Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker
Commits:
acc06707 by Salvatore Bonaccorso at 2020-03-02T09:24:50+01:00
Add three jackson-databind issues
Note those will be fixed at some point as well in the 2.10 series, but
with the default being safer upstream does not fix those right away in
the master branch and rather only in the older supported branches.
Likely we can mark those as no-dsa for stretch and buster as there is a
constant stream of such issues finding more gadgets to be blocked.
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -4,11 +4,20 @@ CVE-2020-9549 (In PDFResurrect 0.12 through 0.19, get_type in
pdf.c has an out-o
- pdfresurrect <unfixed>
NOTE: https://github.com/enferex/pdfresurrect/issues/8
CVE-2020-9548 (FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the
interact ...)
- TODO: check
+ - jackson-databind <unfixed>
+ NOTE: https://github.com/FasterXML/jackson-databind/issues/2634
+ NOTE: Starting from 2.10 series mitigated as Safe Default Typing is
enabled by
+ NOTE: but still an issue when Default Typing is enabled.
CVE-2020-9547 (FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the
interact ...)
- TODO: check
+ - jackson-databind <unfixed>
+ NOTE: https://github.com/FasterXML/jackson-databind/issues/2634
+ NOTE: Starting from 2.10 series mitigated as Safe Default Typing is
enabled by
+ NOTE: but still an issue when Default Typing is enabled.
CVE-2020-9546 (FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the
interact ...)
- TODO: check
+ - jackson-databind <unfixed>
+ NOTE: https://github.com/FasterXML/jackson-databind/issues/2631
+ NOTE: Starting from 2.10 series mitigated as Safe Default Typing is
enabled by
+ NOTE: but still an issue when Default Typing is enabled.
CVE-2020-9545 (Pale Moon 28.8.x before 28.8.4 has a segmentation fault related
to mod ...)
TODO: check
CVE-2020-9544
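Review bot: the second NOTE line added to each of the three jackson-databind entries ("Starting from 2.10 series mitigated as Safe Default Typing is enabled by") stops mid-sentence before the following "NOTE: but still an issue when Default Typing is enabled."; please finish the sentence so the mitigation statement is unambiguous, or fold the two NOTE lines into one. The commit message also says these will likely be no-dsa for stretch and buster, yet the hunk adds only the unstable "- jackson-databind <unfixed>" line for CVE-2020-9546, CVE-2020-9547 and CVE-2020-9548 with no per-release annotation; either add the stretch/buster no-dsa entries now or leave a TODO so the triage decision is not lost. Minor: CVE-2020-9547 and CVE-2020-9548 both reference issue 2634 while CVE-2020-9546 references 2631; worth a quick check that the upstream issue numbers are matched to the right CVEs.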
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/acc06707f7a256a6707b5ec0f8a4db50493e4481
_______________________________________________
debian-security-tracker-commits mailing list
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits