Bug 675650 (CVE-2018-12022, CVE-2018-12023)

Summary:	dev-java/jackson-databind: multiple vulnerabilities
Product:	Gentoo Security	Reporter:	D'juan McDonald (domhnall) <flopwiki>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	trivial	CC:	java
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.6
Whiteboard:	~2 [ebuild]
Package list:		Runtime testing required:	---
Bug Depends on:	675682
Bug Blocks:

Description D'juan McDonald (domhnall) 2019-01-16 22:16:47 UTC

There are two potential remote code execution (RCE) vulnerabilities in jackson-databind before 2.9.6. Note, this version (2.9.6) ships bundled with pycharm-community-2018.3.3

(https://github.com/FasterXML/jackson-databind/issues/2052):
CVE-2018-12022: Block polymorphic deserialization of types from Jodd-db library

(https://github.com/FasterXML/jackson-databind/issues/2058):
CVE-2018-12023: Block polymorphic deserialization of types from Oracle JDBC driver


Gentoo Security Padawan
(domhnall)

Comment 1 Patrice Clement gentoo-dev

2019-05-12 08:44:48 UTC

Package removed from the Portage tree.

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6599dc1625a0840c6280b60cc6cacf388fc8d049