Track fixes for jackson-databind in 10.5

author: Salvatore Bonaccorso <carnil@debian.org> 2020-07-31 17:19:58 +0200
committer: Salvatore Bonaccorso <carnil@debian.org> 2020-07-31 17:19:58 +0200
commit: 42730fd37c0bbf666ffbb3adcd6e7d14d4b6b51a (patch)
tree: a5fb50961371814c5c7cdc5dce36f9e89651f9f5 /data
parent: e6b17982a5cdacf2d64c37cc842348a1aa089f05 (diff)
2 files changed, 20 insertions, 60 deletions
diff --git a/data/CVE/list b/data/CVE/list
index 39b248da4b..d58455ef9f 100644
--- a/data/CVE/list
+++ b/data/CVE/list
@@ -4911,7 +4911,7 @@ CVE-2020-14196 (In PowerDNS Recursor versions up to and including 4.3.1, 4.2.2 a
 CVE-2020-14195 (FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interact ...)
 	{DLA-2270-1}
 	- jackson-databind 2.11.1-1
-	[buster] - jackson-databind <no-dsa> (Minor issue; can be fixed via a point release)
+	[buster] - jackson-databind 2.9.8-3+deb10u2
 	[stretch] - jackson-databind 2.8.6-1+deb9u7
 	NOTE: https://github.com/FasterXML/jackson-databind/issues/2765
 	NOTE: https://github.com/FasterXML/jackson-databind/commit/f6d9c664f6d481703138319f6a0f1fdbddb3a259
@@ -5246,7 +5246,7 @@ CVE-2020-14063 (A stored Cross-Site Scripting (XSS) vulnerability in the TC Cust
 CVE-2020-14062 (FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interact ...)
 	{DLA-2270-1}
 	- jackson-databind 2.11.1-1
-	[buster] - jackson-databind <no-dsa> (Minor issue; can be fixed via a point release)
+	[buster] - jackson-databind 2.9.8-3+deb10u2
 	[stretch] - jackson-databind 2.8.6-1+deb9u7
 	NOTE: https://github.com/FasterXML/jackson-databind/issues/2704
 	NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default
@@ -5254,7 +5254,7 @@ CVE-2020-14062 (FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the in
 CVE-2020-14061 (FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interact ...)
 	{DLA-2270-1}
 	- jackson-databind 2.11.1-1
-	[buster] - jackson-databind <no-dsa> (Minor issue; can be fixed via a point release)
+	[buster] - jackson-databind 2.9.8-3+deb10u2
 	[stretch] - jackson-databind 2.8.6-1+deb9u7
 	NOTE: https://github.com/FasterXML/jackson-databind/issues/2698
 	NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default
@@ -5262,7 +5262,7 @@ CVE-2020-14061 (FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the in
 CVE-2020-14060 (FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interact ...)
 	{DLA-2270-1}
 	- jackson-databind 2.11.1-1
-	[buster] - jackson-databind <no-dsa> (Minor issue; can be fixed via a point release)
+	[buster] - jackson-databind 2.9.8-3+deb10u2
 	[stretch] - jackson-databind 2.8.6-1+deb9u7
 	NOTE: https://github.com/FasterXML/jackson-databind/issues/2688
 	NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default
@@ -12292,7 +12292,7 @@ CVE-2020-11621
 CVE-2020-11620 (FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interact ...)
 	{DLA-2179-1}
 	- jackson-databind 2.11.1-1
-	[buster] - jackson-databind <no-dsa> (Minor issue; can be fixed via a point release)
+	[buster] - jackson-databind 2.9.8-3+deb10u2
 	[stretch] - jackson-databind 2.8.6-1+deb9u7
 	NOTE: https://github.com/FasterXML/jackson-databind/issues/2682
 	NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default
@@ -12300,7 +12300,7 @@ CVE-2020-11620 (FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the in
 CVE-2020-11619 (FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interact ...)
