Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 771693 (CVE-2019-20330, CVE-2020-10672, CVE-2020-10673, CVE-2020-10968, CVE-2020-10969, CVE-2020-11111, CVE-2020-11112, CVE-2020-11113, CVE-2020-11619, CVE-2020-11620, CVE-2020-14060, CVE-2020-14061, CVE-2020-14062, CVE-2020-14195, CVE-2020-24616, CVE-2020-24750, CVE-2020-25649, CVE-2020-28491, CVE-2020-35490, CVE-2020-35491, CVE-2020-35728, CVE-2020-36179, CVE-2020-36180, CVE-2020-36181, CVE-2020-36182, CVE-2020-36183, CVE-2020-36184, CVE-2020-36185, CVE-2020-36186, CVE-2020-36187, CVE-2020-36188, CVE-2020-36189, CVE-2020-8840, CVE-2020-9546, CVE-2020-9547, CVE-2020-9548, CVE-2021-20190) - dev-java/jackson: multiple vulnerabilities
Summary: dev-java/jackson: multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2019-20330, CVE-2020-10672, CVE-2020-10673, CVE-2020-10968, CVE-2020-10969, CVE-2020-11111, CVE-2020-11112, CVE-2020-11113, CVE-2020-11619, CVE-2020-11620, CVE-2020-14060, CVE-2020-14061, CVE-2020-14062, CVE-2020-14195, CVE-2020-24616, CVE-2020-24750, CVE-2020-25649, CVE-2020-28491, CVE-2020-35490, CVE-2020-35491, CVE-2020-35728, CVE-2020-36179, CVE-2020-36180, CVE-2020-36181, CVE-2020-36182, CVE-2020-36183, CVE-2020-36184, CVE-2020-36185, CVE-2020-36186, CVE-2020-36187, CVE-2020-36188, CVE-2020-36189, CVE-2020-8840, CVE-2020-9546, CVE-2020-9547, CVE-2020-9548, CVE-2021-20190
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial
Assignee: Gentoo Security
URL:
Whiteboard: ~? [noglsa]
Keywords: PMASKED, PullRequest
Depends on:
Blocks:
 
Reported: 2021-02-20 01:05 UTC by John Helmert III
Modified: 2022-01-19 02:23 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-02-20 01:05:12 UTC 
Description:CVE-2019-20330 (https://github.com/FasterXML/jackson-databind/issues/2526):

FasterXML jackson-databind 2.x before 2.9.10.2 lacks certain net.sf.ehcache blocking.

CVE-2020-10672 (https://github.com/FasterXML/jackson-databind/issues/2659):

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory (aka aries.transaction.jms).

CVE-2020-10673 (https://github.com/FasterXML/jackson-databind/issues/2660):

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.caucho.config.types.ResourceRef (aka caucho-quercus).

CVE-2020-10968 (https://github.com/FasterXML/jackson-databind/issues/2662):

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.aoju.bus.proxy.provider.remoting.RmiProvider (aka bus-proxy).

CVE-2020-10969 (https://github.com/FasterXML/jackson-databind/issues/2642):

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to javax.swing.JEditorPane.

CVE-2020-11111 (https://github.com/FasterXML/jackson-databind/issues/2664):

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.activemq.* (aka activemq-jms, activemq-core, activemq-pool, and activemq-pool-jms).

CVE-2020-11112 (https://github.com/FasterXML/jackson-databind/issues/2666):

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.proxy.provider.remoting.RmiProvider (aka apache/commons-proxy).

CVE-2020-11113 (https://github.com/FasterXML/jackson-databind/issues/2670):

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.openjpa.ee.WASRegistryManagedRuntime (aka openjpa).

CVE-2020-11619 (https://github.com/FasterXML/jackson-databind/issues/2680):

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.springframework.aop.config.MethodLocatingFactoryBean (aka spring-aop).

CVE-2020-11620 (https://github.com/FasterXML/jackson-databind/issues/2682):

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.jelly.impl.Embedded (aka commons-jelly).

CVE-2020-14060 (https://github.com/FasterXML/jackson-databind/issues/2688):

FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.xalan.lib.sql.JNDIConnectionPool (aka apache/drill).

CVE-2020-14061 (https://github.com/FasterXML/jackson-databind/issues/2698):

FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oracle.jms.AQjmsQueueConnectionFactory, oracle.jms.AQjmsXATopicConnectionFactory, oracle.jms.AQjmsTopicConnectionFactory, oracle.jms.AQjmsXAQueueConnectionFactory, and oracle.jms.AQjmsXAConnectionFactory (aka weblogic/oracle-aqjms).

CVE-2020-14062 (https://github.com/FasterXML/jackson-databind/issues/2704):

FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool (aka xalan2).

CVE-2020-14195 (https://github.com/FasterXML/jackson-databind/issues/2765):

FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to org.jsecurity.realm.jndi.JndiRealmFactory (aka org.jsecurity).

CVE-2020-24616 (https://github.com/FasterXML/jackson-databind/issues/2814):

FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPDataSource (aka Anteros-DBCP).

CVE-2020-24750 (https://github.com/FasterXML/jackson-databind/issues/2798):

FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to com.pastdev.httpcomponents.configuration.JndiConfiguration.

CVE-2020-25649 (https://github.com/FasterXML/jackson-databind/issues/2589):

A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. This flaw allows vulnerability to XML external entity (XXE) attacks. The highest threat from this vulnerability is data integrity.

CVE-2020-28491 (https://github.com/FasterXML/jackson-dataformats-binary/issues/186):

This affects the package com.fasterxml.jackson.dataformat:jackson-dataformat-cbor from 0 and before 2.11.4, from 2.12.0-rc1 and before 2.12.1. Unchecked allocation of byte buffer can cause a java.lang.OutOfMemoryError exception.

CVE-2020-35490 (https://github.com/FasterXML/jackson-databind/issues/2986):

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.PerUserPoolDataSource.

CVE-2020-35491 (https://github.com/FasterXML/jackson-databind/issues/2986):

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.SharedPoolDataSource.

CVE-2020-35728 (https://github.com/FasterXML/jackson-databind/issues/2999):

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool (aka embedded Xalan in org.glassfish.web/javax.servlet.jsp.jstl).

CVE-2020-36179 (https://github.com/FasterXML/jackson-databind/issues/3004):

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to oadd.org.apache.commons.dbcp.cpdsadapter.DriverAdapterCPDS.

CVE-2020-36180 (https://github.com/FasterXML/jackson-databind/issues/3004):

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS.

CVE-2020-36181 (https://github.com/FasterXML/jackson-databind/issues/3004):

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS.

CVE-2020-36182 (https://github.com/FasterXML/jackson-databind/issues/3004):

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS.

CVE-2020-36183 (https://github.com/FasterXML/jackson-databind/issues/3003):

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool.

CVE-2020-36184 (https://github.com/FasterXML/jackson-databind/issues/2998):

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource.

CVE-2020-36185 (https://github.com/FasterXML/jackson-databind/issues/2998):

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource.

CVE-2020-36186 (https://github.com/FasterXML/jackson-databind/issues/2997):

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource.

CVE-2020-36187 (https://github.com/FasterXML/jackson-databind/issues/2997):

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource.

CVE-2020-36188 (https://github.com/FasterXML/jackson-databind/issues/2996):

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource.

CVE-2020-36189 (https://github.com/FasterXML/jackson-databind/issues/2996):

FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource.

CVE-2020-8840 (https://github.com/FasterXML/jackson-databind/issues/2620):

FasterXML jackson-databind 2.0.0 through 2.9.10.2 lacks certain xbean-reflect/JNDI blocking, as demonstrated by org.apache.xbean.propertyeditor.JndiConverter.

CVE-2020-9546 (https://github.com/FasterXML/jackson-databind/issues/2631):

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig (aka shaded hikari-config).

CVE-2020-9547 (https://github.com/FasterXML/jackson-databind/issues/2634):

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig (aka ibatis-sqlmap).

