Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2019.4601
jackson-databind security update
11 December 2019
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: jackson-databind
Publisher: Debian
Operating System: Debian GNU/Linux 8
Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2019-17531 CVE-2019-17267
Reference: ESB-2019.4585
ESB-2019.4324
ESB-2019.3949
Original Bulletin:
https://lists.debian.org/debian-lts-announce/2019/12/msg00013.html
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Package : jackson-databind
Version : 2.4.2-2+deb8u10
CVE ID : CVE-2019-17267 CVE-2019-17531
More deserialization flaws were discovered in jackson-databind which
could allow an unauthenticated user to perform remote code execution.
The issue was resolved by extending the blacklist and blocking more
classes from polymorphic deserialization.
For Debian 8 "Jessie", these problems have been fixed in version
2.4.2-2+deb8u10.
We recommend that you upgrade your jackson-databind packages.
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
- -----BEGIN PGP SIGNATURE-----
iQKTBAEBCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAl3v6dJfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7
UeTAkQ//T3ec5xV91lcC7u9kGlDDnYEzxlDF9RSiVOXfjI75yPd6vhYBoxHh+OCZ
ifJ5skjUf5dsRHmGtdoLPUcQ3hNu4U7Td7rHh5i9m1rROaKVOfmke/98hCt4H2dh
LHWR6FCK6F6Qi/5EvzTgu1pP2UB+QbWgt8sy3Ria0lU9+K46G967A7JWhODdkeno
Bgjv9L1dB/wvraYfBRBeC3OmvJo9J+gDUKd6Asf/hsodGB1X5CynpxjVu46ejwff
uGnW73K4HZycok8BV2jn+cFE5FQWwNISibX4RcuUOwFv428tkNSxYoED9E9XxaVQ
uBTbjnuTPHxgdyu9+oPJVrGl4mQJmrNwcNgJvgQxqi8AbN/DpmQAwCoc8g3P1Yd6
+9Dl3lmX+NTE43QAGl+bTms/DHy/4VPsPV2qpw65rHKPphQBwKifVTPrXaIuPfRq
2c2Sij8m4wa3MlbYTTIOMtJS8mmd65V+EJlrFk4KeHf08prZjY44K652cJaSPCO4
L5g+WAIPKaLWG5j5hlBtHpIcq+185FwWFBTB3JsACtEiFBzz4Y1Lm0Pi0DU/nhj6
z+43IOC9I4k1t12/ff9mWNrtQNJsEMwhZv/hnbNcIRzyJSpzV22+1aSlcoibTvfg
cb5oERNVAXEjc7g15Kclp5oycS6A4wtUv/uuFQIMSJ2B20cdNPY=
=k6JS
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBXfAhGGaOgq3Tt24GAQiGLxAAoR0at4gI3QkucJOJODlYJHK3QnT/OdON
6JwlHlApo6uGViEXNGaW4omMjJu7gtmOd6PPpl1TbMtDzi4pMyZnwHctH/E4za3q
OqAytPPHcAnIxGQj00hFUktkrtJViR+5jBlB/WRlOmshpUWot/y1Wu43lxS9gX1W
To6gZc6Me2Cx3AyrV3twqBP08r91q+YraZ6jcO96jpy8oZmt+ARmQR4bnQ0gr9iF
6JjSAXXWVMnJVf2ZlQweRuPFPDV04SlSMoFo9r+Gp473WLA9lQlasYQfrrhzH+qw
e40U9tzNSJwKuZAV59ALCUG41RGx7pEH8SadGKmXs4NsyflDWJ1yz5fmk2m+aM8B
IDOzG47sux2ruY1s1KYeFoZ0oZP2AV6UwcPZmU7OviY3DzIg9gbH32I9XoxzyOET
u4WN0SoEku7/5RXH6sRmZIhHpkISANw2JkHp1je97K4Z7b3Cq1WuABM6UdqoBsQo
Wdrra8phmvk189Dk5CPTEpw4xE7Nna/Wo8IA7UGklYM8AIpS4U7Pp2d1Kzhgxblp
lbdTWfksPFeGEweIZ5+a8D+aSwNOsN7rNte3AmSKTCMufgxE8WagIX+mU0FkGv1U
gSCnGjKIpvhO0y/ncMc/HWLLgeWUC5gpOj9yIHRi/XCopCZ9p8Z1wU8B1WM9z5qZ
dRKpfe8bKlo=
=tZA+
-----END PGP SIGNATURE-----