Operating System:

[Debian]

Published:

03 February 2020

Protect yourself against future threats.

//Service

Member Security Incident Notifications

Be proactive with your security and receive our daily Member Security Incident Notifications (MSINs) custom to your network.

Read more
Resources > Security Bulletins > ESB-2020.0384 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.0384
                   libjackson-json-java security update
                              3 February 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           libjackson-json-java
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-10172 CVE-2017-15095 CVE-2017-7525

Reference:         ESB-2018.0549
                   ESB-2017.2956
                   ESB-2017.2662

Original Bulletin: 
   https://www.debian.org/lts/security/2020/dla-2091

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Package        : libjackson-json-java
Version        : 1.9.2-3+deb8u1
CVE ID         : CVE-2017-7525 CVE-2017-15095 CVE-2019-10172


Several vulnerabilities were fixed in libjackson-json-java.

CVE-2017-7525

    Jackson Deserializer security vulnerability.

CVE-2017-15095

    Block more JDK types from polymorphic deserialization.

CVE-2019-10172

    XML external entity vulnerabilities.

For Debian 8 "Jessie", these problems have been fixed in version
1.9.2-3+deb8u1.

We recommend that you upgrade your libjackson-json-java packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS

- -----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEOvp1f6xuoR0v9F3wiNJCh6LYmLEFAl40oX4ACgkQiNJCh6LY
mLHYsxAAv7d1ES/LUFwRKdAqH63N+5HR4t/d2piQXPXIwH2xEwoKWsQlBHo4+flN
Yw4yywGmBYhIXp7eZy5MMacEKkeYmrD/smEkWcmThqsCiwP62gdajd9YkitBjcfV
k9Is29paIzVgTABvdIHVBSUlH56l8ZADK7wYoyTfjlO7sDBJQtRDwyfgOgQyLmIk
UIDETFShed4LyqaPGD6MyKlCMuL/bwgU9h/gOQBWJp4STBcRXCDPISgogOE3Sifr
wT2FALPBZB6Ufc65e+HAyEmnhzEXC7RRNXqv17MrbEYjhihS6BlOcglqjz0sfnLx
sUjsz0M/jLqe835v6FBbSIzJcDwVELc9Ak1+FJckz2lib6GKLgD/zMkZhQRkbM9m
Cpwh9iLfD7N7qsCClRYPZIh/+fUq7iK5RCNhQ+3WM7VLXTb7uhgKpwGE16+NSMPC
koNL/hBEFALsLNSSJfheCIrxM8WGfqQ489+rt+v1iTyAN4GrGFaU/ZdXKq7udkSb
XKUTmMpbBvOuWEgP4KlbwcrxuQsaaLbxEQad0Ywh536SX+h4vX5uCxs8PJWSWCMm
uOa8uQJjcqodrZsmYXOZo0wcrAfEvRUFXoVKyGBgdQEbEZXAOUU+Yn5LJ1+UUGu5
UCme4a8dmvF8kRdbf1FqhIEqXwAwCtLt0ejI2j66M8kiHmsJyU4=
=tquL
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXjdmOGaOgq3Tt24GAQhn1Q//TrEOi6UB4+79STWfuFhqM4CQIpXg9J4F
O9zQ/4nDyJbTeGDbDBI7IdOsv0XIrH39rCu1P/D5rMKoaC2gBFdn+DmnpRLH76s5
pHbYHFjd4PxGHelZe6h3IefCcEmoCHHaXJmQr1Zd+Sl1AuIohSO98h9uFnq31ip7
/kulbRBo8q2SEYrqa3DgQZy2uxXYjntgBrb+ZdCJ7uvegxEKH3Ls4+LGXcYnfHBI
jICgfIgc5m/rDSRHiPeEaKjLLJsGycHXkI4B6qtXoesvAQiHNAS5bZIkyOiswLMj
drUt09XNtBq6FeCuqUSUpt/Mg7DeDHPRk559qzf01/bevaMCM+1K97E7JVOPibtW
7ijyCQA+uFS14KaP19RAbSOqHD9MWSj4grhFXca+DoNp3myvBho1umaxb8+Vd3NG
BO8qWxc1qBXj4ptuqpX4sMrW8eZ/8UU/pxNM6lsfGoJGVffyOmtP5di06R0eODaj
Cv0c/Z50pytkEcSCvoAn1yFUION7NvjzkyEiKsQn0QFn1CXG4hD0X7KkT6QF/xqd
6cAB7rM7MgANqmP3jTeaZ1sEPRB5dDpNCsyNvvWuRs8RmbMQaGDddwW8Pk78aOw/
sGSGFRDO7I6xfVLwLJm6wa1i2X7ZEALwZOWRWuNQNU9S9yUWd/PrjrhXts+tSaHZ
G5rfjsPAKYw=
=v4bg
-----END PGP SIGNATURE-----