[Bug 1758191] New: CVE-2019-16943 jackson-databind: Serialization gadgets in classes of the commons-dbcp package
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1758191
Bug ID: 1758191
Summary: CVE-2019-16943 jackson-databind: Serialization gadgets
in classes of the commons-dbcp package
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: psampaio(a)redhat.com
CC: aileenc(a)redhat.com, akoufoud(a)redhat.com,
alazarot(a)redhat.com, almorale(a)redhat.com,
anstephe(a)redhat.com, asoldano(a)redhat.com,
atangrin(a)redhat.com, ataylor(a)redhat.com,
avibelli(a)redhat.com, bbaranow(a)redhat.com,
bbuckingham(a)redhat.com, bcourt(a)redhat.com,
bgeorges(a)redhat.com, bkearney(a)redhat.com,
bmaxwell(a)redhat.com, bmontgom(a)redhat.com,
brian.stansberry(a)redhat.com, btotty(a)redhat.com,
cbyrne(a)redhat.com, cdewolf(a)redhat.com,
chazlett(a)redhat.com, cmacedo(a)redhat.com,
darran.lofthouse(a)redhat.com, dbecker(a)redhat.com,
decathorpe(a)gmail.com, dffrench(a)redhat.com,
dosoudil(a)redhat.com, drieden(a)redhat.com,
drusso(a)redhat.com, eparis(a)redhat.com,
etirelli(a)redhat.com, ganandan(a)redhat.com,
ggaughan(a)redhat.com, hhorak(a)redhat.com,
hhudgeon(a)redhat.com, ibek(a)redhat.com,
iweiss(a)redhat.com, janstey(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jawilson(a)redhat.com, jbalunas(a)redhat.com,
jburrell(a)redhat.com, jjoyce(a)redhat.com,
jmadigan(a)redhat.com, jochrist(a)redhat.com,
jokerman(a)redhat.com, jolee(a)redhat.com,
jorton(a)redhat.com, jpallich(a)redhat.com,
jperkins(a)redhat.com, jschatte(a)redhat.com,
jschluet(a)redhat.com, jshepherd(a)redhat.com,
jstastny(a)redhat.com, kbasil(a)redhat.com,
krathod(a)redhat.com, kverlaen(a)redhat.com,
kwills(a)redhat.com, lef(a)fedoraproject.org,
lgao(a)redhat.com, lhh(a)redhat.com, lpeer(a)redhat.com,
lthon(a)redhat.com, lzap(a)redhat.com,
mat.booth(a)redhat.com, mburns(a)redhat.com,
mkolesni(a)redhat.com, mmccune(a)redhat.com,
mnovotny(a)redhat.com, msochure(a)redhat.com,
msvehla(a)redhat.com, mszynkie(a)redhat.com,
ngough(a)redhat.com, nstielau(a)redhat.com,
nwallace(a)redhat.com, paradhya(a)redhat.com,
pdrozd(a)redhat.com, pgallagh(a)redhat.com,
pmackay(a)redhat.com, psotirop(a)redhat.com,
puntogil(a)libero.it, pwright(a)redhat.com,
rchan(a)redhat.com, rguimara(a)redhat.com,
rhcs-maint(a)redhat.com, rjerrido(a)redhat.com,
rrajasek(a)redhat.com, rruss(a)redhat.com,
rsvoboda(a)redhat.com, rsynek(a)redhat.com,
sclewis(a)redhat.com, scohen(a)redhat.com,
sdaley(a)redhat.com, slinaber(a)redhat.com,
smaestri(a)redhat.com, sponnaga(a)redhat.com,
stewardship-sig(a)lists.fedoraproject.org,
sthorger(a)redhat.com, swoodman(a)redhat.com,
tbrisker(a)redhat.com, tom.jenkinson(a)redhat.com,
trepel(a)redhat.com, trogers(a)redhat.com,
twalsh(a)redhat.com, vhalbert(a)redhat.com
Target Milestone: ---
Classification: Other
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0
through 2.9.10. When Default Typing is enabled (either globally or for a
specific property) for an externally exposed JSON endpoint and the service has
the p6spy (3.8.6) jar in the classpath, and an attacker can find an RMI service
endpoint to access, it is possible to make the service execute a malicious
payload. This issue exists because of com.p6spy.engine.spy.P6DataSource
mishandling.
Upstream issue:
https://github.com/FasterXML/jackson-databind/issues/2478
Upstream patch:
https://github.com/FasterXML/jackson-databind/commit/bc67eb11a7cf57561f86...
https://github.com/FasterXML/jackson-databind/commit/328a0f833daf6baa443a...
https://github.com/FasterXML/jackson-databind/commit/54aa38d87dcffa5ccc23...
References:
https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-...
--
You are receiving this mail because:
You are on the CC list for the bug.
3 years, 9 months
[Bug 1758187] New: CVE-2019-16942 jackson-databind: Serialization gadgets in classes of the commons-dbcp package
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1758187
Bug ID: 1758187
Summary: CVE-2019-16942 jackson-databind: Serialization gadgets
in classes of the commons-dbcp package
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: psampaio(a)redhat.com
CC: aileenc(a)redhat.com, akoufoud(a)redhat.com,
alazarot(a)redhat.com, almorale(a)redhat.com,
anstephe(a)redhat.com, asoldano(a)redhat.com,
atangrin(a)redhat.com, ataylor(a)redhat.com,
avibelli(a)redhat.com, bbaranow(a)redhat.com,
bbuckingham(a)redhat.com, bcourt(a)redhat.com,
bgeorges(a)redhat.com, bkearney(a)redhat.com,
bmaxwell(a)redhat.com, bmontgom(a)redhat.com,
brian.stansberry(a)redhat.com, btotty(a)redhat.com,
cbyrne(a)redhat.com, cdewolf(a)redhat.com,
chazlett(a)redhat.com, cmacedo(a)redhat.com,
darran.lofthouse(a)redhat.com, dbecker(a)redhat.com,
decathorpe(a)gmail.com, dffrench(a)redhat.com,
dosoudil(a)redhat.com, drieden(a)redhat.com,
drusso(a)redhat.com, eparis(a)redhat.com,
etirelli(a)redhat.com, ganandan(a)redhat.com,
ggaughan(a)redhat.com, hhorak(a)redhat.com,
hhudgeon(a)redhat.com, ibek(a)redhat.com,
iweiss(a)redhat.com, janstey(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jawilson(a)redhat.com, jbalunas(a)redhat.com,
jburrell(a)redhat.com, jjoyce(a)redhat.com,
jmadigan(a)redhat.com, jochrist(a)redhat.com,
jokerman(a)redhat.com, jolee(a)redhat.com,
jorton(a)redhat.com, jpallich(a)redhat.com,
jperkins(a)redhat.com, jschatte(a)redhat.com,
jschluet(a)redhat.com, jshepherd(a)redhat.com,
jstastny(a)redhat.com, kbasil(a)redhat.com,
krathod(a)redhat.com, kverlaen(a)redhat.com,
kwills(a)redhat.com, lef(a)fedoraproject.org,
lgao(a)redhat.com, lhh(a)redhat.com, lpeer(a)redhat.com,
lthon(a)redhat.com, lzap(a)redhat.com,
mat.booth(a)redhat.com, mburns(a)redhat.com,
mkolesni(a)redhat.com, mmccune(a)redhat.com,
mnovotny(a)redhat.com, msochure(a)redhat.com,
msvehla(a)redhat.com, mszynkie(a)redhat.com,
ngough(a)redhat.com, nstielau(a)redhat.com,
nwallace(a)redhat.com, paradhya(a)redhat.com,
pdrozd(a)redhat.com, pgallagh(a)redhat.com,
pmackay(a)redhat.com, psotirop(a)redhat.com,
puntogil(a)libero.it, pwright(a)redhat.com,
rchan(a)redhat.com, rguimara(a)redhat.com,
rhcs-maint(a)redhat.com, rjerrido(a)redhat.com,
rrajasek(a)redhat.com, rruss(a)redhat.com,
rsvoboda(a)redhat.com, rsynek(a)redhat.com,
sclewis(a)redhat.com, scohen(a)redhat.com,
sdaley(a)redhat.com, slinaber(a)redhat.com,
smaestri(a)redhat.com, sponnaga(a)redhat.com,
stewardship-sig(a)lists.fedoraproject.org,
sthorger(a)redhat.com, swoodman(a)redhat.com,
tbrisker(a)redhat.com, tom.jenkinson(a)redhat.com,
trepel(a)redhat.com, trogers(a)redhat.com,
twalsh(a)redhat.com, vhalbert(a)redhat.com
Target Milestone: ---
Classification: Other
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0
through 2.9.10. When Default Typing is enabled (either globally or for a
specific property) for an externally exposed JSON endpoint and the service has
the commons-dbcp (1.4) jar in the classpath, and an attacker can find an RMI
service endpoint to access, it is possible to make the service execute a
malicious payload. This issue exists because of
org.apache.commons.dbcp.datasources.SharedPoolDataSource and
org.apache.commons.dbcp.datasources.PerUserPoolDataSource mishandling.