 	{DLA-2179-1}
 	- jackson-databind 2.11.1-1
-	[buster] - jackson-databind <no-dsa> (Minor issue; can be fixed via a point release)
+	[buster] - jackson-databind 2.9.8-3+deb10u2
 	[stretch] - jackson-databind 2.8.6-1+deb9u7
 	NOTE: https://github.com/FasterXML/jackson-databind/issues/2680
 	NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default
@@ -13677,7 +13677,7 @@ CVE-2020-5291 (Bubblewrap (bwrap) before version 0.4.1, if installed in setuid m
 CVE-2020-11113 (FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interact ...)
 	{DLA-2179-1}
 	- jackson-databind 2.11.1-1
-	[buster] - jackson-databind <no-dsa> (Minor issue; can be fixed via a point release)
+	[buster] - jackson-databind 2.9.8-3+deb10u2
 	[stretch] - jackson-databind 2.8.6-1+deb9u7
 	NOTE: https://github.com/FasterXML/jackson-databind/issues/2670
 	NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default
@@ -13685,7 +13685,7 @@ CVE-2020-11113 (FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the in
 CVE-2020-11112 (FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interact ...)
 	{DLA-2179-1}
 	- jackson-databind 2.11.1-1
-	[buster] - jackson-databind <no-dsa> (Minor issue; can be fixed via a point release)
+	[buster] - jackson-databind 2.9.8-3+deb10u2
 	[stretch] - jackson-databind 2.8.6-1+deb9u7
 	NOTE: https://github.com/FasterXML/jackson-databind/issues/2666
 	NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default
@@ -13693,7 +13693,7 @@ CVE-2020-11112 (FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the in
 CVE-2020-11111 (FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interact ...)
 	{DLA-2179-1}
 	- jackson-databind 2.11.1-1
-	[buster] - jackson-databind <no-dsa> (Minor issue; can be fixed via a point release)
+	[buster] - jackson-databind 2.9.8-3+deb10u2
 	[stretch] - jackson-databind 2.8.6-1+deb9u7
 	NOTE: https://github.com/FasterXML/jackson-databind/issues/2664
 	NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default
@@ -14247,7 +14247,7 @@ CVE-2020-10970
 CVE-2020-10969 (FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interact ...)
 	{DLA-2179-1}
 	- jackson-databind 2.11.1-1
-	[buster] - jackson-databind <no-dsa> (Minor issue; can be fixed via a point release)
+	[buster] - jackson-databind 2.9.8-3+deb10u2
 	[stretch] - jackson-databind 2.8.6-1+deb9u7
 	NOTE: https://github.com/FasterXML/jackson-databind/issues/2642
 	NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default
@@ -14255,7 +14255,7 @@ CVE-2020-10969 (FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the in
 CVE-2020-10968 (FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interact ...)
 	{DLA-2179-1}
 	- jackson-databind 2.11.1-1
-	[buster] - jackson-databind <no-dsa> (Minor issue; can be fixed via a point release)
+	[buster] - jackson-databind 2.9.8-3+deb10u2
 	[stretch] - jackson-databind 2.8.6-1+deb9u7
 	NOTE: https://github.com/FasterXML/jackson-databind/issues/2662
 	NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default
@@ -15408,7 +15408,7 @@ CVE-2020-10675 (The Library API in buger jsonparser through 2019-12-04 allows at
 CVE-2020-10673 (FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interact ...)
 	{DLA-2153-1}
 	- jackson-databind 2.11.1-1
-	[buster] - jackson-databind <no-dsa> (Minor issue; can be fixed via a point release)
+	[buster] - jackson-databind 2.9.8-3+deb10u2
 	[stretch] - jackson-databind 2.8.6-1+deb9u7
 	NOTE: https://github.com/FasterXML/jackson-databind/issues/2660
 	NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default
@@ -15416,7 +15416,7 @@ CVE-2020-10673 (FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the in
 CVE-2020-10672 (FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interact ...)
