
Security vulnerabilities in the jackson software package

  • OS details: WN7
  • Importance: IMP
  • Operating systems: L
  • Categories: LFE

——————————————————————————–
Fedora Update Notification
FEDORA-2019-df57551f6d
2019-02-19 13:59:57.021257
——————————————————————————–

Name : jackson-annotations
Product : Fedora 29
Version : 2.9.8
Release : 1.fc29
URL : https://github.com/FasterXML/jackson-annotations/
Summary : Core annotations for Jackson data processor
Description :
Core annotations used for value types,
used by Jackson data-binding package.

——————————————————————————–
Update Information:

Fixes CVE-2018-14718 CVE-2018-14719 CVE-2018-19360 CVE-2018-19361 CVE-2018-19362
CVE-2018-12022 CVE-2018-12023 CVE-2018-14720 CVE-2018-14721 and CVE-2016-7051.
——————————————————————————–
ChangeLog:

* Wed Feb 6 2019 Mat Booth <mat.booth@redhat.com> – 2.9.8-1
– Update to latest upstream release
* Fri Feb 1 2019 Fedora Release Engineering <releng@fedoraproject.org> – 2.9.4-4
– Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
——————————————————————————–
References:

[ 1 ] Bug #1555900 – jackson-datatype-jdk8: FTBFS in F28
https://bugzilla.redhat.com/show_bug.cgi?id=1555900
[ 2 ] Bug #1604397 – jackson-datatype-jdk8: FTBFS in Fedora rawhide
https://bugzilla.redhat.com/show_bug.cgi?id=1604397
[ 3 ] Bug #1671098 – CVE-2018-12022 jackson-databind: improper polymorphic deserialization of types from Jodd-db library [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1671098
[ 4 ] Bug #1666490 – CVE-2018-19362 jackson-databind: improper polymorphic deserialization in jboss-common-core class [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1666490
[ 5 ] Bug #1666486 – CVE-2018-19361 jackson-databind: improper polymorphic deserialization in openjpa class [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1666486
[ 6 ] Bug #1666483 – CVE-2018-19360 jackson-databind: improper polymorphic deserialization in axis2-transport-jms class [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1666483
[ 7 ] Bug #1666429 – CVE-2018-14721 jackson-databind: server-side request forgery (SSRF) in axis2-jaxws class [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1666429
[ 8 ] Bug #1666424 – CVE-2018-14720 jackson-databind: exfiltration/XXE in some JDK classes [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1666424
[ 9 ] Bug #1666419 – CVE-2018-14719 jackson-databind: arbitrary code execution in blaze-ds-opt and blaze-ds-core classes [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1666419
[ 10 ] Bug #1666416 – CVE-2018-14718 jackson-databind: arbitrary code execution in slf4j-ext class [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1666416
[ 11 ] Bug #1380206 – CVE-2016-7051 jackson-dataformat-xml: XmlMapper is vulnerable to SSRF attack [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1380206
[ 12 ] Bug #1672925 – bouncycastle-1.61 is available
https://bugzilla.redhat.com/show_bug.cgi?id=1672925
[ 13 ] Bug #1667118 – CVE-2018-1000873 jackson-datatype-jsr310: jackson-modules-java8: DoS due to an Improper Input Validation [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1667118
[ 14 ] Bug #1671099 – CVE-2018-12023 jackson-databind: improper polymorphic deserialization of types from Oracle JDBC driver [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1671099
——————————————————————————–

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2019-df57551f6d' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
——————————————————————————–
_______________________________________________
package-announce mailing list — package-announce@lists.fedoraproject.org
To unsubscribe send an email to package-announce-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org

——————————————————————————–
Fedora Update Notification
FEDORA-2019-df57551f6d
2019-02-19 13:59:57.021257
——————————————————————————–

Name : jackson-dataformat-xml
Product : Fedora 29
Version : 2.9.8
Release : 1.fc29
URL : https://github.com/FasterXML/jackson-dataformat-xml
Summary : Jackson extension component for reading and writing XML encoded data
Description :
Data format extension for Jackson (http://jackson.codehaus.org)
to offer alternative support for serializing POJOs as XML and
deserializing XML as POJOs. Support implemented on top of Stax API
(javax.xml.stream), by implementing core Jackson Streaming API types
like JsonGenerator, JsonParser and JsonFactory. Some data-binding types
overridden as well (ObjectMapper sub-classed as XmlMapper).

——————————————————————————–
Update Information:

Fixes CVE-2018-14718 CVE-2018-14719 CVE-2018-19360 CVE-2018-19361 CVE-2018-19362
CVE-2018-12022 CVE-2018-12023 CVE-2018-14720 CVE-2018-14721 and CVE-2016-7051.
——————————————————————————–
ChangeLog:

* Wed Feb 6 2019 Mat Booth <mat.booth@redhat.com> – 2.9.8-1
– Update to latest upstream release
* Fri Feb 1 2019 Fedora Release Engineering <releng@fedoraproject.org> – 2.9.4-4
– Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
——————————————————————————–
References:

[ 1 ] Bug #1555900 – jackson-datatype-jdk8: FTBFS in F28
https://bugzilla.redhat.com/show_bug.cgi?id=1555900
[ 2 ] Bug #1604397 – jackson-datatype-jdk8: FTBFS in Fedora rawhide
https://bugzilla.redhat.com/show_bug.cgi?id=1604397
[ 3 ] Bug #1671098 – CVE-2018-12022 jackson-databind: improper polymorphic deserialization of types from Jodd-db library [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1671098
[ 4 ] Bug #1666490 – CVE-2018-19362 jackson-databind: improper polymorphic deserialization in jboss-common-core class [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1666490
[ 5 ] Bug #1666486 – CVE-2018-19361 jackson-databind: improper polymorphic deserialization in openjpa class [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1666486
[ 6 ] Bug #1666483 – CVE-2018-19360 jackson-databind: improper polymorphic deserialization in axis2-transport-jms class [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1666483
[ 7 ] Bug #1666429 – CVE-2018-14721 jackson-databind: server-side request forgery (SSRF) in axis2-jaxws class [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1666429
[ 8 ] Bug #1666424 – CVE-2018-14720 jackson-databind: exfiltration/XXE in some JDK classes [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1666424
[ 9 ] Bug #1666419 – CVE-2018-14719 jackson-databind: arbitrary code execution in blaze-ds-opt and blaze-ds-core classes [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1666419
[ 10 ] Bug #1666416 – CVE-2018-14718 jackson-databind: arbitrary code execution in slf4j-ext class [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1666416
[ 11 ] Bug #1380206 – CVE-2016-7051 jackson-dataformat-xml: XmlMapper is vulnerable to SSRF attack [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1380206
[ 12 ] Bug #1672925 – bouncycastle-1.61 is available
https://bugzilla.redhat.com/show_bug.cgi?id=1672925
[ 13 ] Bug #1667118 – CVE-2018-1000873 jackson-datatype-jsr310: jackson-modules-java8: DoS due to an Improper Input Validation [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1667118
[ 14 ] Bug #1671099 – CVE-2018-12023 jackson-databind: improper polymorphic deserialization of types from Oracle JDBC driver [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1671099
——————————————————————————–

