-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 - ------------------------------------------------------------------------- Debian Security Advisory DSA-4542-1 security@debian.org https://www.debian.org/security/ Sebastien Delafond October 06, 2019 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : jackson-databind CVE ID : CVE-2019-12384 CVE-2019-14439 CVE-2019-14540 CVE-2019-16335 CVE-2019-16942 CVE-2019-16943 Debian Bug : 941530 940498 933393 930750 It was discovered that jackson-databind, a Java library used to parse JSON and other data formats, did not properly validate user input before attempting deserialization. This allowed an attacker providing maliciously crafted input to perform code execution, or read arbitrary files on the server. For the oldstable distribution (stretch), these problems have been fixed in version 2.8.6-1+deb9u6. For the stable distribution (buster), these problems have been fixed in version 2.9.8-3+deb10u1. We recommend that you upgrade your jackson-databind packages. For the detailed security status of jackson-databind please refer to its security tracker page at: https://security-tracker.debian.org/tracker/jackson-databind Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE----- iQEzBAEBCgAdFiEEAqSkbVtrXP4xJMh3EL6Jg/PVnWQFAl2ZpPgACgkQEL6Jg/PV nWTg1QgArRk3fUf/k14rPha6GlJnWtRu2tZli07NzxtebAI2Ra8vKHkv1F3xSBjx tnauaRmJXonoU7t1TU51O/F7xkxX10NXym3YyrJ4+5ac6OtGmstSkMW1CmEiS8Z7 RaQQqY8GTJe5VTjiPon+lvdxyoFIDbp3nUGj8sshrULtKQX3Bjc9dotXyu0M3/7o QjsFAOLpytx/nMS1O93rqHuO381plbaAi5EYgAPv737tV8lVH3li56FYTKRMVjEg BkBpkaDGWhqoYvTu4WviyCyon0V5PgtHuD8SkN/39QqiYoDCzfa0xPjZ3a44G0kR C6qF8E4WIw465wLrRLCuuybG6/ZrzA== =Gifd -----END PGP SIGNATURE-----