Bug 675156 (CVE-2018-19360, CVE-2018-19361, CVE-2018-19362)

Summary:	dev-java/jackson-databind: multiple vulnerabilities
Product:	Gentoo Security	Reporter:	Melissa Mcdonald <melrosemc216599>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	trivial	CC:	java
Priority:	Low
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	https://github.com/FasterXML/jackson-databind/issues/2186
Whiteboard:	~2 [ebuild]
Package list:		Runtime testing required:	---
Bug Depends on:	675682
Bug Blocks:

Description Melissa Mcdonald 2019-01-11 05:00:04 UTC

https://nvd.nist.gov/vuln/detail/CVE-2018-19360:

FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the axis2-transport-jms class from polymorphic deserialization.

https://nvd.nist.gov/vuln/detail/CVE-2018-19361:

FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the openjpa class from polymorphic deserialization.

https://nvd.nist.gov/vuln/detail/CVE-2018-19362:

FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the jboss-common-core class from polymorphic deserialization.

Upstream Patch: https://github.com/FasterXML/jackson-databind/commit/42912cac4753f3f718ece875e4d486f8264c2f2b


-tubbytootone

Comment 1 Patrice Clement gentoo-dev

2019-05-12 08:45:20 UTC

Package removed from the Portage tree.

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6599dc1625a0840c6280b60cc6cacf388fc8d049