Your message dated Mon, 12 Aug 2019 23:34:30 +0000
with message-id <e1hxjpe-0001nk...@fasolo.debian.org>
and subject line Bug#933393: fixed in jackson-databind 2.9.9.3-1
has caused the Debian Bug report #933393,
regarding jackson-databind: CVE-2019-14439 CVE-2019-14379
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
933393: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=933393
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: jackson-databind
Version: 2.9.8-3
Severity: grave
Tags: security upstream
Justification: user security hole

Hi,

The following vulnerabilities were published for jackson-databind.

CVE-2019-14361[0]:
| block logback/jndi

CVE-2019-14379[1]:
| SubTypeValidator.java in FasterXML jackson-databind before 2.9.9.2
| mishandles default typing when ehcache is used, leading to remote code
| execution.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-14361
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14361
[1] https://security-tracker.debian.org/tracker/CVE-2019-14379
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14379
[2] https://github.com/FasterXML/jackson-databind/issues/2387
[3] https://github.com/FasterXML/jackson-databind/issues/2389
[4] https://github.com/FasterXML/jackson-databind/commit/ad418eeb974e357f2797aef64aa0e3ffaaa6125b

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: jackson-databind
Source-Version: 2.9.9.3-1

We believe that the bug you reported is fixed in the latest version of
jackson-databind, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 933...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Markus Koschany <a...@debian.org> (supplier of updated jackson-databind package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 13 Aug 2019 00:26:52 +0200
Source: jackson-databind
Architecture: source
Version: 2.9.9.3-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintain...@lists.alioth.debian.org>
Changed-By: Markus Koschany <a...@debian.org>
Closes: 933393
Changes:
 jackson-databind (2.9.9.3-1) unstable; urgency=medium
 .
   * Team upload.
   * New upstream version 2.9.9.3.
     - Fix CVE-2019-14439 and CVE-2019-14379. Thanks to Salvatore Bonaccorso for
       the report. (Closes: #933393)
   * Drop all patches. These are all part of the latest upstream release.
   * Switch to debhelper-compat = 12.
   * Declare compliance with Debian Policy 4.4.0.

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
