-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.2280
                      jackson-databind security update
                                 2 July 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           jackson-databind
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Reduced Security -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-14195 CVE-2020-14062 CVE-2020-14061
                   CVE-2020-14060

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Package        : jackson-databind
Version        : 2.4.2-2+deb8u15
CVE ID         : CVE-2020-14060 CVE-2020-14061 CVE-2020-14062 CVE-2020-14195

There were several CVEs reported against src:jackson-databind, which are
as follows:

CVE-2020-14060

    FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the
    interaction between serialization gadgets and typing, related to
    oadd.org.apache.xalan.lib.sql.JNDIConnectionPool (aka apache/drill).

CVE-2020-14061

    FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the
    interaction between serialization gadgets and typing, related to
    oracle.jms.AQjmsQueueConnectionFactory,
    oracle.jms.AQjmsXATopicConnectionFactory,
    oracle.jms.AQjmsTopicConnectionFactory,
    oracle.jms.AQjmsXAQueueConnectionFactory, and
    oracle.jms.AQjmsXAConnectionFactory (aka weblogic/oracle-aqjms).

CVE-2020-14062

    FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the
    interaction between serialization gadgets and typing, related to
    com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool (aka xalan2).

CVE-2020-14195

    FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the
    interaction between serialization gadgets and typing, related to
    org.jsecurity.realm.jndi.JndiRealmFactory (aka org.jsecurity).
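All four CVE descriptions above concern the same mechanism: with default typing enabled, a class name carried in the JSON decides which class Jackson instantiates, and the upstream fixes for this family of issues each add the named classes to jackson-databind's internal blocklist. The following is an added illustration, not code from Debian, AusCERT or FasterXML, showing that weak configuration beside the allowlist form that makes the application, not the input, choose the type. It assumes the jackson-databind 2.10+ API (BasicPolymorphicTypeValidator, activateDefaultTyping), which the Debian 8 package 2.4.2-2+deb8u15 does not provide, and the Event/Login types are hypothetical.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class DefaultTypingHardening {
    // Hypothetical application hierarchy: the only types a JSON type id should ever select.
    public interface Event {}
    public static class Login implements Event { public String user; }
    // Weak: legacy global default typing with no allowlist. Any class name in the JSON that
    // is not on Jackson's internal blocklist is resolved and instantiated, which is the
    // behaviour each CVE above patches by blocklisting one more class.
    static ObjectMapper weakMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping(); // deprecated in 2.10 because of exactly this risk
        return m;
    }

    // Hardened: default typing stays on, but only subtypes of Event may be resolved.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(Event.class)
                .build();
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return m;
    }

    // Default typing encodes values as ["<class name>", <value>]; both payloads are constructed.
    static String typed(String className, String body) {
        return "[\"" + className + "\", " + body + "]";
    }

    public static void main(String[] args) throws Exception {
        String legit = typed(Login.class.getName(), "{\"user\":\"alice\"}");
        String unlisted = typed("java.util.HashMap", "{}"); // harmless stand-in for any unexpected class
        // Weak mapper: the JSON, not the application, decides the class (a HashMap here).
        System.out.println("weak: " + weakMapper().readValue(unlisted, Object.class).getClass().getName());
        // Hardened mapper: the application type still works ...
        Event e = (Event) hardenedMapper().readValue(legit, Object.class);
        System.out.println("allowed: " + e.getClass().getSimpleName());
        // ... but anything outside the allowlist is refused at type resolution, before instantiation.
        try {
            hardenedMapper().readValue(unlisted, Object.class);
        } catch (InvalidTypeIdException ex) {
            System.out.println("denied: " + ex.getMessage());
        }
    }
}
```

Upgrading to the fixed package closes the four listed gadgets; the allowlist keeps the next unlisted class from mattering.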
For Debian 8 "Jessie", these problems have been fixed in version
2.4.2-2+deb8u15.

We recommend that you upgrade your jackson-databind packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the
appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no
control over its content.
The decision to follow or act on information or advice contained in this
security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies
and procedures. AusCERT takes no responsibility for consequences which
may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----