===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.1878
                     jackson-databind security update
                                27 May 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           jackson-databind
Publisher:         Debian
Operating System:  Debian GNU/Linux 9
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Access Confidential Data        -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-12086 CVE-2018-19362 CVE-2018-19361
                   CVE-2018-19360 CVE-2018-14721 CVE-2018-14720
                   CVE-2018-14719 CVE-2018-14718 CVE-2018-12023
                   CVE-2018-12022 CVE-2018-11307 

Reference:         ESB-2019.1827
                   ESB-2019.0674

Original Bulletin: 
   http://www.debian.org/security/2019/dsa-4452

--------------------------BEGIN INCLUDED TEXT--------------------

-------------------------------------------------------------------------
Debian Security Advisory DSA-4452-1                   security@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
May 24, 2019                          https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : jackson-databind
CVE ID         : CVE-2018-11307 CVE-2018-12022 CVE-2018-12023 CVE-2018-14718 
                 CVE-2018-14719 CVE-2018-14720 CVE-2018-14721 CVE-2018-19360 
                 CVE-2018-19361 CVE-2018-19362 CVE-2019-12086

Multiple security issues were found in jackson-databind, a Java library
to parse JSON and other data formats which could result in information
disclosure or the execution of arbitrary code.

For the stable distribution (stretch), these problems have been fixed in
version 2.8.6-1+deb9u5.

We recommend that you upgrade your jackson-databind packages.

For the detailed security status of jackson-databind please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/jackson-databind

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

--------------------------END INCLUDED TEXT--------------------

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================