Upstream issue:
https://github.com/FasterXML/jackson-databind/issues/2478
Upstream patch:
https://github.com/FasterXML/jackson-databind/commit/bc67eb11a7cf57561f86...
https://github.com/FasterXML/jackson-databind/commit/328a0f833daf6baa443a...
https://github.com/FasterXML/jackson-databind/commit/54aa38d87dcffa5ccc23...
References:
https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-...
--
You are receiving this mail because:
You are on the CC list for the bug.
3 years, 9 months
[Bug 1758182] New: jackson-databind: Serialization gadgets in classes of the xalan package
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1758182
Bug ID: 1758182
Summary: jackson-databind: Serialization gadgets in classes of
the xalan package
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: psampaio(a)redhat.com
CC: aileenc(a)redhat.com, akoufoud(a)redhat.com,
alazarot(a)redhat.com, almorale(a)redhat.com,
anstephe(a)redhat.com, asoldano(a)redhat.com,
atangrin(a)redhat.com, ataylor(a)redhat.com,
avibelli(a)redhat.com, bbaranow(a)redhat.com,
bbuckingham(a)redhat.com, bcourt(a)redhat.com,
bgeorges(a)redhat.com, bkearney(a)redhat.com,
bmaxwell(a)redhat.com, bmontgom(a)redhat.com,
brian.stansberry(a)redhat.com, btotty(a)redhat.com,
cbyrne(a)redhat.com, cdewolf(a)redhat.com,
chazlett(a)redhat.com, cmacedo(a)redhat.com,
darran.lofthouse(a)redhat.com, dbecker(a)redhat.com,
decathorpe(a)gmail.com, dffrench(a)redhat.com,
dosoudil(a)redhat.com, drieden(a)redhat.com,
drusso(a)redhat.com, eparis(a)redhat.com,
etirelli(a)redhat.com, ganandan(a)redhat.com,
ggaughan(a)redhat.com, hhorak(a)redhat.com,
hhudgeon(a)redhat.com, ibek(a)redhat.com,
iweiss(a)redhat.com, janstey(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jawilson(a)redhat.com, jbalunas(a)redhat.com,
jburrell(a)redhat.com, jjoyce(a)redhat.com,
jmadigan(a)redhat.com, jochrist(a)redhat.com,
jokerman(a)redhat.com, jolee(a)redhat.com,
jorton(a)redhat.com, jpallich(a)redhat.com,
jperkins(a)redhat.com, jschatte(a)redhat.com,
jschluet(a)redhat.com, jshepherd(a)redhat.com,
jstastny(a)redhat.com, kbasil(a)redhat.com,
krathod(a)redhat.com, kverlaen(a)redhat.com,
kwills(a)redhat.com, lef(a)fedoraproject.org,
lgao(a)redhat.com, lhh(a)redhat.com, lpeer(a)redhat.com,
lthon(a)redhat.com, lzap(a)redhat.com,
mat.booth(a)redhat.com, mburns(a)redhat.com,
mkolesni(a)redhat.com, mmccune(a)redhat.com,
mnovotny(a)redhat.com, msochure(a)redhat.com,
msvehla(a)redhat.com, mszynkie(a)redhat.com,
ngough(a)redhat.com, nstielau(a)redhat.com,
nwallace(a)redhat.com, paradhya(a)redhat.com,
pdrozd(a)redhat.com, pgallagh(a)redhat.com,
pmackay(a)redhat.com, psotirop(a)redhat.com,
puntogil(a)libero.it, pwright(a)redhat.com,
rchan(a)redhat.com, rguimara(a)redhat.com,
rhcs-maint(a)redhat.com, rjerrido(a)redhat.com,
rrajasek(a)redhat.com, rruss(a)redhat.com,
rsvoboda(a)redhat.com, rsynek(a)redhat.com,
sclewis(a)redhat.com, scohen(a)redhat.com,
sdaley(a)redhat.com, slinaber(a)redhat.com,
smaestri(a)redhat.com, sponnaga(a)redhat.com,