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2019-df57551f6d' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
——————————————————————————–

——————————————————————————–
Fedora Update Notification
FEDORA-2019-df57551f6d
2019-02-19 13:59:57.021257
——————————————————————————–

Name : jackson-bom
Product : Fedora 29
Version : 2.9.8
Release : 1.fc29
URL : https://github.com/FasterXML/jackson-bom
Summary : Bill of materials POM for Jackson projects
Description :
A “bill of materials” POM for Jackson dependencies.

——————————————————————————–
Update Information:

Fixes CVE-2018-14718 CVE-2018-14719 CVE-2018-19360 CVE-2018-19361 CVE-2018-19362
CVE-2018-12022 CVE-2018-12023 CVE-2018-14720 CVE-2018-14721 and CVE-2016-7051.
——————————————————————————–
ChangeLog:

* Wed Feb 6 2019 Mat Booth <mat.booth@redhat.com> – 2.9.8-1
– Update to latest upstream release
* Fri Feb 1 2019 Fedora Release Engineering <releng@fedoraproject.org> – 2.9.4-4
– Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
——————————————————————————–
References:

[ 1 ] Bug #1555900 – jackson-datatype-jdk8: FTBFS in F28
https://bugzilla.redhat.com/show_bug.cgi?id=1555900
[ 2 ] Bug #1604397 – jackson-datatype-jdk8: FTBFS in Fedora rawhide
https://bugzilla.redhat.com/show_bug.cgi?id=1604397
[ 3 ] Bug #1671098 – CVE-2018-12022 jackson-databind: improper polymorphic deserialization of types from Jodd-db library [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1671098
[ 4 ] Bug #1666490 – CVE-2018-19362 jackson-databind: improper polymorphic deserialization in jboss-common-core class [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1666490
[ 5 ] Bug #1666486 – CVE-2018-19361 jackson-databind: improper polymorphic deserialization in openjpa class [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1666486
[ 6 ] Bug #1666483 – CVE-2018-19360 jackson-databind: improper polymorphic deserialization in axis2-transport-jms class [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1666483
[ 7 ] Bug #1666429 – CVE-2018-14721 jackson-databind: server-side request forgery (SSRF) in axis2-jaxws class [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1666429
[ 8 ] Bug #1666424 – CVE-2018-14720 jackson-databind: exfiltration/XXE in some JDK classes [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1666424
[ 9 ] Bug #1666419 – CVE-2018-14719 jackson-databind: arbitrary code execution in blaze-ds-opt and blaze-ds-core classes [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1666419
[ 10 ] Bug #1666416 – CVE-2018-14718 jackson-databind: arbitrary code execution in slf4j-ext class [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1666416
[ 11 ] Bug #1380206 – CVE-2016-7051 jackson-dataformat-xml: XmlMapper is vulnerable to SSRF attack [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1380206
[ 12 ] Bug #1672925 – bouncycastle-1.61 is available
https://bugzilla.redhat.com/show_bug.cgi?id=1672925
[ 13 ] Bug #1667118 – CVE-2018-1000873 jackson-datatype-jsr310: jackson-modules-java8: DoS due to an Improper Input Validation [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1667118
[ 14 ] Bug #1671099 – CVE-2018-12023 jackson-databind: improper polymorphic deserialization of types from Oracle JDBC driver [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1671099
——————————————————————————–

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2019-df57551f6d' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
——————————————————————————–

——————————————————————————–
Fedora Update Notification
FEDORA-2019-df57551f6d
2019-02-19 13:59:57.021257
——————————————————————————–

Name : jackson-core
Product : Fedora 29
Version : 2.9.8
Release : 1.fc29
URL : https://github.com/FasterXML/jackson-core/
Summary : Core part of Jackson
Description :
Core part of Jackson that defines Streaming API as well
as basic shared abstractions.

——————————————————————————–
Update Information:

Fixes CVE-2018-14718 CVE-2018-14719 CVE-2018-19360 CVE-2018-19361 CVE-2018-19362
CVE-2018-12022 CVE-2018-12023 CVE-2018-14720 CVE-2018-14721 and CVE-2016-7051.
——————————————————————————–
ChangeLog:

* Wed Feb 6 2019 Mat Booth <mat.booth@redhat.com> – 2.9.8-1
– Update to latest upstream release
* Fri Feb 1 2019 Fedora Release Engineering <releng@fedoraproject.org> – 2.9.4-4
– Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
——————————————————————————–
References:

[ 1 ] Bug #1555900 – jackson-datatype-jdk8: FTBFS in F28
https://bugzilla.redhat.com/show_bug.cgi?id=1555900
[ 2 ] Bug #1604397 – jackson-datatype-jdk8: FTBFS in Fedora rawhide
https://bugzilla.redhat.com/show_bug.cgi?id=1604397
[ 3 ] Bug #1671098 – CVE-2018-12022 jackson-databind: improper polymorphic deserialization of types from Jodd-db library [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1671098
[ 4 ] Bug #1666490 – CVE-2018-19362 jackson-databind: improper polymorphic deserialization in jboss-common-core class [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1666490
[ 5 ] Bug #1666486 – CVE-2018-19361 jackson-databind: improper polymorphic deserialization in openjpa class [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1666486
[ 6 ] Bug #1666483 – CVE-2018-19360 jackson-databind: improper polymorphic deserialization in axis2-transport-jms class [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1666483
[ 7 ] Bug #1666429 – CVE-2018-14721 jackson-databind: server-side request forgery (SSRF) in axis2-jaxws class [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1666429
[ 8 ] Bug #1666424 – CVE-2018-14720 jackson-databind: exfiltration/XXE in some JDK classes [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1666424
[ 9 ] Bug #1666419 – CVE-2018-14719 jackson-databind: arbitrary code execution in blaze-ds-opt and blaze-ds-core classes [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1666419
[ 10 ] Bug #1666416 – CVE-2018-14718 jackson-databind: arbitrary code execution in slf4j-ext class [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1666416
[ 11 ] Bug #1380206 – CVE-2016-7051 jackson-dataformat-xml: XmlMapper is vulnerable to SSRF attack [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1380206
[ 12 ] Bug #1672925 – bouncycastle-1.61 is available
https://bugzilla.redhat.com/show_bug.cgi?id=1672925
[ 13 ] Bug #1667118 – CVE-2018-1000873 jackson-datatype-jsr310: jackson-modules-java8: DoS due to an Improper Input Validation [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1667118
[ 14 ] Bug #1671099 – CVE-2018-12023 jackson-databind: improper polymorphic deserialization of types from Oracle JDBC driver [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1671099
——————————————————————————–

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2019-df57551f6d' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
——————————————————————————–

——————————————————————————–
Fedora Update Notification
FEDORA-2019-df57551f6d
2019-02-19 13:59:57.021257
——————————————————————————–

Name : jackson-databind
Product : Fedora 29
Version : 2.9.8
Release : 1.fc29
URL : https://github.com/FasterXML/jackson-databind/
Summary : General data-binding package for Jackson (2.x)
Description :
The general-purpose data-binding functionality and tree-model for Jackson Data
Processor. It builds on core streaming parser/generator package, and uses
Jackson Annotations for configuration.

——————————————————————————–
Update Information:

Fixes CVE-2018-14718 CVE-2018-14719 CVE-2018-19360 CVE-2018-19361 CVE-2018-19362
CVE-2018-12022 CVE-2018-12023 CVE-2018-14720 CVE-2018-14721 and CVE-2016-7051.
——————————————————————————–
ChangeLog:

* Wed Feb 6 2019 Mat Booth <mat.booth@redhat.com> – 2.9.8-1
– Update to latest upstream release, fixes CVE-2018-14718 CVE-2018-147189
CVE-2018-19360 CVE-2018-19361 CVE-2018-19362 CVE-2018-12022 CVE-2018-12023
CVE-2018-14720 CVE-2018-14721
* Fri Feb 1 2019 Fedora Release Engineering <releng@fedoraproject.org> – 2.9.4-5
– Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
——————————————————————————–
References:

[ 1 ] Bug #1555900 – jackson-datatype-jdk8: FTBFS in F28
https://bugzilla.redhat.com/show_bug.cgi?id=1555900
[ 2 ] Bug #1604397 – jackson-datatype-jdk8: FTBFS in Fedora rawhide
https://bugzilla.redhat.com/show_bug.cgi?id=1604397
[ 3 ] Bug #1671098 – CVE-2018-12022 jackson-databind: improper polymorphic deserialization of types from Jodd-db library [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1671098
[ 4 ] Bug #1666490 – CVE-2018-19362 jackson-databind: improper polymorphic deserialization in jboss-common-core class [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1666490
[ 5 ] Bug #1666486 – CVE-2018-19361 jackson-databind: improper polymorphic deserialization in openjpa class [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1666486
[ 6 ] Bug #1666483 – CVE-2018-19360 jackson-databind: improper polymorphic deserialization in axis2-transport-jms class [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1666483
[ 7 ] Bug #1666429 – CVE-2018-14721 jackson-databind: server-side request forgery (SSRF) in axis2-jaxws class [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1666429
[ 8 ] Bug #1666424 – CVE-2018-14720 jackson-databind: exfiltration/XXE in some JDK classes [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1666424
[ 9 ] Bug #1666419 – CVE-2018-14719 jackson-databind: arbitrary code execution in blaze-ds-opt and blaze-ds-core classes [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1666419
[ 10 ] Bug #1666416 – CVE-2018-14718 jackson-databind: arbitrary code execution in slf4j-ext class [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1666416
[ 11 ] Bug #1380206 – CVE-2016-7051 jackson-dataformat-xml: XmlMapper is vulnerable to SSRF attack [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1380206
[ 12 ] Bug #1672925 – bouncycastle-1.61 is available
https://bugzilla.redhat.com/show_bug.cgi?id=1672925
[ 13 ] Bug #1667118 – CVE-2018-1000873 jackson-datatype-jsr310: jackson-modules-java8: DoS due to an Improper Input Validation [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1667118
[ 14 ] Bug #1671099 – CVE-2018-12023 jackson-databind: improper polymorphic deserialization of types from Oracle JDBC driver [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1671099
——————————————————————————–

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2019-df57551f6d' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
——————————————————————————–

——————————————————————————–
Fedora Update Notification
FEDORA-2019-df57551f6d
2019-02-19 13:59:57.021257
——————————————————————————–

Name : jackson-datatypes-collections
Product : Fedora 29
Version : 2.9.8
Release : 1.fc29
URL : https://github.com/FasterXML/jackson-datatypes-collections
Summary : Jackson datatypes: collections
Description :
This is a multi-module umbrella project for various Jackson
Data-type modules to support 3rd party Collection libraries.

Currently included are:
* Guava data-type
* HPPC data-type
* PCollections data-type

——————————————————————————–
Update Information:

Fixes CVE-2018-14718 CVE-2018-14719 CVE-2018-19360 CVE-2018-19361 CVE-2018-19362
CVE-2018-12022 CVE-2018-12023 CVE-2018-14720 CVE-2018-14721 and CVE-2016-7051.
——————————————————————————–
ChangeLog:

* Wed Feb 6 2019 Mat Booth <mat.booth@redhat.com> – 2.9.8-1
– Update to latest upstream release
* Fri Feb 1 2019 Fedora Release Engineering <releng@fedoraproject.org> – 2.9.4-5
– Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
——————————————————————————–
References:

[ 1 ] Bug #1555900 – jackson-datatype-jdk8: FTBFS in F28
https://bugzilla.redhat.com/show_bug.cgi?id=1555900
[ 2 ] Bug #1604397 – jackson-datatype-jdk8: FTBFS in Fedora rawhide
https://bugzilla.redhat.com/show_bug.cgi?id=1604397
[ 3 ] Bug #1671098 – CVE-2018-12022 jackson-databind: improper polymorphic deserialization of types from Jodd-db library [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1671098
[ 4 ] Bug #1666490 – CVE-2018-19362 jackson-databind: improper polymorphic deserialization in jboss-common-core class [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1666490
[ 5 ] Bug #1666486 – CVE-2018-19361 jackson-databind: improper polymorphic deserialization in openjpa class [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1666486
[ 6 ] Bug #1666483 – CVE-2018-19360 jackson-databind: improper polymorphic deserialization in axis2-transport-jms class [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1666483
[ 7 ] Bug #1666429 – CVE-2018-14721 jackson-databind: server-side request forgery (SSRF) in axis2-jaxws class [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1666429
[ 8 ] Bug #1666424 – CVE-2018-14720 jackson-databind: exfiltration/XXE in some JDK classes [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1666424
[ 9 ] Bug #1666419 – CVE-2018-14719 jackson-databind: arbitrary code execution in blaze-ds-opt and blaze-ds-core classes [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1666419
[ 10 ] Bug #1666416 – CVE-2018-14718 jackson-databind: arbitrary code execution in slf4j-ext class [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1666416
[ 11 ] Bug #1380206 – CVE-2016-7051 jackson-dataformat-xml: XmlMapper is vulnerable to SSRF attack [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1380206
[ 12 ] Bug #1672925 – bouncycastle-1.61 is available
https://bugzilla.redhat.com/show_bug.cgi?id=1672925
[ 13 ] Bug #1667118 – CVE-2018-1000873 jackson-datatype-jsr310: jackson-modules-java8: DoS due to an Improper Input Validation [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1667118
[ 14 ] Bug #1671099 – CVE-2018-12023 jackson-databind: improper polymorphic deserialization of types from Oracle JDBC driver [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1671099
——————————————————————————–

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2019-df57551f6d' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
——————————————————————————–

——————————————————————————–
Fedora Update Notification
FEDORA-2019-df57551f6d
2019-02-19 13:59:57.021257
——————————————————————————–

Name : jackson-jaxrs-providers
Product : Fedora 29
Version : 2.9.8
Release : 1.fc29
URL : https://github.com/FasterXML/jackson-jaxrs-providers
Summary : Jackson JAX-RS providers
Description :
This is a multi-module project that contains Jackson-based JAX-RS providers for
following data formats: JSON, Smile (binary JSON), XML, CBOR (another kind of
binary JSON), YAML.

——————————————————————————–
Update Information:

Fixes CVE-2018-14718 CVE-2018-14719 CVE-2018-19360 CVE-2018-19361 CVE-2018-19362
CVE-2018-12022 CVE-2018-12023 CVE-2018-14720 CVE-2018-14721 and CVE-2016-7051.
——————————————————————————–
ChangeLog:

* Wed Feb 6 2019 Mat Booth <mat.booth@redhat.com> – 2.9.8-1
– Update to latest upstream release
* Fri Feb 1 2019 Fedora Release Engineering <releng@fedoraproject.org> – 2.9.4-5
– Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
——————————————————————————–
References:

[ 1 ] Bug #1555900 – jackson-datatype-jdk8: FTBFS in F28
https://bugzilla.redhat.com/show_bug.cgi?id=1555900
[ 2 ] Bug #1604397 – jackson-datatype-jdk8: FTBFS in Fedora rawhide
https://bugzilla.redhat.com/show_bug.cgi?id=1604397
[ 3 ] Bug #1671098 – CVE-2018-12022 jackson-databind: improper polymorphic deserialization of types from Jodd-db library [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1671098
[ 4 ] Bug #1666490 – CVE-2018-19362 jackson-databind: improper polymorphic deserialization in jboss-common-core class [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1666490
[ 5 ] Bug #1666486 – CVE-2018-19361 jackson-databind: improper polymorphic deserialization in openjpa class [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1666486
[ 6 ] Bug #1666483 – CVE-2018-19360 jackson-databind: improper polymorphic deserialization in axis2-transport-jms class [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1666483
[ 7 ] Bug #1666429 – CVE-2018-14721 jackson-databind: server-side request forgery (SSRF) in axis2-jaxws class [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1666429
[ 8 ] Bug #1666424 – CVE-2018-14720 jackson-databind: exfiltration/XXE in some JDK classes [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1666424
[ 9 ] Bug #1666419 – CVE-2018-14719 jackson-databind: arbitrary code execution in blaze-ds-opt and blaze-ds-core classes [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1666419
[ 10 ] Bug #1666416 – CVE-2018-14718 jackson-databind: arbitrary code execution in slf4j-ext class [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1666416
[ 11 ] Bug #1380206 – CVE-2016-7051 jackson-dataformat-xml: XmlMapper is vulnerable to SSRF attack [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1380206
[ 12 ] Bug #1672925 – bouncycastle-1.61 is available
https://bugzilla.redhat.com/show_bug.cgi?id=1672925
[ 13 ] Bug #1667118 – CVE-2018-1000873 jackson-datatype-jsr310: jackson-modules-java8: DoS due to an Improper Input Validation [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1667118
[ 14 ] Bug #1671099 – CVE-2018-12023 jackson-databind: improper polymorphic deserialization of types from Oracle JDBC driver [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1671099
——————————————————————————–

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2019-df57551f6d' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
——————————————————————————–

——————————————————————————–
Fedora Update Notification
FEDORA-2019-df57551f6d
2019-02-19 13:59:57.021257
——————————————————————————–

Name : jackson-dataformats-binary
Product : Fedora 29
Version : 2.9.8
Release : 1.fc29
URL : https://github.com/FasterXML/jackson-dataformats-binary
Summary : Jackson standard binary data format backends
Description :
Parent pom for Jackson binary dataformats.

——————————————————————————–
Update Information:

Fixes CVE-2018-14718 CVE-2018-14719 CVE-2018-19360 CVE-2018-19361 CVE-2018-19362
CVE-2018-12022 CVE-2018-12023 CVE-2018-14720 CVE-2018-14721 and CVE-2016-7051.
——————————————————————————–
ChangeLog:

* Wed Feb 6 2019 Mat Booth <mat.booth@redhat.com> – 2.9.8-1
– Update to latest upstream release
* Fri Feb 1 2019 Fedora Release Engineering <releng@fedoraproject.org> – 2.9.4-5
– Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
——————————————————————————–
References:

[ 1 ] Bug #1555900 – jackson-datatype-jdk8: FTBFS in F28
https://bugzilla.redhat.com/show_bug.cgi?id=1555900
[ 2 ] Bug #1604397 – jackson-datatype-jdk8: FTBFS in Fedora rawhide
https://bugzilla.redhat.com/show_bug.cgi?id=1604397
[ 3 ] Bug #1671098 – CVE-2018-12022 jackson-databind: improper polymorphic deserialization of types from Jodd-db library [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1671098
[ 4 ] Bug #1666490 – CVE-2018-19362 jackson-databind: improper polymorphic deserialization in jboss-common-core class [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1666490
[ 5 ] Bug #1666486 – CVE-2018-19361 jackson-databind: improper polymorphic deserialization in openjpa class [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1666486
[ 6 ] Bug #1666483 – CVE-2018-19360 jackson-databind: improper polymorphic deserialization in axis2-transport-jms class [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1666483
[ 7 ] Bug #1666429 – CVE-2018-14721 jackson-databind: server-side request forgery (SSRF) in axis2-jaxws class [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1666429
[ 8 ] Bug #1666424 – CVE-2018-14720 jackson-databind: exfiltration/XXE in some JDK classes [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1666424
[ 9 ] Bug #1666419 – CVE-2018-14719 jackson-databind: arbitrary code execution in blaze-ds-opt and blaze-ds-core classes [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1666419
[ 10 ] Bug #1666416 – CVE-2018-14718 jackson-databind: arbitrary code execution in slf4j-ext class [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1666416
[ 11 ] Bug #1380206 – CVE-2016-7051 jackson-dataformat-xml: XmlMapper is vulnerable to SSRF attack [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1380206
[ 12 ] Bug #1672925 – bouncycastle-1.61 is available
https://bugzilla.redhat.com/show_bug.cgi?id=1672925
[ 13 ] Bug #1667118 – CVE-2018-1000873 jackson-datatype-jsr310: jackson-modules-java8: DoS due to an Improper Input Validation [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1667118
[ 14 ] Bug #1671099 – CVE-2018-12023 jackson-databind: improper polymorphic deserialization of types from Oracle JDBC driver [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1671099
——————————————————————————–

This update can be installed with the “dnf” update program. Use
su -c 'dnf upgrade --advisory FEDORA-2019-df57551f6d' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
——————————————————————————–

——————————————————————————–
Fedora Update Notification
FEDORA-2019-df57551f6d
2019-02-19 13:59:57.021257
——————————————————————————–

Name : jackson-datatype-joda
Product : Fedora 29
Version : 2.9.8
Release : 1.fc29
URL : http://wiki.fasterxml.com/JacksonModuleJoda
Summary : Add-on module for Jackson to support Joda data-types
Description :
This is a Jackson module that aims to provide
full support for data types of Joda date-time
library.

——————————————————————————–
Update Information:

Fixes CVE-2018-14718 CVE-2018-14719 CVE-2018-19360 CVE-2018-19361 CVE-2018-19362
CVE-2018-12022 CVE-2018-12023 CVE-2018-14720 CVE-2018-14721 and CVE-2016-7051.
——————————————————————————–
ChangeLog:

* Wed Feb 6 2019 Mat Booth <mat.booth@redhat.com> – 2.9.8-1
– Update to latest upstream release
* Fri Feb 1 2019 Fedora Release Engineering <releng@fedoraproject.org> – 2.9.4-4
– Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
——————————————————————————–
References:

[ 1 ] Bug #1555900 – jackson-datatype-jdk8: FTBFS in F28
https://bugzilla.redhat.com/show_bug.cgi?id=1555900
[ 2 ] Bug #1604397 – jackson-datatype-jdk8: FTBFS in Fedora rawhide
https://bugzilla.redhat.com/show_bug.cgi?id=1604397
[ 3 ] Bug #1671098 – CVE-2018-12022 jackson-databind: improper polymorphic deserialization of types from Jodd-db library [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1671098
[ 4 ] Bug #1666490 – CVE-2018-19362 jackson-databind: improper polymorphic deserialization in jboss-common-core class [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1666490
[ 5 ] Bug #1666486 – CVE-2018-19361 jackson-databind: improper polymorphic deserialization in openjpa class [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1666486
[ 6 ] Bug #1666483 – CVE-2018-19360 jackson-databind: improper polymorphic deserialization in axis2-transport-jms class [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1666483
[ 7 ] Bug #1666429 – CVE-2018-14721 jackson-databind: server-side request forgery (SSRF) in axis2-jaxws class [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1666429
[ 8 ] Bug #1666424 – CVE-2018-14720 jackson-databind: exfiltration/XXE in some JDK classes [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1666424
[ 9 ] Bug #1666419 – CVE-2018-14719 jackson-databind: arbitrary code execution in blaze-ds-opt and blaze-ds-core classes [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1666419
[ 10 ] Bug #1666416 – CVE-2018-14718 jackson-databind: arbitrary code execution in slf4j-ext class [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1666416
[ 11 ] Bug #1380206 – CVE-2016-7051 jackson-dataformat-xml: XmlMapper is vulnerable to SSRF attack [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1380206
[ 12 ] Bug #1672925 – bouncycastle-1.61 is available
https://bugzilla.redhat.com/show_bug.cgi?id=1672925
[ 13 ] Bug #1667118 – CVE-2018-1000873 jackson-datatype-jsr310: jackson-modules-java8: DoS due to an Improper Input Validation [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1667118
[ 14 ] Bug #1671099 – CVE-2018-12023 jackson-databind: improper polymorphic deserialization of types from Oracle JDBC driver [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1671099
——————————————————————————–

