Remote code execution in jackson-databind, Hacker News

• To:[email protected]
• Subject: [SECURITY] [DSA 4542-1] jackson-databind security update
• From: Sebastien [email protected]

>

• Date: Sun, (Oct) 08: 28: 37 0000
• Message-id:[🔎]E1iH1u9- 00048 [email protected]>
• Reply-to:
• [email protected]

----- BEGIN PGP SIGNED MESSAGE ----- Hash: SHA 512  - ------------------------------------------------- ------------------------ Debian Security Advisory DSA - 4542 - 1 [email protected]https://www.debian.org/security/Sebastien Delafond October 06, 2019https://www.debian.org/security/faq- ------------------------------------------------- ------------------------  Package: jackson-databind CVE ID: CVE - 2019 - 12384 CVE - 2019 - 14439 CVE - 2019 - 14540 CVE - 2019 - 16335                  CVE - 2019 - 16942 CVE - 2019 - 16943 Debian Bug: 941530  933393 930750  It was discovered that jackson-databind, a Java library used to parse JSON and other data formats, did not properly validate user input before attempting deserialization. This allowed an attacker providing maliciously crafted input to perform code execution, or read arbitrary files on the server.  For the oldstable distribution (stretch), these problems have been fixed in version 2.8.6-1   deb9u6.  For the stable distribution (buster), these problems have been fixed in version 2.9.8-3   deb 10 u1.  We recommend that you upgrade your jackson-databind packages.  For the detailed security status of jackson-databind please refer to its security tracker page at:https://security-tracker.debian.org/tracker/jackson-databindFurther information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at:https://www.debian.org/security/Mailing list: [email protected] ----- BEGIN PGP SIGNATURE -----  iQEzBAEBCgAdFiEEAqSkbVtrXP4xJMh3EL6Jg / PVnWQFAl2ZpPgACgkQEL6Jg / PV nWTg1QgArRk3fUf / k 14 rPha6GlJnWtRu2tZli 07 NzxtebAI2Ra8vKHkv1F3xSBjx tnauaRmJXonoU7t1TU  (O / F7xkxX)  NXym3YyrJ4   5ac6OtGmstSkMW1CmEiS8Z7 RaQQqY8GTJe5VTjiPon   lvdxyoFIDbp3nUGj8sshrULtKQX3Bjc9dotXyu0M3 / 7o QjsFAOLpytx / nMS1O 93 rqHuO 381 plbaAi5EYgAPv 737 tV8lVH3li 56 FYTKRMVjEg BkBpkaDGWhqoYvTu4WviyCyon0V5PgtHuD8SkN / 39 QqiYoDCzfa0xPjZ3a 44 G0kR C6qF8E4WIw 465 wLrRLCuuybG6 / ZrzA===Gifd ----- END PGP SIGNATURE -----

Reply to:

• [email protected]

  

• >Sebastien Delafond (on-list)

  

• Sebastien Delafond (off-list)

• Prev by Date:[SECURITY] [DSA 4541-1] libapreq2 security update
• Previous by thread:[SECURITY] [DSA 4541-1] libapreq2 security update
• Index (es):
  • (Date
  • (Thread) ************************** ()