stewardship-sig(a)lists.fedoraproject.org,
sthorger(a)redhat.com, swoodman(a)redhat.com,
tbrisker(a)redhat.com, tom.jenkinson(a)redhat.com,
trepel(a)redhat.com, trogers(a)redhat.com,
twalsh(a)redhat.com, vhalbert(a)redhat.com
Target Milestone: ---
Classification: Other
A flaw was found in jackson-databind before 2.9.10. New serialization gadgets
were found regarding a class of the xalan package which may help in exploiting
deserialization issues.
Upstream issue:
https://github.com/FasterXML/jackson-databind/issues/2469
Upstream patch:
https://github.com/FasterXML/jackson-databind/commit/998efd708284778f29d8...
References:
https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-...
--
You are receiving this mail because:
You are on the CC list for the bug.
3 years, 9 months
[Bug 1755849] New: CVE-2019-14540 jackson-databind: polymorphic typing issue related to com.zaxxer.hikari.HikariConfig
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1755849
Bug ID: 1755849
Summary: CVE-2019-14540 jackson-databind: polymorphic typing
issue related to com.zaxxer.hikari.HikariConfig
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: darunesh(a)redhat.com
CC: ahardin(a)redhat.com, aileenc(a)redhat.com,
akoufoud(a)redhat.com, alazarot(a)redhat.com,
almorale(a)redhat.com, anstephe(a)redhat.com,
asoldano(a)redhat.com, atangrin(a)redhat.com,
ataylor(a)redhat.com, avibelli(a)redhat.com,
bbaranow(a)redhat.com, bbuckingham(a)redhat.com,
bcourt(a)redhat.com, bgeorges(a)redhat.com,
bkearney(a)redhat.com, bleanhar(a)redhat.com,
bmaxwell(a)redhat.com, brian.stansberry(a)redhat.com,
btotty(a)redhat.com, cbyrne(a)redhat.com,
ccoleman(a)redhat.com, cdewolf(a)redhat.com,
chazlett(a)redhat.com, cmacedo(a)redhat.com,
darran.lofthouse(a)redhat.com, dbecker(a)redhat.com,
decathorpe(a)gmail.com, dedgar(a)redhat.com,
dffrench(a)redhat.com, dosoudil(a)redhat.com,
drieden(a)redhat.com, drusso(a)redhat.com,
eparis(a)redhat.com, etirelli(a)redhat.com,
ganandan(a)redhat.com, ggaughan(a)redhat.com,
hhorak(a)redhat.com, hhudgeon(a)redhat.com,
ibek(a)redhat.com, iweiss(a)redhat.com,
janstey(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jawilson(a)redhat.com, jbalunas(a)redhat.com,
jgoulding(a)redhat.com, jjoyce(a)redhat.com,
jmadigan(a)redhat.com, jochrist(a)redhat.com,
jokerman(a)redhat.com, jolee(a)redhat.com,
jorton(a)redhat.com, jpallich(a)redhat.com,
jperkins(a)redhat.com, jschatte(a)redhat.com,
jschluet(a)redhat.com, jshepherd(a)redhat.com,
jstastny(a)redhat.com, kbasil(a)redhat.com,
krathod(a)redhat.com, kverlaen(a)redhat.com,
kwills(a)redhat.com, lef(a)fedoraproject.org,
lgao(a)redhat.com, lhh(a)redhat.com, lpeer(a)redhat.com,
lthon(a)redhat.com, lzap(a)redhat.com,
mat.booth(a)redhat.com, mburns(a)redhat.com,
mchappel(a)redhat.com, mkolesni(a)redhat.com,
mmccune(a)redhat.com, mnovotny(a)redhat.com,
msochure(a)redhat.com, msvehla(a)redhat.com,
mszynkie(a)redhat.com, ngough(a)redhat.com,
nstielau(a)redhat.com, nwallace(a)redhat.com,
paradhya(a)redhat.com, pdrozd(a)redhat.com,
pgallagh(a)redhat.com, pmackay(a)redhat.com,
psotirop(a)redhat.com, puntogil(a)libero.it,
pwright(a)redhat.com, rchan(a)redhat.com,
rguimara(a)redhat.com, rhcs-maint(a)redhat.com,
rjerrido(a)redhat.com, rrajasek(a)redhat.com,
rruss(a)redhat.com, rsvoboda(a)redhat.com,
rsynek(a)redhat.com, sclewis(a)redhat.com,
scohen(a)redhat.com, sdaley(a)redhat.com,
slinaber(a)redhat.com, smaestri(a)redhat.com,
stewardship-sig(a)lists.fedoraproject.org,
sthorger(a)redhat.com, swoodman(a)redhat.com,
tbrisker(a)redhat.com, tom.jenkinson(a)redhat.com,
trepel(a)redhat.com, trogers(a)redhat.com,
twalsh(a)redhat.com, vhalbert(a)redhat.com
Target Milestone: ---
Classification: Other
A Polymorphic Typing issue was discovered in FasterXML jackson-databind before
2.9.10. It is related to com.zaxxer.hikari.HikariConfig.
Reference:
https://github.com/FasterXML/jackson-databind/blob/master/release-notes/V...
https://github.com/FasterXML/jackson-databind/issues/2410
https://github.com/FasterXML/jackson-databind/issues/2449
https://lists.apache.org/thread.html/0fcef7321095ce0bc597d468d150cff3d647...
https://lists.apache.org/thread.html/40c00861b53bb611dee7d6f35f864aa7d1c1...
https://lists.apache.org/thread.html/a4f2c9fb36642a48912cdec6836ec00e4974...
--
You are receiving this mail because:
You are on the CC list for the bug.
3 years, 9 months
[Bug 1713468] New: CVE-2019-12086 jackson-databind: polymorphic typing issue allows attacker to read arbitrary local files on the server.
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1713468
Bug ID: 1713468
Summary: CVE-2019-12086 jackson-databind: polymorphic typing
issue allows attacker to read arbitrary local files on
the server.
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Whiteboard: impact=moderate,public=20190514,reported=20190518,sour
ce=cve,cvss3=7.5/CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/
I:N/A:N,cwe=CWE-502->CWE-200,fuse-6/jackson-databind=n
ew,fuse-7/jackson-databind=new,eap-7/jackson-databind=
new,rhdm-7/jackson-databind=new,rhpam-7/jackson-databi
nd=new,rhscl-3/rh-maven35-jackson-databind=new,openshi
ft-enterprise-3/jackson-databind=new,rhn_satellite_6/j
ackson-databind=new,vertx-3/jackson-databind=new,rhsso
-7/jackson-databind=new,rhmap-4/jackson-databind=new,b
pms-6/jackson-databind=new,swarm-7/jackson-databind=ne
w,amq-6/jackson-databind=new,amq-st/jackson-databind=n
ew,fedora-all/jackson-databind=affected,rhel-8/pki-dep
s:10.6/jackson-databind=new,openstack-10/opendaylight=
new,openstack-13/opendaylight=new,openstack-14/openday
light=new,openstack-8/opendaylight=new,openstack-9/ope
ndaylight=new
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: msiddiqu(a)redhat.com
CC: ahardin(a)redhat.com, aileenc(a)redhat.com,
akoufoud(a)redhat.com, alazarot(a)redhat.com,
almorale(a)redhat.com, anstephe(a)redhat.com,
ataylor(a)redhat.com, avibelli(a)redhat.com,
bbuckingham(a)redhat.com, bcourt(a)redhat.com,
bgeorges(a)redhat.com, bkearney(a)redhat.com,
bleanhar(a)redhat.com, bmaxwell(a)redhat.com,
btotty(a)redhat.com, cbyrne(a)redhat.com,
ccoleman(a)redhat.com, cdewolf(a)redhat.com,
chazlett(a)redhat.com, cmacedo(a)redhat.com,
csutherl(a)redhat.com, darran.lofthouse(a)redhat.com,
dbecker(a)redhat.com, dedgar(a)redhat.com,
dffrench(a)redhat.com, dosoudil(a)redhat.com,
drieden(a)redhat.com, drusso(a)redhat.com,
eparis(a)redhat.com, etirelli(a)redhat.com,
hhorak(a)redhat.com, hhudgeon(a)redhat.com,
ibek(a)redhat.com, janstey(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jawilson(a)redhat.com, jbalunas(a)redhat.com,
jgoulding(a)redhat.com, jjoyce(a)redhat.com,
jkurik(a)redhat.com, jmadigan(a)redhat.com,
jochrist(a)redhat.com, jokerman(a)redhat.com,
jorton(a)redhat.com, jpallich(a)redhat.com,
jschluet(a)redhat.com, jshepherd(a)redhat.com,
kbasil(a)redhat.com, krathod(a)redhat.com,
kverlaen(a)redhat.com, lef(a)fedoraproject.org,
lgao(a)redhat.com, lhh(a)redhat.com, lpeer(a)redhat.com,
lpetrovi(a)redhat.com, lthon(a)redhat.com,
lzap(a)redhat.com, mat.booth(a)redhat.com,
mburns(a)redhat.com, mchappel(a)redhat.com,
mhulan(a)redhat.com, mkolesni(a)redhat.com,
mmccune(a)redhat.com, mnovotny(a)redhat.com,
mszynkie(a)redhat.com, ngough(a)redhat.com,
paradhya(a)redhat.com, pdrozd(a)redhat.com,
pgallagh(a)redhat.com, pgier(a)redhat.com,
ppenicka(a)redhat.com, psakar(a)redhat.com,
pslavice(a)redhat.com, psotirop(a)redhat.com,
puntogil(a)libero.it, pwright(a)redhat.com,
rchan(a)redhat.com, rhcs-maint(a)redhat.com,
rjerrido(a)redhat.com, rnetuka(a)redhat.com,
rrajasek(a)redhat.com, rruss(a)redhat.com,
rsvoboda(a)redhat.com, rsynek(a)redhat.com,
sclewis(a)redhat.com, scohen(a)redhat.com,
sdaley(a)redhat.com, slinaber(a)redhat.com,
sthorger(a)redhat.com, tbrisker(a)redhat.com,
tom.jenkinson(a)redhat.com, trepel(a)redhat.com,
trogers(a)redhat.com, twalsh(a)redhat.com,
vtunka(a)redhat.com
Target Milestone: ---
Classification: Other
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x
before 2.9.9. When Default Typing is enabled (either globally or for a specific
property) for an externally exposed JSON endpoint, the service has the
mysql-connector-java jar (8.0.14 or earlier) in the classpath, and an attacker
can host a crafted MySQL server reachable by the victim, an attacker can send a
crafted JSON message that allows them to read arbitrary local files on the
server. This occurs because of missing com.mysql.cj.jdbc.admin.MiniAdmin
validation.
Upstream patch:
https://github.com/FasterXML/jackson-databind/commit/dda513bd7251b4f32b7b...
Upstream issue:
https://github.com/FasterXML/jackson-databind/issues/2326
References:
https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.9
https://issues.jboss.org/browse/RESTEASY-2248
http://russiansecurity.expert/2016/04/20/mysql-connect-file-read/
https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-...
--
You are receiving this mail because:
You are on the CC list for the bug.