This update can be installed with the “dnf” update program. Use
su -c 'dnf upgrade --advisory FEDORA-2019-df57551f6d' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
——————————————————————————–

——————————————————————————–
Fedora Update Notification
FEDORA-2019-df57551f6d
2019-02-19 13:59:57.021257
——————————————————————————–

Name : jackson-dataformats-text
Product : Fedora 29
Version : 2.9.8
Release : 1.fc29
URL : https://github.com/FasterXML/jackson-dataformats-text
Summary : Jackson standard text-format data format backends
Description :
Parent pom for Jackson text-format dataformats.

——————————————————————————–
Update Information:

Fixes CVE-2018-14718 CVE-2018-14719 CVE-2018-19360 CVE-2018-19361 CVE-2018-19362
CVE-2018-12022 CVE-2018-12023 CVE-2018-14720 CVE-2018-14721 and CVE-2016-7051.
——————————————————————————–
ChangeLog:

* Wed Feb 6 2019 Mat Booth <mat.booth@redhat.com> – 2.9.8-1
– Update to latest upstream release
* Fri Feb 1 2019 Fedora Release Engineering <releng@fedoraproject.org> – 2.9.4-5
– Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
——————————————————————————–
References:

[ 1 ] Bug #1555900 – jackson-datatype-jdk8: FTBFS in F28
https://bugzilla.redhat.com/show_bug.cgi?id=1555900
[ 2 ] Bug #1604397 – jackson-datatype-jdk8: FTBFS in Fedora rawhide
https://bugzilla.redhat.com/show_bug.cgi?id=1604397
[ 3 ] Bug #1671098 – CVE-2018-12022 jackson-databind: improper polymorphic deserialization of types from Jodd-db library [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1671098
[ 4 ] Bug #1666490 – CVE-2018-19362 jackson-databind: improper polymorphic deserialization in jboss-common-core class [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1666490
[ 5 ] Bug #1666486 – CVE-2018-19361 jackson-databind: improper polymorphic deserialization in openjpa class [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1666486
[ 6 ] Bug #1666483 – CVE-2018-19360 jackson-databind: improper polymorphic deserialization in axis2-transport-jms class [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1666483
[ 7 ] Bug #1666429 – CVE-2018-14721 jackson-databind: server-side request forgery (SSRF) in axis2-jaxws class [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1666429
[ 8 ] Bug #1666424 – CVE-2018-14720 jackson-databind: exfiltration/XXE in some JDK classes [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1666424
[ 9 ] Bug #1666419 – CVE-2018-14719 jackson-databind: arbitrary code execution in blaze-ds-opt and blaze-ds-core classes [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1666419
[ 10 ] Bug #1666416 – CVE-2018-14718 jackson-databind: arbitrary code execution in slf4j-ext class [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1666416
[ 11 ] Bug #1380206 – CVE-2016-7051 jackson-dataformat-xml: XmlMapper is vulnerable to SSRF attack [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1380206
[ 12 ] Bug #1672925 – bouncycastle-1.61 is available
https://bugzilla.redhat.com/show_bug.cgi?id=1672925
[ 13 ] Bug #1667118 – CVE-2018-1000873 jackson-datatype-jsr310: jackson-modules-java8: DoS due to an Improper Input Validation [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1667118
[ 14 ] Bug #1671099 – CVE-2018-12023 jackson-databind: improper polymorphic deserialization of types from Oracle JDBC driver [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1671099
——————————————————————————–

This update can be installed with the “dnf” update program. Use
su -c 'dnf upgrade --advisory FEDORA-2019-df57551f6d' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
——————————————————————————–

——————————————————————————–
Fedora Update Notification
FEDORA-2019-df57551f6d
2019-02-19 13:59:57.021257
——————————————————————————–

Name : jackson-modules-base
Product : Fedora 29
Version : 2.9.8
Release : 1.fc29
URL : https://github.com/FasterXML/jackson-modules-base
Summary : Jackson modules: Base
Description :
Jackson “base” modules: modules that build directly on databind,
and are not data-type, data format, or JAX-RS provider modules.

——————————————————————————–
Update Information:

Fixes CVE-2018-14718 CVE-2018-14719 CVE-2018-19360 CVE-2018-19361 CVE-2018-19362
CVE-2018-12022 CVE-2018-12023 CVE-2018-14720 CVE-2018-14721 and CVE-2016-7051.
——————————————————————————–
ChangeLog:

* Wed Feb 6 2019 Mat Booth <mat.booth@redhat.com> – 2.9.8-1
– Update to latest upstream release
* Fri Feb 1 2019 Fedora Release Engineering <releng@fedoraproject.org> – 2.9.4-6
– Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Fri Jan 11 2019 Mat Booth <mat.booth@redhat.com> – 2.9.4-5
– Avoid running test that fails since Mockito 2.x
——————————————————————————–
References:

[ 1 ] Bug #1555900 – jackson-datatype-jdk8: FTBFS in F28
https://bugzilla.redhat.com/show_bug.cgi?id=1555900
[ 2 ] Bug #1604397 – jackson-datatype-jdk8: FTBFS in Fedora rawhide
https://bugzilla.redhat.com/show_bug.cgi?id=1604397
[ 3 ] Bug #1671098 – CVE-2018-12022 jackson-databind: improper polymorphic deserialization of types from Jodd-db library [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1671098
[ 4 ] Bug #1666490 – CVE-2018-19362 jackson-databind: improper polymorphic deserialization in jboss-common-core class [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1666490
[ 5 ] Bug #1666486 – CVE-2018-19361 jackson-databind: improper polymorphic deserialization in openjpa class [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1666486
[ 6 ] Bug #1666483 – CVE-2018-19360 jackson-databind: improper polymorphic deserialization in axis2-transport-jms class [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1666483
[ 7 ] Bug #1666429 – CVE-2018-14721 jackson-databind: server-side request forgery (SSRF) in axis2-jaxws class [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1666429
[ 8 ] Bug #1666424 – CVE-2018-14720 jackson-databind: exfiltration/XXE in some JDK classes [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1666424
[ 9 ] Bug #1666419 – CVE-2018-14719 jackson-databind: arbitrary code execution in blaze-ds-opt and blaze-ds-core classes [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1666419
[ 10 ] Bug #1666416 – CVE-2018-14718 jackson-databind: arbitrary code execution in slf4j-ext class [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1666416
[ 11 ] Bug #1380206 – CVE-2016-7051 jackson-dataformat-xml: XmlMapper is vulnerable to SSRF attack [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1380206
[ 12 ] Bug #1672925 – bouncycastle-1.61 is available
https://bugzilla.redhat.com/show_bug.cgi?id=1672925
[ 13 ] Bug #1667118 – CVE-2018-1000873 jackson-datatype-jsr310: jackson-modules-java8: DoS due to an Improper Input Validation [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1667118
[ 14 ] Bug #1671099 – CVE-2018-12023 jackson-databind: improper polymorphic deserialization of types from Oracle JDBC driver [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1671099
——————————————————————————–

This update can be installed with the “dnf” update program. Use
su -c 'dnf upgrade --advisory FEDORA-2019-df57551f6d' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
——————————————————————————–

——————————————————————————–
Fedora Update Notification
FEDORA-2019-df57551f6d
2019-02-19 13:59:57.021257
——————————————————————————–

Name : jackson-parent
Product : Fedora 29
Version : 2.9.1.2
Release : 1.fc29
URL : https://github.com/FasterXML/jackson-parent
Summary : Parent pom for all Jackson components
Description :
Project for parent pom for all Jackson components.

——————————————————————————–
Update Information:

Fixes CVE-2018-14718 CVE-2018-14719 CVE-2018-19360 CVE-2018-19361 CVE-2018-19362
CVE-2018-12022 CVE-2018-12023 CVE-2018-14720 CVE-2018-14721 and CVE-2016-7051.
——————————————————————————–
ChangeLog:

* Wed Feb 6 2019 Mat Booth <mat.booth@redhat.com> – 2.9.1.2-1
– Update to latest upstream release
* Fri Feb 1 2019 Fedora Release Engineering <releng@fedoraproject.org> – 2.9.1-4
– Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
——————————————————————————–
References:

[ 1 ] Bug #1555900 – jackson-datatype-jdk8: FTBFS in F28
https://bugzilla.redhat.com/show_bug.cgi?id=1555900
[ 2 ] Bug #1604397 – jackson-datatype-jdk8: FTBFS in Fedora rawhide
https://bugzilla.redhat.com/show_bug.cgi?id=1604397
[ 3 ] Bug #1671098 – CVE-2018-12022 jackson-databind: improper polymorphic deserialization of types from Jodd-db library [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1671098
[ 4 ] Bug #1666490 – CVE-2018-19362 jackson-databind: improper polymorphic deserialization in jboss-common-core class [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1666490
[ 5 ] Bug #1666486 – CVE-2018-19361 jackson-databind: improper polymorphic deserialization in openjpa class [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1666486
[ 6 ] Bug #1666483 – CVE-2018-19360 jackson-databind: improper polymorphic deserialization in axis2-transport-jms class [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1666483
[ 7 ] Bug #1666429 – CVE-2018-14721 jackson-databind: server-side request forgery (SSRF) in axis2-jaxws class [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1666429
[ 8 ] Bug #1666424 – CVE-2018-14720 jackson-databind: exfiltration/XXE in some JDK classes [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1666424
[ 9 ] Bug #1666419 – CVE-2018-14719 jackson-databind: arbitrary code execution in blaze-ds-opt and blaze-ds-core classes [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1666419
[ 10 ] Bug #1666416 – CVE-2018-14718 jackson-databind: arbitrary code execution in slf4j-ext class [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1666416
[ 11 ] Bug #1380206 – CVE-2016-7051 jackson-dataformat-xml: XmlMapper is vulnerable to SSRF attack [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1380206
[ 12 ] Bug #1672925 – bouncycastle-1.61 is available
https://bugzilla.redhat.com/show_bug.cgi?id=1672925
[ 13 ] Bug #1667118 – CVE-2018-1000873 jackson-datatype-jsr310: jackson-modules-java8: DoS due to an Improper Input Validation [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1667118
[ 14 ] Bug #1671099 – CVE-2018-12023 jackson-databind: improper polymorphic deserialization of types from Oracle JDBC driver [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1671099
——————————————————————————–

This update can be installed with the “dnf” update program. Use
su -c 'dnf upgrade --advisory FEDORA-2019-df57551f6d' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
——————————————————————————–

——————————————————————————–
Fedora Update Notification
FEDORA-2019-df57551f6d
2019-02-19 13:59:57.021257
——————————————————————————–

Name : jackson-datatype-jdk8
Product : Fedora 29
Version : 2.9.8
Release : 1.fc29
URL : https://github.com/FasterXML/jackson-modules-java8
Summary : Jackson module that adds supports for JDK 8 data types
Description :
Java 8 Datatypes: support for other new Java 8 data types outside of
date/time: most notably Optional, OptionalLong, OptionalDouble.