 	{DLA-2153-1}
 	- jackson-databind 2.11.1-1
-	[buster] - jackson-databind <no-dsa> (Minor issue; can be fixed via a point release)
+	[buster] - jackson-databind 2.9.8-3+deb10u2
 	[stretch] - jackson-databind 2.8.6-1+deb9u7
 	NOTE: https://github.com/FasterXML/jackson-databind/issues/2659
 	NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default
@@ -18018,7 +18018,7 @@ CVE-2020-9549 (In PDFResurrect 0.12 through 0.19, get_type in pdf.c has an out-o
 CVE-2020-9548 (FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interact ...)
 	{DLA-2135-1}
 	- jackson-databind 2.11.1-1
-	[buster] - jackson-databind <no-dsa> (Minor issue; can be fixed via a point release)
+	[buster] - jackson-databind 2.9.8-3+deb10u2
 	[stretch] - jackson-databind 2.8.6-1+deb9u7
 	NOTE: https://github.com/FasterXML/jackson-databind/issues/2634
 	NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default
@@ -18026,7 +18026,7 @@ CVE-2020-9548 (FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the int
 CVE-2020-9547 (FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interact ...)
 	{DLA-2135-1}
 	- jackson-databind 2.11.1-1
-	[buster] - jackson-databind <no-dsa> (Minor issue; can be fixed via a point release)
+	[buster] - jackson-databind 2.9.8-3+deb10u2
 	[stretch] - jackson-databind 2.8.6-1+deb9u7
 	NOTE: https://github.com/FasterXML/jackson-databind/issues/2634
 	NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default
@@ -18034,7 +18034,7 @@ CVE-2020-9547 (FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the int
 CVE-2020-9546 (FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interact ...)
 	{DLA-2135-1}
 	- jackson-databind 2.11.1-1
-	[buster] - jackson-databind <no-dsa> (Minor issue; can be fixed via a point release)
+	[buster] - jackson-databind 2.9.8-3+deb10u2
 	[stretch] - jackson-databind 2.8.6-1+deb9u7
 	NOTE: https://github.com/FasterXML/jackson-databind/issues/2631
 	NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default
@@ -19742,7 +19742,7 @@ CVE-2020-8841 (An issue was discovered in TestLink 1.9.19. The relation_type par
 CVE-2020-8840 (FasterXML jackson-databind 2.0.0 through 2.9.10.2 lacks certain xbean- ...)
 	{DLA-2111-1}
 	- jackson-databind 2.11.1-1
-	[buster] - jackson-databind <no-dsa> (Minor issue; can be fixed via a point release)
+	[buster] - jackson-databind 2.9.8-3+deb10u2
 	[stretch] - jackson-databind 2.8.6-1+deb9u7
 	NOTE: https://github.com/FasterXML/jackson-databind/issues/2620
 	NOTE: https://github.com/FasterXML/jackson-databind/commit/914e7c9f2cb8ce66724bf26a72adc7e958992497
@@ -28692,7 +28692,7 @@ CVE-2020-5201
 CVE-2019-20330 (FasterXML jackson-databind 2.x before 2.9.10.2 lacks certain net.sf.eh ...)
 	{DLA-2111-1}
 	- jackson-databind 2.10.1-1
-	[buster] - jackson-databind <no-dsa> (Minor issue; can be fixed via a point release)
+	[buster] - jackson-databind 2.9.8-3+deb10u2
 	[stretch] - jackson-databind 2.8.6-1+deb9u7
 	NOTE: https://github.com/FasterXML/jackson-databind/issues/2526
 	NOTE: https://github.com/FasterXML/jackson-databind/commit/fc4214a883dc087070f25da738ef0d49c2f3387e
@@ -47103,7 +47103,7 @@ CVE-2019-17532 (An issue was discovered on Belkin Wemo Switch 28B WW_2.00.11057.
 CVE-2019-17531 (A Polymorphic Typing issue was discovered in FasterXML jackson-databin ...)
