked for PoC without success. Found a script in my qa tree under jackson, attached here.

$ javac -cp ".:/usr/share/java/*" SimpleTest.java
SimpleTest.java:10: error: package com.fasterxml.jackson.dataformat.xml does not exist
import com.fasterxml.jackson.dataformat.xml.*;
^
SimpleTest.java:33: error: cannot find symbol
ObjectMapper xmlMapper = new XmlMapper();
^
symbol: class XmlMapper
location: class SimpleTest
2 errors

It appears that the previous attempt in 2016 was more successful because there is a file in the same directory called Simple.class compiled from Simple.java using SimpleTest.java. A lot may have changed in eight years, so the code could be out of date.

Updated the two packages. The simple test still fails. I am hesitant about pushing this without an expert examining the error messages to eliminate build problems.
Keywords: (none) => advisory
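An added, runnable companion to the suggested advisory above and to the SimpleTest attempt (this is not code from the bug, from the attachment, or from the jackson project; the class name NestingDepthCheck, the helper names, and the default depth of 100000 are my own choices). It depends only on the three jackson jars the update pulls in, so it compiles with the `javac -cp ".:/usr/share/java/*"` classpath used above and does not need jackson-dataformat-xml. It builds a deeply nested array document, shows that the streaming parser can measure nesting depth without recursion, and reports whether data binding bounds the input (a depth check fired) or overflows the stack (the behaviour CVE-2020-36518 describes); readBounded is the application-level guard that works on releases with no built-in limit.

```java
import com.fasterxml.jackson.core.JsonFactory;
import com.fasterxml.jackson.core.JsonParser;
import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.ObjectMapper;

import java.io.IOException;

// Hypothetical QA helper (not part of jackson-databind or the Mageia package):
// exercises the deep-nesting behaviour described by CVE-2020-36518 using only
// jackson-core, jackson-annotations and jackson-databind from /usr/share/java.
public class NestingDepthCheck {

    /** Constructed input: a document of the form [[[ ... ]]] nested `depth` levels deep. */
    static String nestedArrays(int depth) {
        StringBuilder sb = new StringBuilder(depth * 2);
        for (int i = 0; i < depth; i++) sb.append('[');
        for (int i = 0; i < depth; i++) sb.append(']');
        return sb.toString();
    }

    /**
     * Mitigation usable with any 2.x release: measure nesting with the streaming
     * parser before data binding. JsonParser keeps its context as a linked list
     * rather than on the call stack, so this loop cannot overflow, and a caller
     * can refuse documents above an application-chosen limit up front.
     */
    static int maxNestingDepth(String json) throws IOException {
        int max = 0;
        try (JsonParser p = new JsonFactory().createParser(json)) {
            while (p.nextToken() != null) {
                max = Math.max(max, p.getParsingContext().getNestingDepth());
            }
        }
        return max;
    }

    /** Guarded bind: reject anything deeper than `limit` instead of letting the deserializers recurse into it. */
    static Object readBounded(ObjectMapper mapper, String json, int limit) throws IOException {
        int depth = maxNestingDepth(json);
        if (depth > limit) {
            throw new IOException("nesting depth " + depth + " exceeds limit " + limit);
        }
        return mapper.readValue(json, Object.class);
    }

    /**
     * What the data-binding layer does with the raw document:
     *   "stack-overflow" - the untyped deserializer recursed until the stack ran out
     *                      (the vulnerable behaviour);
     *   "rejected"       - a bounded JsonProcessingException, i.e. a depth check fired;
     *   "parsed"         - the document was shallow enough for the current stack.
     */
    static String classify(ObjectMapper mapper, String json) {
        try {
            mapper.readValue(json, Object.class);
            return "parsed";
        } catch (StackOverflowError e) {
            return "stack-overflow";
        } catch (JsonProcessingException e) {
            return "rejected";
        }
    }

    public static void main(String[] args) throws IOException {
        int depth = args.length > 0 ? Integer.parseInt(args[0]) : 100_000; // assumed default
        ObjectMapper mapper = new ObjectMapper();
        String json = nestedArrays(depth);

        System.out.println("streaming depth measured: " + maxNestingDepth(json));
        System.out.println("raw data binding:         " + classify(mapper, json));
        try {
            readBounded(mapper, json, 1000);
            System.out.println("guarded bind:             accepted");
        } catch (IOException e) {
            System.out.println("guarded bind:             " + e.getMessage());
        }
    }
}
```

Compile and run with `javac -cp ".:/usr/share/java/*" NestingDepthCheck.java` followed by `java -cp ".:/usr/share/java/*" NestingDepthCheck 100000`. On a build without the backported checks the second line reads `stack-overflow` once the depth exceeds what the JVM stack can hold; on a patched build it reads `rejected`, and the guarded bind refuses the document either way, which is the outcome a QA run should look for.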
VM mageia 9 x86_64

Install current version, update to testing version and uninstall

LC_ALL=C urpmi jackson-databind jackson-databind-javadoc
To satisfy dependencies, the following packages are going to be installed:
  Package                        Version      Release       Arch
(medium "Core Release")
  jackson-annotations            2.11.4       2.mga9        noarch
  jackson-core                   2.11.4       2.mga9        noarch
  jackson-databind               2.11.4       2.mga9        noarch
  jackson-databind-javadoc       2.11.4       2.mga9        noarch
45MB of additional disk space will be used.
3.4MB of packages will be retrieved.
Proceed with the installation of the 4 packages? (Y/n) y
https://mirrors.kernel.org/mageia/distrib/9/x86_64/media/core/release/jackson-core-2.11.4-2.mga9.noarch.rpm
https://mirrors.kernel.org/mageia/distrib/9/x86_64/media/core/release/jackson-databind-javadoc-2.11.4-2.mga9.noarch.rpm
https://mirrors.kernel.org/mageia/distrib/9/x86_64/media/core/release/jackson-annotations-2.11.4-2.mga9.noarch.rpm
https://mirrors.kernel.org/mageia/distrib/9/x86_64/media/core/release/jackson-databind-2.11.4-2.mga9.noarch.rpm
installing jackson-databind-2.11.4-2.mga9.noarch.rpm jackson-annotations-2.11.4-2.mga9.noarch.rpm jackson-databind-javadoc-2.11.4-2.mga9.noarch.rpm jackson-core-2.11.4-2.mga9.noarch.rpm from /var/cache/urpmi/rpms
Preparing...                     ###########################################################################################
      1/4: jackson-core           ###########################################################################################
      2/4: jackson-annotations    ###########################################################################################
      3/4: jackson-databind       ###########################################################################################
      4/4: jackson-databind-javadoc ###########################################################################################

LC_ALL=C urpmi --auto --auto-update
medium "QA Testing (64-bit)" is up-to-date
medium "Core Release" is up-to-date
https://mirrors.kernel.org/mageia/distrib/9/x86_64/media/core/updates/media_info/20240316-013725-synthesis.hdlist.cz
updated medium "Core Updates"
medium "Nonfree Release" is up-to-date
medium "Nonfree Updates" is up-to-date
medium "Tainted Release" is up-to-date
medium "Tainted Updates" is up-to-date
installing jackson-databind-2.11.4-2.1.mga9.noarch.rpm jackson-databind-javadoc-2.11.4-2.1.mga9.noarch.rpm from //home/qateam/qa-testing/x86_64
Preparing...                     ###########################################################################################
      1/2: jackson-databind-javadoc ###########################################################################################
      2/2: jackson-databind       ###########################################################################################
      1/2: removing jackson-databind-javadoc-2.11.4-2.mga9.noarch ###########################################################################################
      2/2: removing jackson-databind-2.11.4-2.mga9.noarch ###########################################################################################

[root@localhost ~]# LC_ALL=C urpme $(rpm -qa|grep jackson-databind)
removing jackson-databind-2.11.4-2.1.mga9.noarch jackson-databind-javadoc-2.11.4-2.1.mga9.noarch
removing package jackson-databind-2.11.4-2.1.mga9.noarch
      1/2: removing jackson-databind-2.11.4-2.1.mga9.noarch ###########################################################################################
removing package jackson-databind-javadoc-2.11.4-2.1.mga9.noarch
      2/2: removing jackson-databind-javadoc-2.11.4-2.1.mga9.noarch ###########################################################################################
writing /var/lib/rpm/installed-through-deps.list
The following packages:
glibc-devel-2.36-52.mga9.x86_64
jackson-annotations-2.11.4-2.mga9.noarch
jackson-core-2.11.4-2.mga9.noarch
kernel-userspace-headers-6.6.18-1.mga9.x86_64
lib64xcrypt-devel-4.4.33-3.mga9.x86_64
are now orphaned, if you wish to remove them, you can use "urpme --auto-orphans"

LC_ALL=C urpme --auto-orphans --auto
removing glibc-devel-2.36-52.mga9.x86_64 jackson-annotations-2.11.4-2.mga9.noarch jackson-core-2.11.4-2.mga9.noarch kernel-userspace-headers-6.6.18-1.mga9.x86_64 lib64xcrypt-devel-4.4.33-3.mga9.x86_64
removing package glibc-devel-6:2.36-52.mga9.x86_64
      1/5: removing glibc-devel-6:2.36-52.mga9.x86_64 ###########################################################################################
removing package lib64xcrypt-devel-4.4.33-3.mga9.x86_64
      2/5: removing lib64xcrypt-devel-4.4.33-3.mga9.x86_64 ###########################################################################################
removing package kernel-userspace-headers-6.6.18-1.mga9.x86_64
      3/5: removing kernel-userspace-headers-6.6.18-1.mga9.x86_64 ###########################################################################################
removing package jackson-core-2.11.4-2.mga9.noarch
      4/5: removing jackson-core-2.11.4-2.mga9.noarch ###########################################################################################
removing package jackson-annotations-2.11.4-2.mga9.noarch
      5/5: removing jackson-annotations-2.11.4-2.mga9.noarch ###########################################################################################
CC: (none) => andrewsfarm
Previous rounds (https://bugs.mageia.org/show_bug.cgi?id=25266) were validated on the basis of a clean install. Let me know if I made a mistake.
CC: (none) => sysadmin-bugs
Whiteboard: (none) => MGA9-64-OK
Keywords: (none) => validated_update
(In reply to katnatek in comment 12) Not a mistake; a decision which we often have to make when we reach a dead end.
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2024-0069.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED