On Jan/27, Markus Koschany wrote:

> I have prepared security updates of jackson-databind for Stretch and
> Jessie and would appreciate another look at the patches.
>
> The fix for CVE-2018-5968 is straightforward. The blacklist is simply
> extended.
>
> However, upstream decided to refactor the code for CVE-2017-17485 and I
> decided to apply the changes to BeanDeserializerFactory.java again
> instead of using the new helper class SubTypeValidator. Here is my
> thought process for how to create the patch based on the solution in
> upstream bug 1855 [1]:
>
> 1. Extend the blacklist. [2]
> 2. Instead of creating a new method validateSubType, I copied the fix
>    into checkIllegalTypes in BeanDeserializerFactory again. [3] The behavior
>    remains the same. This code catches some specific cases for the Spring
>    framework.
> 3. I also applied the regression fix in [4] (also mentioned in bug 1855).
> 4. I believe that [5] only applies to the refactored code and since we
>    don't use that, it is irrelevant for us.
Hi Markus,

thanks a lot for the patches. I've reviewed them, and your approach is sound: please upload.

Cheers,
--Seb
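The patches discussed above extend a blacklist of class names that jackson-databind refuses to instantiate when polymorphic default typing is enabled. As an added example, not code from the thread or from the jackson-databind project, the snippet below contrasts the configuration that makes such a blacklist necessary (global default typing with no restriction) with the allowlist-based form that later jackson-databind releases (2.10 and newer, i.e. not the Stretch/Jessie versions discussed here) provide through `PolymorphicTypeValidator`. The `Event` and `LoginEvent` types and the `com.example.events` package prefix are hypothetical placeholders.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.ObjectMapper.DefaultTyping;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public final class PolymorphicMapperConfig {

    // Hypothetical application base type and one concrete subtype.
    public interface Event {}
    public static final class LoginEvent implements Event { public String user; }

    // Weak configuration: any class name an attacker places in the
    // type property is resolved and instantiated unless it appears on the
    // built-in blacklist. This is the setting the CVE fixes in the thread
    // have to defend, and it is deprecated in jackson-databind 2.10+.
    public static ObjectMapper blacklistOnlyMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping(DefaultTyping.NON_FINAL);
        return m;
    }

    // Hardened configuration (jackson-databind 2.10 or newer): only subtypes
    // of the application's own base type, living under a known package
    // prefix, may be named by the type property. Anything else, blacklisted
    // or not, is rejected before instantiation.
    public static ObjectMapper allowlistMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
            .allowIfBaseType(Event.class)
            .allowIfSubType("com.example.events.")   // hypothetical package prefix
            .build();
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(ptv, DefaultTyping.NON_FINAL);
        return m;
    }
}
```

With the hardened mapper, a payload whose type property names a class outside the allowlist fails with an `InvalidDefinitionException` during `readValue`, so the blacklist becomes a second line of defense rather than the only one. On the Stretch/Jessie versions in the thread, where `PolymorphicTypeValidator` does not exist, the practical equivalent is to avoid enabling default typing at all and to rely on `@JsonTypeInfo` with explicitly registered subtypes.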