[Bug 1758167] New: jackson-databind: Serialization gadgets in classes of the ehcache package
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1758167
Bug ID: 1758167
Summary: jackson-databind: Serialization gadgets in classes of
the ehcache package
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: psampaio(a)redhat.com
CC: aileenc(a)redhat.com, akoufoud(a)redhat.com,
alazarot(a)redhat.com, almorale(a)redhat.com,
anstephe(a)redhat.com, asoldano(a)redhat.com,
atangrin(a)redhat.com, ataylor(a)redhat.com,
avibelli(a)redhat.com, bbaranow(a)redhat.com,
bbuckingham(a)redhat.com, bcourt(a)redhat.com,
bgeorges(a)redhat.com, bkearney(a)redhat.com,
bmaxwell(a)redhat.com, bmontgom(a)redhat.com,
brian.stansberry(a)redhat.com, btotty(a)redhat.com,
cbyrne(a)redhat.com, cdewolf(a)redhat.com,
chazlett(a)redhat.com, cmacedo(a)redhat.com,
darran.lofthouse(a)redhat.com, dbecker(a)redhat.com,
decathorpe(a)gmail.com, dffrench(a)redhat.com,
dosoudil(a)redhat.com, drieden(a)redhat.com,
drusso(a)redhat.com, eparis(a)redhat.com,
etirelli(a)redhat.com, ganandan(a)redhat.com,
ggaughan(a)redhat.com, hhorak(a)redhat.com,
hhudgeon(a)redhat.com, ibek(a)redhat.com,
iweiss(a)redhat.com, janstey(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jawilson(a)redhat.com, jbalunas(a)redhat.com,
jburrell(a)redhat.com, jjoyce(a)redhat.com,
jmadigan(a)redhat.com, jochrist(a)redhat.com,
jokerman(a)redhat.com, jolee(a)redhat.com,
jorton(a)redhat.com, jpallich(a)redhat.com,
jperkins(a)redhat.com, jschatte(a)redhat.com,
jschluet(a)redhat.com, jshepherd(a)redhat.com,
jstastny(a)redhat.com, kbasil(a)redhat.com,
krathod(a)redhat.com, kverlaen(a)redhat.com,
kwills(a)redhat.com, lef(a)fedoraproject.org,
lgao(a)redhat.com, lhh(a)redhat.com, lpeer(a)redhat.com,
lthon(a)redhat.com, lzap(a)redhat.com,
mat.booth(a)redhat.com, mburns(a)redhat.com,
mkolesni(a)redhat.com, mmccune(a)redhat.com,
mnovotny(a)redhat.com, msochure(a)redhat.com,
msvehla(a)redhat.com, mszynkie(a)redhat.com,
ngough(a)redhat.com, nstielau(a)redhat.com,
nwallace(a)redhat.com, paradhya(a)redhat.com,
pdrozd(a)redhat.com, pgallagh(a)redhat.com,
pmackay(a)redhat.com, psotirop(a)redhat.com,
puntogil(a)libero.it, pwright(a)redhat.com,
rchan(a)redhat.com, rguimara(a)redhat.com,
rhcs-maint(a)redhat.com, rjerrido(a)redhat.com,
rrajasek(a)redhat.com, rruss(a)redhat.com,
rsvoboda(a)redhat.com, rsynek(a)redhat.com,
sclewis(a)redhat.com, scohen(a)redhat.com,
sdaley(a)redhat.com, slinaber(a)redhat.com,
smaestri(a)redhat.com, sponnaga(a)redhat.com,
stewardship-sig(a)lists.fedoraproject.org,
sthorger(a)redhat.com, swoodman(a)redhat.com,
tbrisker(a)redhat.com, tom.jenkinson(a)redhat.com,
trepel(a)redhat.com, trogers(a)redhat.com,
twalsh(a)redhat.com, vhalbert(a)redhat.com
Target Milestone: ---
Classification: Other
A flaw was found in jackson-databind before 2.9.10. New serialization gadgets
were found in a class of the ehcache package which may help in exploiting
deserialization issues.
Upstream issue:
https://github.com/FasterXML/jackson-databind/issues/2460
Upstream patch:
https://github.com/FasterXML/jackson-databind/commit/191a4cdf87b56d2ddddb...
References:
https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-...
--
You are receiving this mail because:
You are on the CC list for the bug.
[Bug 1775293] New: cve jackson-databind: default typing leads to code execution
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1775293
Bug ID: 1775293
Summary: cve jackson-databind: default typing leads to code
execution
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: high
Priority: high
Assignee: security-response-team(a)redhat.com
Reporter: darunesh(a)redhat.com
CC: aboyko(a)redhat.com, aileenc(a)redhat.com,
akoufoud(a)redhat.com, alazarot(a)redhat.com,
almorale(a)redhat.com, anstephe(a)redhat.com,
asoldano(a)redhat.com, atangrin(a)redhat.com,
ataylor(a)redhat.com, avibelli(a)redhat.com,
bbaranow(a)redhat.com, bbuckingham(a)redhat.com,
bcourt(a)redhat.com, bgeorges(a)redhat.com,
bkearney(a)redhat.com, bmaxwell(a)redhat.com,
bmontgom(a)redhat.com, brian.stansberry(a)redhat.com,
btotty(a)redhat.com, cbyrne(a)redhat.com,
cdewolf(a)redhat.com, chazlett(a)redhat.com,
cmacedo(a)redhat.com, darran.lofthouse(a)redhat.com,
decathorpe(a)gmail.com, dffrench(a)redhat.com,
dkreling(a)redhat.com, dosoudil(a)redhat.com,
drieden(a)redhat.com, drusso(a)redhat.com,
eparis(a)redhat.com, etirelli(a)redhat.com,
ganandan(a)redhat.com, ggaughan(a)redhat.com,
hhorak(a)redhat.com, hhudgeon(a)redhat.com,
ibek(a)redhat.com, iweiss(a)redhat.com,
janstey(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jawilson(a)redhat.com, jbalunas(a)redhat.com,
jburrell(a)redhat.com, jmadigan(a)redhat.com,
jochrist(a)redhat.com, jokerman(a)redhat.com,
jorton(a)redhat.com, jpallich(a)redhat.com,
jperkins(a)redhat.com, jshepherd(a)redhat.com,
jstastny(a)redhat.com, krathod(a)redhat.com,
kverlaen(a)redhat.com, kwills(a)redhat.com,
lef(a)fedoraproject.org, lgao(a)redhat.com,
lthon(a)redhat.com, lzap(a)redhat.com,
mat.booth(a)redhat.com, mmccune(a)redhat.com,
mnovotny(a)redhat.com, msochure(a)redhat.com,
msvehla(a)redhat.com, mszynkie(a)redhat.com,
ngough(a)redhat.com, nstielau(a)redhat.com,
nwallace(a)redhat.com, paradhya(a)redhat.com,
pdrozd(a)redhat.com, pgallagh(a)redhat.com,
pmackay(a)redhat.com, psotirop(a)redhat.com,
puntogil(a)libero.it, pwright(a)redhat.com,
rchan(a)redhat.com, rguimara(a)redhat.com,
rhcs-maint(a)redhat.com, rjerrido(a)redhat.com,
rrajasek(a)redhat.com, rruss(a)redhat.com,
rsvoboda(a)redhat.com, rsynek(a)redhat.com,
sdaley(a)redhat.com, smaestri(a)redhat.com,
sokeeffe(a)redhat.com, sponnaga(a)redhat.com,
stewardship-sig(a)lists.fedoraproject.org,
sthorger(a)redhat.com, swoodman(a)redhat.com,
tbrisker(a)redhat.com, tom.jenkinson(a)redhat.com,
trepel(a)redhat.com, trogers(a)redhat.com,
twalsh(a)redhat.com
Target Milestone: ---
Classification: Other
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0
through 2.9.10. When Default Typing is enabled (either globally or for a
specific property) for an externally exposed JSON endpoint and the service has
the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker
can provide a JNDI service to access, it is possible to make the service
execute a malicious payload.
Reference:
https://github.com/FasterXML/jackson-databind/issues/2498
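The two reports above describe the same failure shape: with jackson-databind "default typing" enabled, the JSON document itself names the class to instantiate, so every newly found gadget class on the classpath (ehcache in bug 1758167; log4j-extras plus an attacker-reachable JNDI service in bug 1775293) becomes a new CVE. The Java below is an added example, not code from either report or from the jackson-databind project. It puts the weak 2.9-era configuration beside the allow-list configuration that jackson-databind 2.10 introduced for this purpose. Envelope, Ticket, readUntrusted and both JSON documents are constructed for illustration.

```java
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.json.JsonMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

// Added example, not code from the bugzilla reports or from jackson-databind.
// Envelope, Ticket and the two JSON documents are constructed for illustration.
public class DefaultTypingDemo {

    // A DTO with a polymorphic property declared as Object: exactly the shape
    // default typing exists for, and the shape these CVEs abuse.
    public static class Envelope {
        public Object payload;
    }

    public static class Ticket {
        public String id;
    }

    // Weak configuration (2.9.x and earlier): the JSON type id may name any
    // class on the classpath; only jackson's built-in denylist stands in the
    // way, so each newly discovered gadget class is a new CVE.
    static ObjectMapper weakMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping(ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE);
        return m;
    }

    // Corrected configuration (2.10+): default typing is gated by a
    // PolymorphicTypeValidator allow-list. Here only Ticket and its subtypes
    // may appear as a type id, whatever else happens to be on the classpath.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(Ticket.class)
                .build();
        return JsonMapper.builder()
                .activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE)
                .build();
    }

    // Deserializes untrusted input and reports which class ended up in
    // payload, or "denied" when the validator rejects the type id.
    static String readUntrusted(ObjectMapper mapper, String json) throws Exception {
        try {
            Envelope e = mapper.readValue(json, Envelope.class);
            return e.payload == null ? "null" : e.payload.getClass().getName();
        } catch (JsonMappingException ex) {
            // With the allow-list in place the denial surfaces as an
            // InvalidTypeIdException, a JsonMappingException subtype.
            return "denied: " + ex.getOriginalMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // What the service itself emits: the type id is the first element of
        // the wrapper array that default typing adds around the value.
        String legit = "{\"payload\":[\"DefaultTypingDemo$Ticket\",{\"id\":\"42\"}]}";

        // Attacker-controlled document: the type id names a class the service
        // never intended to deserialize. java.util.HashMap is harmless; a
        // gadget class such as those tracked in the bugs above would not be.
        String hostile = "{\"payload\":[\"java.util.HashMap\",{}]}";

        System.out.println("weak/legit:       " + readUntrusted(weakMapper(), legit));
        System.out.println("weak/hostile:     " + readUntrusted(weakMapper(), hostile));
        System.out.println("hardened/legit:   " + readUntrusted(hardenedMapper(), legit));
        System.out.println("hardened/hostile: " + readUntrusted(hardenedMapper(), hostile));
    }
}
```

Compile against jackson-databind 2.10 or later: JsonMapper.builder() and BasicPolymorphicTypeValidator do not exist in 2.9, and enableDefaultTyping is deprecated from 2.10 on but still compiles. The weak mapper instantiates whatever the type id names (a HashMap here), while the hardened mapper still reads the Ticket and rejects the HashMap document. Upgrading to a later 2.9.10.x patch release only extends the built-in denylist with the gadgets known at the time; switching to the validator, or removing default typing altogether, is what closes the class of bug. To check whether a deployment is exposed, look for enableDefaultTyping or @JsonTypeInfo(use = Id.CLASS) in the code base and for gadget-bearing jars such as the log4j 1.2.x extras on the runtime classpath.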
[Bug 1690417] New: Newer version of plantuml available 1.2019.3
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1690417
Bug ID: 1690417
Summary: Newer version of plantuml available 1.2019.3
Product: Fedora
Version: rawhide
Hardware: All
OS: All
Status: NEW
Component: plantuml
Severity: medium
Assignee: jsafrane(a)redhat.com
Reporter: elavarde(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: java-sig-commits(a)lists.fedoraproject.org,
jsafrane(a)redhat.com, puntogil(a)libero.it
Target Milestone: ---
Classification: Fedora
Description of problem:
The current packaged version of plantuml is 8033 and roughly 2 years old. Since
then there is a newer version 1.2019.3 and it would be nice to get it packaged.
Version-Release number of selected component (if applicable):
plantuml-8033-8.fc29.noarch
Additional info:
While you're packaging, two things to consider:
- the package must depend on graphviz to work (else it fails on missing `dot`)
- the Language Reference Guide should be packaged as well