3 years, 9 months
[Bug 1768665] New: tika-app, tika-eval, tika-langdetect and tika-translate cannot be installed
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1768665
Bug ID: 1768665
Summary: tika-app, tika-eval, tika-langdetect and
tika-translate cannot be installed
Product: Fedora
Version: 31
Status: NEW
Component: tika
Assignee: extras-orphan(a)fedoraproject.org
Reporter: phil(a)fifi.org
QA Contact: extras-qa(a)fedoraproject.org
CC: extras-orphan(a)fedoraproject.org,
java-sig-commits(a)lists.fedoraproject.org,
lef(a)fedoraproject.org, puntogil(a)libero.it
Target Milestone: ---
Classification: Fedora
Description of problem:
tika-app, tika-eval, tika-langdetect and tika-translate cannot be installed on
Fedora 31
Version-Release number of selected component (if applicable):
tika-app-1.17-4.fc30.noarch
tika-eval-1.17-4.fc30.noarch
tika-langdetect-1.17-4.fc30.noarch
tika-translate-1.17-4.fc30.noarch
How reproducible:
Always
Steps to Reproduce:
1. dnf install tika-app-1.17-4.fc30.noarch tika-eval-1.17-4.fc30.noarch
tika-langdetect-1.17-4.fc30.noarch tika-translate-1.17-4.fc30.noarch
Actual results:
Error:
Problem 1: conflicting requests
- nothing provides mvn(org.apache.cxf:cxf-rt-frontend-jaxrs) needed by
tika-translate-1.17-4.fc30.noarch
Problem 2: conflicting requests
- nothing provides mvn(org.apache.cxf:cxf-rt-rs-client) needed by
tika-langdetect-1.17-4.fc30.noarch
Problem 3: conflicting requests
- nothing provides mvn(com.h2database:h2) needed by
tika-eval-1.17-4.fc30.noarch
Problem 4: conflicting requests
- package tika-app-1.17-4.fc30.noarch requires
mvn(org.apache.tika:tika-langdetect) = 1.17, but none of the providers can be
installed
- nothing provides mvn(org.apache.cxf:cxf-rt-rs-client) needed by
tika-langdetect-1.17-4.fc30.noarch
Expected results:
Packages should be installed.
--
You are receiving this mail because:
You are on the CC list for the bug.
3 years, 9 months
[Bug 1778680] New: CVE-2019-10088 tika: a carefully crafted or corrupt zip file can cause an OOM [fedora-all]
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1778680
Bug ID: 1778680
Summary: CVE-2019-10088 tika: a carefully crafted or corrupt
zip file can cause an OOM [fedora-all]
Product: Fedora
Version: 31
Status: NEW
Component: tika
Keywords: Security, SecurityTracking
Severity: medium
Priority: medium
Assignee: extras-orphan(a)fedoraproject.org
Reporter: mrehak(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: extras-orphan(a)fedoraproject.org,
java-sig-commits(a)lists.fedoraproject.org,
lef(a)fedoraproject.org, puntogil(a)libero.it
Target Milestone: ---
Classification: Fedora
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fedora. While only
one tracking bug has been filed, please correct all affected versions at
the same time. If you need to fix the versions independent of each other,
you may clone this bug as appropriate.
--
You are receiving this mail because:
You are on the CC list for the bug.
3 years, 9 months
[Bug 1778688] New: CVE-2019-10094 tika: crafted package/compressed file can cause a StackOverflowError in RecursiveParserWrapper [fedora-all]
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1778688
Bug ID: 1778688
Summary: CVE-2019-10094 tika: crafted package/compressed file
can cause a StackOverflowError in
RecursiveParserWrapper [fedora-all]
Product: Fedora
Version: 31
Status: NEW
Component: tika
Keywords: Security, SecurityTracking
Severity: medium
Priority: medium
Assignee: extras-orphan(a)fedoraproject.org
Reporter: mrehak(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: extras-orphan(a)fedoraproject.org,
java-sig-commits(a)lists.fedoraproject.org,
lef(a)fedoraproject.org, puntogil(a)libero.it
Target Milestone: ---
Classification: Fedora
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fedora. While only
one tracking bug has been filed, please correct all affected versions at
the same time. If you need to fix the versions independent of each other,
you may clone this bug as appropriate.
--
You are receiving this mail because:
You are on the CC list for the bug.
3 years, 9 months