——————————————————————————–
Update Information:

Fixes CVE-2018-14718 CVE-2018-14719 CVE-2018-19360 CVE-2018-19361 CVE-2018-19362
CVE-2018-12022 CVE-2018-12023 CVE-2018-14720 CVE-2018-14721 and CVE-2016-7051.
——————————————————————————–
ChangeLog:

* Wed Feb 6 2019 Mat Booth <mat.booth@redhat.com> – 2.9.8-1
– Update to latest upstream release
* Fri Feb 1 2019 Fedora Release Engineering <releng@fedoraproject.org> – 2.7.6-7
– Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Fri Jul 13 2018 Fedora Release Engineering <releng@fedoraproject.org> – 2.7.6-6
– Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Wed Feb 7 2018 Fedora Release Engineering <releng@fedoraproject.org> – 2.7.6-5
– Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
——————————————————————————–
References:

[ 1 ] Bug #1555900 – jackson-datatype-jdk8: FTBFS in F28
https://bugzilla.redhat.com/show_bug.cgi?id=1555900
[ 2 ] Bug #1604397 – jackson-datatype-jdk8: FTBFS in Fedora rawhide
https://bugzilla.redhat.com/show_bug.cgi?id=1604397
[ 3 ] Bug #1671098 – CVE-2018-12022 jackson-databind: improper polymorphic deserialization of types from Jodd-db library [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1671098
[ 4 ] Bug #1666490 – CVE-2018-19362 jackson-databind: improper polymorphic deserialization in jboss-common-core class [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1666490
[ 5 ] Bug #1666486 – CVE-2018-19361 jackson-databind: improper polymorphic deserialization in openjpa class [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1666486
[ 6 ] Bug #1666483 – CVE-2018-19360 jackson-databind: improper polymorphic deserialization in axis2-transport-jms class [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1666483
[ 7 ] Bug #1666429 – CVE-2018-14721 jackson-databind: server-side request forgery (SSRF) in axis2-jaxws class [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1666429
[ 8 ] Bug #1666424 – CVE-2018-14720 jackson-databind: exfiltration/XXE in some JDK classes [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1666424
[ 9 ] Bug #1666419 – CVE-2018-14719 jackson-databind: arbitrary code execution in blaze-ds-opt and blaze-ds-core classes [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1666419
[ 10 ] Bug #1666416 – CVE-2018-14718 jackson-databind: arbitrary code execution in slf4j-ext class [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1666416
[ 11 ] Bug #1380206 – CVE-2016-7051 jackson-dataformat-xml: XmlMapper is vulnerable to SSRF attack [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1380206
[ 12 ] Bug #1672925 – bouncycastle-1.61 is available
https://bugzilla.redhat.com/show_bug.cgi?id=1672925
[ 13 ] Bug #1667118 – CVE-2018-1000873 jackson-datatype-jsr310: jackson-modules-java8: DoS due to an Improper Input Validation [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1667118
[ 14 ] Bug #1671099 – CVE-2018-12023 jackson-databind: improper polymorphic deserialization of types from Oracle JDBC driver [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1671099
——————————————————————————–

This update can be installed with the “dnf” update program. Use
su -c 'dnf upgrade --advisory FEDORA-2019-df57551f6d' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
——————————————————————————–

——————————————————————————–
Fedora Update Notification
FEDORA-2019-df57551f6d
2019-02-19 13:59:57.021257
——————————————————————————–

Name : jackson-module-jsonSchema
Product : Fedora 29
Version : 2.9.8
Release : 1.fc29
URL : https://github.com/FasterXML/jackson-module-jsonSchema
Summary : Jackson JSON Schema Module
Description :
Add-on module for Jackson to support JSON Schema version 3 generation.

——————————————————————————–
Update Information:

Fixes CVE-2018-14718 CVE-2018-14719 CVE-2018-19360 CVE-2018-19361 CVE-2018-19362
CVE-2018-12022 CVE-2018-12023 CVE-2018-14720 CVE-2018-14721 and CVE-2016-7051.
——————————————————————————–
ChangeLog:

* Wed Feb 6 2019 Mat Booth <mat.booth@redhat.com> – 2.9.8-1
– Update to latest upstream release
* Fri Feb 1 2019 Fedora Release Engineering <releng@fedoraproject.org> – 2.9.4-4
– Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
——————————————————————————–
References:

[ 1 ] Bug #1555900 – jackson-datatype-jdk8: FTBFS in F28
https://bugzilla.redhat.com/show_bug.cgi?id=1555900
[ 2 ] Bug #1604397 – jackson-datatype-jdk8: FTBFS in Fedora rawhide
https://bugzilla.redhat.com/show_bug.cgi?id=1604397
[ 3 ] Bug #1671098 – CVE-2018-12022 jackson-databind: improper polymorphic deserialization of types from Jodd-db library [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1671098
[ 4 ] Bug #1666490 – CVE-2018-19362 jackson-databind: improper polymorphic deserialization in jboss-common-core class [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1666490
[ 5 ] Bug #1666486 – CVE-2018-19361 jackson-databind: improper polymorphic deserialization in openjpa class [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1666486
[ 6 ] Bug #1666483 – CVE-2018-19360 jackson-databind: improper polymorphic deserialization in axis2-transport-jms class [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1666483
[ 7 ] Bug #1666429 – CVE-2018-14721 jackson-databind: server-side request forgery (SSRF) in axis2-jaxws class [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1666429
[ 8 ] Bug #1666424 – CVE-2018-14720 jackson-databind: exfiltration/XXE in some JDK classes [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1666424
[ 9 ] Bug #1666419 – CVE-2018-14719 jackson-databind: arbitrary code execution in blaze-ds-opt and blaze-ds-core classes [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1666419
[ 10 ] Bug #1666416 – CVE-2018-14718 jackson-databind: arbitrary code execution in slf4j-ext class [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1666416
[ 11 ] Bug #1380206 – CVE-2016-7051 jackson-dataformat-xml: XmlMapper is vulnerable to SSRF attack [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1380206
[ 12 ] Bug #1672925 – bouncycastle-1.61 is available
https://bugzilla.redhat.com/show_bug.cgi?id=1672925
[ 13 ] Bug #1667118 – CVE-2018-1000873 jackson-datatype-jsr310: jackson-modules-java8: DoS due to an Improper Input Validation [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1667118
[ 14 ] Bug #1671099 – CVE-2018-12023 jackson-databind: improper polymorphic deserialization of types from Oracle JDBC driver [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1671099
——————————————————————————–

This update can be installed with the “dnf” update program. Use
su -c 'dnf upgrade --advisory FEDORA-2019-df57551f6d' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
——————————————————————————–

Author: Toni Vugdelija
CERT ID: NCERT-REF-2019-02-0001-ADV
CVE: CERT-CVE-DUMMY
Source ID: CERT-ORIGID-DUMMY
Product: CERT-DUMMY-PRODUCT
Source: Adobe