CVE-2019-12086 (https://nvd.nist.gov/vuln/detail/CVE-2019-12086): A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint, the service has the mysql-connector-java jar (8.0.14 or earlier) in the classpath, and an attacker can host a crafted MySQL server reachable by the victim, an attacker can send a crafted JSON message that allows them to read arbitrary local files on the server. This occurs because of missing com.mysql.cj.jdbc.admin.MiniAdmin validation. CVE-2019-12384 (https://nvd.nist.gov/vuln/detail/CVE-2019-12384): FasterXML jackson-databind 2.x before 2.9.9.1 might allow attackers to have a variety of impacts by leveraging failure to block the logback-core class from polymorphic deserialization. Depending on the classpath content, remote code execution may be possible. CVE-2019-12814 (https://nvd.nist.gov/vuln/detail/CVE-2019-12814): A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x through 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has JDOM 1.x or 2.x jar in the classpath, an attacker can send a specifically crafted JSON message that allows them to read arbitrary local files on the server. CVE-2019-14379 (https://nvd.nist.gov/vuln/detail/CVE-2019-14379): SubTypeValidator.java in FasterXML jackson-databind before 2.9.9.2 mishandles default typing when ehcache is used, leading to remote code execution. CVE-2019-14439 (https://nvd.nist.gov/vuln/detail/CVE-2019-14439): A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9.2. This occurs when Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the logback jar in the classpath.
Package has no stable ebuild. Package dev-java/jackson-annotations must be bumped at the same time.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0ffaab87d35f7074a8fe82925f6f730a6aabfbb8 commit 0ffaab87d35f7074a8fe82925f6f730a6aabfbb8 Author: Miroslav Šulc <fordfrog@gentoo.org> AuthorDate: 2019-09-25 17:25:43 +0000 Commit: Miroslav Šulc <fordfrog@gentoo.org> CommitDate: 2019-09-25 17:26:14 +0000 dev-java/jackson-2.8.5: removed obsolete (also cve) Bug: https://bugs.gentoo.org/695532 Package-Manager: Portage-2.3.76, Repoman-2.3.17 Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org> dev-java/jackson/Manifest | 1 - dev-java/jackson/jackson-2.8.5.ebuild | 58 ----------------------------------- 2 files changed, 59 deletions(-) https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0ffc08a8f196ff9600fba4c127804269534a2f55 commit 0ffc08a8f196ff9600fba4c127804269534a2f55 Author: Miroslav Šulc <fordfrog@gentoo.org> AuthorDate: 2019-09-25 17:23:24 +0000 Commit: Miroslav Šulc <fordfrog@gentoo.org> CommitDate: 2019-09-25 17:26:14 +0000 dev-java/jackson-annotations-2.9.10: bump Bug: https://bugs.gentoo.org/695532 Package-Manager: Portage-2.3.76, Repoman-2.3.17 Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org> dev-java/jackson-annotations/Manifest | 1 + .../jackson-annotations-2.9.10.ebuild | 46 ++++++++++++++++++++++ 2 files changed, 47 insertions(+) https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=571aeaecbaf3738fa9204aeb4a34de167da23021 commit 571aeaecbaf3738fa9204aeb4a34de167da23021 Author: Miroslav Šulc <fordfrog@gentoo.org> AuthorDate: 2019-09-25 17:22:46 +0000 Commit: Miroslav Šulc <fordfrog@gentoo.org> CommitDate: 2019-09-25 17:26:14 +0000 dev-java/jackson-2.9.10: bump Bug: https://bugs.gentoo.org/695532 Package-Manager: Portage-2.3.76, Repoman-2.3.17 Signed-off-by: Miroslav Šulc <fordfrog@gentoo.org> dev-java/jackson/Manifest | 1 + dev-java/jackson/jackson-2.9.10.ebuild | 58 ++++++++++++++++++++++++++++++++++ 2 files changed, 59 insertions(+)
Repository is clean, all done!