Sicherheit: Mehrere Probleme in jackson-dataformat-xml

Lesezeichen hinzufügen

-------------------------------------------------------------------------------
-
Fedora Update Notification
FEDORA-2019-df57551f6d
2019-02-19 13:59:57.021257
-------------------------------------------------------------------------------
-

Name : jackson-dataformat-xml
Product : Fedora 29
Version : 2.9.8
Release : 1.fc29
URL : https://github.com/FasterXML/jackson-dataformat-xml
Summary : Jackson extension component for reading and writing XML encoded
data
Description :
Data format extension for Jackson (http://jackson.codehaus.org)
to offer alternative support for serializing POJOs as XML and
deserializing XML as POJOs. Support implemented on top of Stax API
(javax.xml.stream), by implementing core Jackson Streaming API types
like JsonGenerator, JsonParser and JsonFactory. Some data-binding types
overridden as well (ObjectMapper sub-classed as XmlMapper).

-------------------------------------------------------------------------------
-
Update Information:

Fixes CVE-2018-14718 CVE-2018-14719 CVE-2018-19360 CVE-2018-19361
CVE-2018-19362
CVE-2018-12022 CVE-2018-12023 CVE-2018-14720 CVE-2018-14721 and CVE-2016-7051.
-------------------------------------------------------------------------------
-
ChangeLog:

* Wed Feb 6 2019 Mat Booth <mat.booth@redhat.com> - 2.9.8-1
- Update to latest upstream release
* Fri Feb 1 2019 Fedora Release Engineering <releng@fedoraproject.org> -
2.9.4-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
-------------------------------------------------------------------------------
-
References:

[ 1 ] Bug #1555900 - jackson-datatype-jdk8: FTBFS in F28
https://bugzilla.redhat.com/show_bug.cgi?id=1555900
[ 2 ] Bug #1604397 - jackson-datatype-jdk8: FTBFS in Fedora rawhide
https://bugzilla.redhat.com/show_bug.cgi?id=1604397
[ 3 ] Bug #1671098 - CVE-2018-12022 jackson-databind: improper polymorphic
deserialization of types from Jodd-db library [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1671098
[ 4 ] Bug #1666490 - CVE-2018-19362 jackson-databind: improper polymorphic
deserialization in jboss-common-core class [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1666490
[ 5 ] Bug #1666486 - CVE-2018-19361 jackson-databind: improper polymorphic
deserialization in openjpa class [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1666486
[ 6 ] Bug #1666483 - CVE-2018-19360 jackson-databind: improper polymorphic
deserialization in axis2-transport-jms class [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1666483
[ 7 ] Bug #1666429 - CVE-2018-14721 jackson-databind: server-side request
forgery (SSRF) in axis2-jaxws class [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1666429
[ 8 ] Bug #1666424 - CVE-2018-14720 jackson-databind: exfiltration/XXE in
some JDK classes [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1666424
[ 9 ] Bug #1666419 - CVE-2018-14719 jackson-databind: arbitrary code
execution in blaze-ds-opt and blaze-ds-core classes [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1666419
[ 10 ] Bug #1666416 - CVE-2018-14718 jackson-databind: arbitrary code
execution in slf4j-ext class [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1666416
[ 11 ] Bug #1380206 - CVE-2016-7051 jackson-dataformat-xml: XmlMapper is
vulnerable to SSRF attack [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1380206
[ 12 ] Bug #1672925 - bouncycastle-1.61 is available
https://bugzilla.redhat.com/show_bug.cgi?id=1672925
[ 13 ] Bug #1667118 - CVE-2018-1000873 jackson-datatype-jsr310:
jackson-modules-java8: DoS due to an Improper Input Validation [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1667118
[ 14 ] Bug #1671099 - CVE-2018-12023 jackson-databind: improper polymorphic
deserialization of types from Oracle JDBC driver [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1671099
-------------------------------------------------------------------------------
-

This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2019-df57551f6d' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
-------------------------------------------------------------------------------
-
_______________________________________________
package-announce mailing list -- package-announce@lists.fedoraproject.org
To unsubscribe send an email to package-announce-leave@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org