logo
DATABASE RESOURCES PRICING ABOUT US

[SECURITY] [DLA 1831-1] jackson-databind security update

Description

Package : jackson-databind Version : 2.4.2-2+deb8u7 CVE ID : CVE-2019-12384 CVE-2019-12814 Debian Bug : 930750 More Polymorphic Typing issues were discovered in jackson-databind. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has JDOM 1.x or 2.x or logback-core jar in the classpath, an attacker can send a specifically crafted JSON message that allows them to read arbitrary local files on the server. For Debian 8 "Jessie", these problems have been fixed in version 2.4.2-2+deb8u7. We recommend that you upgrade your jackson-databind packages. Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS


Affected Package


OS OS Version Package Name Package Version
Debian 9 jackson-databind 2.8.6-1+deb9u6
Debian 8 jackson-databind 2.4.2-2+deb8u7
Debian 9 libjackson2-databind-java-doc 2.8.6-1+deb9u6
Debian 8 libjackson2-databind-java-doc 2.4.2-2+deb8u7
Debian 8 libjackson2-databind-java 2.4.2-2+deb8u7
Debian 9 libjackson2-databind-java 2.8.6-1+deb9u6

Related