jackson-databind || Debian Security Advisory || identified as unsafe for de-serialization.

asurajpai
Participant V

Hi,

Bringing to your kind notice on a Debian Security Advisory notification:

Package : jackson-databind

As per the notification Details:
-------------------------------------------------------------------------
Debian Security Advisory DSA-4037-1 security@debian.org
https://www.debian.org/security/ Sebastien Delafond
November 16, 2017 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : jackson-databind
CVE ID : CVE-2017-15095

It was discovered that jackson-databind, a Java library used to parse JSON and other data formats, improperly validated user input prior to deserializing: following DSA-4004-1 for CVE-2017-7525, an additional set of classes was identified as unsafe for deserialization.
For the old stable distribution (jessie), this problem has been fixed in version 2.4.2-2+deb8u2.
For the stable distribution (stretch), this problem has been fixed in version 2.8.6-1+deb9u2.

We recommend that you upgrade your jackson-databind packages.

BR, Suraj

0 3 340
3 REPLIES 3

asurajpai
Participant V

jackson-databind-2.7.3.jar would also have the security vulnerability. Can you please check and confirm the impact?

yes, thanks. Will check.

@Dino

Also can you please let know the Jackson-databind group Id?

Is it com.fasterxml.jackson.core, org.jenkins-ci.plugins, Debian or is it something else?