 	{DLA-2030-1}
 	- jackson-databind 2.10.1-1
-	[buster] - jackson-databind <no-dsa> (Minor issue; can be fixed via a point release)
+	[buster] - jackson-databind 2.9.8-3+deb10u2
 	[stretch] - jackson-databind 2.8.6-1+deb9u7
 	NOTE: https://github.com/FasterXML/jackson-databind/issues/2498
 	NOTE: https://github.com/FasterXML/jackson-databind/commit/b5a304a98590b6bb766134f9261e6566dcbbb6d0
@@ -47787,7 +47787,7 @@ CVE-2019-17268 (The omniauth-weibo-oauth2 gem 0.4.6 for Ruby, as distributed on
 CVE-2019-17267 (A Polymorphic Typing issue was discovered in FasterXML jackson-databin ...)
 	{DLA-2030-1}
 	- jackson-databind 2.10.0-1
-	[buster] - jackson-databind <no-dsa> (Minor issue; can be fixed via a point release)
+	[buster] - jackson-databind 2.9.8-3+deb10u2
 	[stretch] - jackson-databind 2.8.6-1+deb9u7
 	NOTE: https://github.com/FasterXML/jackson-databind/issues/2460
 	NOTE: https://github.com/FasterXML/jackson-databind/commit/191a4cdf87b56d2ddddb77edd895ee756b7f75eb
diff --git a/data/next-point-update.txt b/data/next-point-update.txt
index d1e296b698..7ea52a798e 100644
--- a/data/next-point-update.txt
+++ b/data/next-point-update.txt
@@ -1,43 +1,3 @@
-CVE-2020-9548
-	[buster] - jackson-databind 2.9.8-3+deb10u2
-CVE-2020-9547
-	[buster] - jackson-databind 2.9.8-3+deb10u2
-CVE-2020-9546
-	[buster] - jackson-databind 2.9.8-3+deb10u2
-CVE-2020-8840
-	[buster] - jackson-databind 2.9.8-3+deb10u2
-CVE-2020-14195
-	[buster] - jackson-databind 2.9.8-3+deb10u2
-CVE-2020-14062
-	[buster] - jackson-databind 2.9.8-3+deb10u2
-CVE-2020-14061
-	[buster] - jackson-databind 2.9.8-3+deb10u2
-CVE-2020-14060
-	[buster] - jackson-databind 2.9.8-3+deb10u2
-CVE-2020-11620
-	[buster] - jackson-databind 2.9.8-3+deb10u2
-CVE-2020-11619
-	[buster] - jackson-databind 2.9.8-3+deb10u2
-CVE-2020-11113
-	[buster] - jackson-databind 2.9.8-3+deb10u2
-CVE-2020-11112
-	[buster] - jackson-databind 2.9.8-3+deb10u2
-CVE-2020-11111
-	[buster] - jackson-databind 2.9.8-3+deb10u2
-CVE-2020-10969
-	[buster] - jackson-databind 2.9.8-3+deb10u2
-CVE-2020-10968
-	[buster] - jackson-databind 2.9.8-3+deb10u2
-CVE-2020-10673
-	[buster] - jackson-databind 2.9.8-3+deb10u2
-CVE-2020-10672
-	[buster] - jackson-databind 2.9.8-3+deb10u2
-CVE-2019-20330
-	[buster] - jackson-databind 2.9.8-3+deb10u2
-CVE-2019-17531
-	[buster] - jackson-databind 2.9.8-3+deb10u2
-CVE-2019-17267
-	[buster] - jackson-databind 2.9.8-3+deb10u2
 CVE-2019-17566
 	[buster] - batik 1.10-2+deb10u1
 CVE-2015-9542
author	Salvatore Bonaccorso <carnil@debian.org>	2020-07-31 17:19:58 +0200
committer	Salvatore Bonaccorso <carnil@debian.org>	2020-07-31 17:19:58 +0200
commit	42730fd37c0bbf666ffbb3adcd6e7d14d4b6b51a (patch)
tree	a5fb50961371814c5c7cdc5dce36f9e89651f9f5 /data
parent	e6b17982a5cdacf2d64c37cc842348a1aa089f05 (diff)