On Wed, Jan 24, 2018 at 11:11:13PM +0100, Salvatore Bonaccorso wrote:
> Source: jackson-databind
> Version: 2.9.1-1
> Severity: grave
> Tags: security upstream
> Forwarded: https://github.com/FasterXML/jackson-databind/issues/1855
>
> Hi,
>
> the following vulnerability was published for jackson-databind.
>
> CVE-2017-17485[0]:
> | FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3
> | allows unauthenticated remote code execution because of an incomplete
> | fix for the CVE-2017-7525 deserialization flaw. This is exploitable by
> | sending maliciously crafted JSON input to the readValue method of the
> | ObjectMapper, bypassing a blacklist that is ineffective if the Spring
> | libraries are available in the classpath.
>
> Please note in the security-tracker we initially marked this issue as
> not-affected, since Red Hat claimed in [2] that it was an incomplete
> fix specific to some Red Hat packages.
> Could you double-check this and, in case this bug was wrongly opened,
> report back? But it looks like the corresponding changes would as well
> be missing from the Debian package.
From a quick skim over the applied patches in stable I would say we missed those as well.

Regards,
Salvatore
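The CVE text above describes the mechanism but not what it looks like in application code. The following is an added illustration, not code from the bug report, from jackson-databind or from Debian: it shows the configuration that makes readValue instantiate attacker-named classes (default typing), beside a hardened configuration that confines polymorphism to an explicit allow-list. The classes Envelope, SideEffectBean, Message, Note and SafeEnvelope, the package name example and the JSON documents are all constructed for this demonstration; SideEffectBean stands in for a gadget class and only records a string, so nothing here is an exploit.

```java
package example;

import com.fasterxml.jackson.annotation.JsonSubTypes;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;

public class DefaultTypingDemo {

    // Hypothetical holder whose field is declared as a non-final type, so
    // default typing (DefaultTyping.NON_FINAL) lets the JSON choose its class.
    public static class Envelope {
        public Object payload;
    }

    // Hypothetical stand-in for a gadget: a bean whose setter has a side effect.
    // Here the effect is harmless; with real gadgets on the classpath the same
    // path reaches whatever their constructors and setters do.
    public static class SideEffectBean {
        public static String lastCommand;
        public void setCommand(String command) { lastCommand = command; }
    }

    // Constructed attacker-controlled document. The two-element array form
    // ["fully.qualified.Name", {...}] is Jackson's default-typing encoding of a
    // type id; the sender, not the application, picks the class name.
    static final String PAYLOAD =
        "{\"payload\":[\"example.DefaultTypingDemo$SideEffectBean\","
        + "{\"command\":\"from-attacker\"}]}";

    // Vulnerable configuration: every non-final declared type accepts a type id
    // from the input. The original CVE-2017-7525 fix blacklisted known gadget
    // classes, which is why another class on the classpath (the CVE above cites
    // Spring) bypasses it: a blacklist cannot enumerate the whole classpath.
    static SideEffectBean vulnerable() throws Exception {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL);
        Envelope env = mapper.readValue(PAYLOAD, Envelope.class);
        return (SideEffectBean) env.payload;   // class chosen by the JSON
    }

    // Hardened: default typing stays off. Where polymorphism is genuinely
    // needed, the base type declares a closed set of logical names, so the
    // JSON can only select among classes the application listed.
    @JsonTypeInfo(use = JsonTypeInfo.Id.NAME, property = "type")
    @JsonSubTypes({ @JsonSubTypes.Type(value = Note.class, name = "note") })
    public interface Message {}

    public static class Note implements Message {
        public String text;
    }

    public static class SafeEnvelope {
        public Message payload;
    }

    // Returns true when the attacker-chosen type id is rejected.
    static boolean hardenedRejectsUnknownType() throws Exception {
        ObjectMapper mapper = new ObjectMapper();   // no enableDefaultTyping()
        String hostile = "{\"payload\":{\"type\":\"example.DefaultTypingDemo$SideEffectBean\","
            + "\"text\":\"x\"}}";
        try {
            mapper.readValue(hostile, SafeEnvelope.class);
            return false;
        } catch (JsonMappingException e) {
            // InvalidTypeIdException: "example.DefaultTypingDemo$SideEffectBean"
            // is not one of the registered logical names.
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        SideEffectBean b = vulnerable();
        System.out.println("default typing instantiated " + b.getClass().getName()
            + ", setter ran with: " + SideEffectBean.lastCommand);
        System.out.println("allow-list rejected hostile type id: "
            + hardenedRejectsUnknownType());
        ObjectMapper mapper = new ObjectMapper();
        SafeEnvelope ok = mapper.readValue(
            "{\"payload\":{\"type\":\"note\",\"text\":\"hello\"}}", SafeEnvelope.class);
        System.out.println("allow-listed subtype still works: " + ((Note) ok.payload).text);
    }
}
```

The practical check for a codebase is therefore a grep for enableDefaultTyping (and for @JsonTypeInfo with Id.CLASS or Id.MINIMAL_CLASS, which take class names from the input the same way); a patched blacklist changes nothing about that exposure. Later jackson-databind releases (2.10 onward) deprecate enableDefaultTyping in favour of activateDefaultTyping with a PolymorphicTypeValidator allow-list, which is the same confinement the hardened half above achieves by annotation.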