CVE-2020-9548 (https://github.com/FasterXML/jackson-databind/issues/2634):

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPConfig (aka anteros-core).

CVE-2021-20190 (https://github.com/FasterXML/jackson-databind/issues/2854):

A flaw was found in jackson-databind before 2.9.10.7. FasterXML mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.


I'm not sure if all of these are relevant for us, but this needs a bump
anyway and surely some of them are.

Another good reference for many of these:
https://cowtowncoder.medium.com/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062
Comment 1 NATTkA bot gentoo-dev 2021-07-29 17:23:58 UTC Comment hidden (obsolete)
Comment 2 NATTkA bot gentoo-dev 2021-07-29 17:32:24 UTC Comment hidden (obsolete)
Comment 3 NATTkA bot gentoo-dev 2021-07-29 17:40:17 UTC Comment hidden (obsolete)
Comment 4 NATTkA bot gentoo-dev 2021-07-29 17:48:27 UTC Comment hidden (obsolete)
Comment 5 NATTkA bot gentoo-dev 2021-07-29 18:04:24 UTC Comment hidden (obsolete)
Comment 6 NATTkA bot gentoo-dev 2021-07-29 18:12:42 UTC 
Package list is empty or all packages have requested keywords.
Comment 7 Larry the Git Cow gentoo-dev 2021-11-16 06:22:01 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ba66549bb2f229ebe1b73b9e214a73cc6bd930be

commit ba66549bb2f229ebe1b73b9e214a73cc6bd930be
Author:     Volkmar W. Pogatzki <gentoo@pogatzki.net>
AuthorDate: 2021-11-15 11:15:50 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2021-11-16 06:21:31 +0000

    profiles/package.mask: last-rite dev-java/jackson
    
    Bug: https://bugs.gentoo.org/771693
    Signed-off-by: Volkmar W. Pogatzki <gentoo@pogatzki.net>
    Closes: https://github.com/gentoo/gentoo/pull/22957
    Signed-off-by: Sam James <sam@gentoo.org>

 profiles/package.mask | 5 +++++
 1 file changed, 5 insertions(+)
Comment 8 Larry the Git Cow gentoo-dev 2021-12-19 08:30:50 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c5419805a82492bdc0f09e2b8dea0406307d03c0

commit c5419805a82492bdc0f09e2b8dea0406307d03c0
Author:     Volkmar W. Pogatzki <gentoo@pogatzki.net>
AuthorDate: 2021-12-19 08:09:25 +0000
Commit:     Miroslav Šulc <fordfrog@gentoo.org>
CommitDate: 2021-12-19 08:30:40 +0000

    profiles/package.mask: last-rite dev-java/jackson
    
    Bug: https://bugs.gentoo.org/771693
    
    Signed-off-by: Volkmar W. Pogatzki <gentoo@pogatzki.net>
    Closes: https://github.com/gentoo/gentoo/pull/23416
    Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org>

 profiles/package.mask | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)
Comment 9 Larry the Git Cow gentoo-dev 2022-01-18 23:35:05 UTC 
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=80f53fd37dd702b1f082a897689753c4601fe43b

commit 80f53fd37dd702b1f082a897689753c4601fe43b
Author:     Jakov Smolić <jsmolic@gentoo.org>
AuthorDate: 2022-01-18 23:22:42 +0000
Commit:     Jakov Smolić <jsmolic@gentoo.org>
CommitDate: 2022-01-18 23:34:44 +0000

    dev-java/jackson: treeclean
    
    Closes: https://bugs.gentoo.org/829771
    Closes: https://bugs.gentoo.org/771693
    Signed-off-by: Jakov Smolić <jsmolic@gentoo.org>

 dev-java/jackson/Manifest              |  1 -
 dev-java/jackson/jackson-2.9.10.ebuild | 59 ----------------------------------
 dev-java/jackson/metadata.xml          | 11 -------
 profiles/package.mask                  |  4 ---
 4 files changed, 75 deletions(-)
Comment 10 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-01-19 02:23:40 UTC 
In this case the package is all unstable so no GLSA. Bug already closed, but please note that security bugs shouldn't be closed on treeclean.