-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.3722
                      jackson-databind security update
                               4 October 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           jackson-databind
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-16943 CVE-2019-16942 CVE-2019-16335 CVE-2019-14540

Original Bulletin:
   https://lists.debian.org/debian-lts-announce/2019/10/msg00001.html

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : jackson-databind
Version        : 2.4.2-2+deb8u9
CVE ID         : CVE-2019-14540 CVE-2019-16335 CVE-2019-16942 CVE-2019-16943
Debian Bug     : 940498 941530

More deserialization flaws were discovered in jackson-databind relating to
the classes in com.zaxxer.hikari.HikariConfig, com.zaxxer.hikari.HikariDataSource,
commons-dbcp and com.p6spy.engine.spy.P6DataSource, which could allow an
unauthenticated user to perform remote code execution. The issue was resolved
by extending the blacklist and blocking more classes from polymorphic
deserialization.

For Debian 8 "Jessie", these problems have been fixed in version
2.4.2-2+deb8u9.

We recommend that you upgrade your jackson-databind packages.
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

- -----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEErPPQiO8y7e9qGoNf2a0UuVE7UeQFAl2VKUpfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEFD
RjNEMDg4RUYzMkVERUY2QTFBODM1RkQ5QUQxNEI5NTEzQjUxRTQACgkQ2a0UuVE7
UeQVtA//W6ZHx4bRdGm9QLpcZziBwUScasGw+IZGoa6K8RGo33IZyciVTXeTsLRO
WZrS4wRu1Z5U84pOlP6XkXnarty4r1NtdtSRR82OOiXuY++rIYj8VNvPhtEljApT
udw9onmDk7KIvvY9yhXpqjtgU+mKHs41sKM2Y4T5QHOIk62oTZY0Jtzf/EtSWRO6
xmYB/UHOXcXnB8uypd/fkx8NsAngQzJiqmK2Ongx27lca+BaPWRSoVKZo0HYCu4M
PvzVvCiL8VlbiptvA3OCGJG2K0a/M51hUr4pwznnMtU0OVq1DS173KFtwzcDLk6a
zWkXQyRFrjL6FuEQ6volExhklRzk65Ghjf7XT7xzJYkcizb741yfznuDl6umyM2w
lUtA6DW1peXEtA8Y7Szg7mUlGxipdFx+L1MrIA9AJJWpkNnf2OG4v2Gzo/0bYgHu
hzbhwOaXPu8DKyiYlNV87zMkPdknfDjp8P2CmwLYhrDkKxfD5JNdjrTuTxM2uMqK
FCCHUHlUyxzY0gr7i0k9v94AURm33B5+7iyQ9nJ3sGwZNDL/CyhwoI3JtMuOvRVE
kZ2fmZQK33OVpbQUSadRdJ7t0ZIt7EgYPq/eg2L7b1lIWLYiapNfy41XOFX7KvWr
4QbEEZtWRtYor4e4WaJbKGn3R9qa1DvD4qH6h2ukTsovJZGE030=
=wObA
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.
The decision to follow or act on information or advice contained in this
security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies
and procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXZZ3nWaOgq3Tt24GAQgPAw/9FTi+gr3QJ/+7kCX4VjBD3pJdUU/B2l5I
Wdfj9MTimTmLElfY7TAnWIvxUuugtsdYRDZG4D66EDltxjwWanvNsoYqCyaBwjQ+
CbwwjRZxImCP+7aDBY+yP/3sb1AyWsflWV7CDlz0w+kSEbnfEhfUXSouW1zsv1mJ
TpCm/x1dsKqhV5r++X9bCCOx7BvsOU2CJvhIgv4zEDv8cuwSSBBL+2ukO8DTQ/Hx
OqsdOAhgvXWAitwdrEkf5037ZrXWwSSkxVEYRI74wi9ubJFMTV8305v0YbSZujr1
UhZI0CaJFp3E6yRKj6f2Ul4tOitJfithQTYhfNwSD08EAbMM34rGwhzx+VJX1YBE
2KRIM4sTTkx2XjVSn8fcep845LyZ3wQ3QwCXw3zS6esxvPydr0tWMUupTeZpY7pM
+teJXno5RgJDbLzWNYl0mYJq3+QXwVIvSceZ02U6rF+PMnMLUvf0iigmrs4BZfHd
btYDJkuzy9CUPYzP+49YVwHtogsPeGavMKbuUc8OjgAhXrvf9lEFeIfm0e9zRQuH
0DeoWC59p2t7az6/VqGdSueEl0/ev5xniGIYQfsl4SjpeLXhsDZhG2enYNrDPCcW
PmRxyhZoNKrxIzU7C7aKPjpTvbFA2S7IHvPRhm58PgUfpuJQdCJ06CNZPsKIY5lb
Or1f3q7guUw=
=iSQz
-----END PGP SIGNATURE-----
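Added example for readers of this bulletin (not part of the Debian advisory or the AusCERT text): the Debian note says the fix "extended the blacklist" of classes blocked from polymorphic deserialization. That list is only consulted when an application has turned on default typing or exposes an Object-typed property with class-name type ids, so the practical check is whether your own code does either. The snippet below shows the configuration that makes a service reachable by this class of CVE, the allowlist-based hardening, and the preferred closed-set design. It assumes jackson-databind 2.10 or later for the PolymorphicTypeValidator API; the Jessie package (2.4.2) predates that API, so on 2.4.x the only safe options are the last two patterns (no default typing, and explicitly enumerated subtypes). The class names com.example.model, Config, TypedConfig, DataSourceSpec and JdbcSpec and both JSON documents are constructed for the example.

```java
// Added example; not code from jackson-databind, Debian or AusCERT.
// Assumes jackson-databind >= 2.10 on the classpath. Class names and
// payloads below are constructed for illustration.
import com.fasterxml.jackson.annotation.JsonSubTypes;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class PolymorphicDeserialization {

    /** A bean with an Object-typed property: the sink every "gadget class" CVE targets. */
    public static class Config {
        public String name;
        public Object dataSource;   // with default typing, the JSON picks the concrete class
    }

    /** Constructed payload in the "[class-name, {props}]" shape Jackson uses for default typing. */
    static final String PAYLOAD =
        "{\"name\":\"db\",\"dataSource\":[\"com.zaxxer.hikari.HikariConfig\",{}]}";

    /** The dangerous configuration (present since 2.4, deprecated in 2.10). */
    @SuppressWarnings("deprecation")
    static ObjectMapper vulnerableMapper() {
        ObjectMapper m = new ObjectMapper();
        // Any non-final class named in the input is resolved by name; only Jackson's
        // built-in denylist of class names stands between the input and a gadget class.
        m.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL);
        return m;
    }

    /** Hardened: default typing is only honoured for subtypes under our own package. */
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
            .allowIfSubType("com.example.model.")   // allowlist, not denylist
            .build();
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return m;
    }

    /** Preferred: no default typing at all; the admissible types are enumerated. */
    @JsonTypeInfo(use = JsonTypeInfo.Id.NAME, property = "kind")
    @JsonSubTypes({ @JsonSubTypes.Type(value = JdbcSpec.class, name = "jdbc") })
    public interface DataSourceSpec {}
    public static class JdbcSpec implements DataSourceSpec { public String url; }
    public static class TypedConfig {
        public String name;
        public DataSourceSpec dataSource;   // logical name "jdbc", never a class name
    }
    static final String TYPED_PAYLOAD =
        "{\"name\":\"db\",\"dataSource\":{\"kind\":\"jdbc\",\"url\":\"jdbc:h2:mem:x\"}}";

    public static void main(String[] args) throws Exception {
        // Vulnerable: the type id is treated as a class name to load. Whether it is
        // stopped depends on whether that name is already on the denylist.
        try {
            vulnerableMapper().readValue(PAYLOAD, Config.class);
            System.out.println("vulnerable mapper: type id accepted");
        } catch (Exception e) {
            System.out.println("vulnerable mapper: " + e.getClass().getSimpleName());
        }
        // Hardened: rejected by the allowlist before the class is resolved.
        try {
            hardenedMapper().readValue(PAYLOAD, Config.class);
        } catch (InvalidTypeIdException e) {
            System.out.println("hardened mapper: rejected type id " + e.getTypeId());
        }
        // Preferred: a plain mapper, a closed set of subtypes, no class names in the JSON.
        TypedConfig tc = new ObjectMapper().readValue(TYPED_PAYLOAD, TypedConfig.class);
        System.out.println("typed config: " + ((JdbcSpec) tc.dataSource).url);
    }
}
```

To audit a code base for exposure, search for enableDefaultTyping, activateDefaultTyping and @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS) (or Id.MINIMAL_CLASS) on properties typed Object, Serializable or a broad interface; each hit is a place where the denylist in this update is the only control, and upgrading the package without removing that configuration leaves the next gadget class open.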