From 8a48bd3eada094e566d01bb77df5ca523d245c9b Mon Sep 17 00:00:00 2001 From: Moritz Muehlenhoff Date: Mon, 18 Jan 2021 17:20:59 +0100 Subject: more jackson-databind fixes --- data/CVE/list | 36 ++++++++++++++++++++++++------------ 1 file changed, 24 insertions(+), 12 deletions(-) diff --git a/data/CVE/list b/data/CVE/list index 92c3155d9f..61ab7a6d61 100644 --- a/data/CVE/list +++ b/data/CVE/list @@ -5382,54 +5382,61 @@ CVE-2020-36186 (FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the in NOTE: but still an issue when Default Typing is enabled. NOTE: https://github.com/FasterXML/jackson-databind/commit/3e8fa3beea49ea62109df9e643c9cb678dabdde1 CVE-2020-36185 (FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interact ...) - - jackson-databind + - jackson-databind 2.12.1-1 [buster] - jackson-databind (Minor issue) [stretch] - jackson-databind (Minor issue) NOTE: https://github.com/FasterXML/jackson-databind/issues/2998 NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default NOTE: but still an issue when Default Typing is enabled. + NOTE: https://github.com/FasterXML/jackson-databind/commit/567194c53ae91f0a14dc27239afb739b1c10448a CVE-2020-36184 (FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interact ...) - - jackson-databind + - jackson-databind 2.12.1-1 [buster] - jackson-databind (Minor issue) [stretch] - jackson-databind (Minor issue) NOTE: https://github.com/FasterXML/jackson-databind/issues/2998 NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default NOTE: but still an issue when Default Typing is enabled. + NOTE: https://github.com/FasterXML/jackson-databind/commit/567194c53ae91f0a14dc27239afb739b1c10448a CVE-2020-36183 (FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interact ...) - - jackson-databind + - jackson-databind 2.12.1-1 [buster] - jackson-databind (Minor issue) [stretch] - jackson-databind (Minor issue) NOTE: https://github.com/FasterXML/jackson-databind/issues/3003 NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default NOTE: but still an issue when Default Typing is enabled. + NOTE: https://github.com/FasterXML/jackson-databind/commit/1cddeaf9524e903d08a91fdd9f3dde46d2a68536 CVE-2020-36182 (FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interact ...) - - jackson-databind + - jackson-databind 2.12.1-1 [buster] - jackson-databind (Minor issue) [stretch] - jackson-databind (Minor issue) NOTE: https://github.com/FasterXML/jackson-databind/issues/3004 NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default NOTE: but still an issue when Default Typing is enabled. + NOTE: https://github.com/FasterXML/jackson-databind/commit/3ded28aece694d0df39c9f0fa1ff385b14a8656b CVE-2020-36181 (FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interact ...) - - jackson-databind + - jackson-databind 2.12.1-1 [buster] - jackson-databind (Minor issue) [stretch] - jackson-databind (Minor issue) NOTE: https://github.com/FasterXML/jackson-databind/issues/3004 NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default NOTE: but still an issue when Default Typing is enabled. + NOTE: https://github.com/FasterXML/jackson-databind/commit/3ded28aece694d0df39c9f0fa1ff385b14a8656b CVE-2020-36180 (FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interact ...) - - jackson-databind + - jackson-databind 2.12.1-1 [buster] - jackson-databind (Minor issue) [stretch] - jackson-databind (Minor issue) NOTE: https://github.com/FasterXML/jackson-databind/issues/3004 NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default NOTE: but still an issue when Default Typing is enabled. + NOTE: https://github.com/FasterXML/jackson-databind/commit/3ded28aece694d0df39c9f0fa1ff385b14a8656b CVE-2020-36179 (FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interact ...) - - jackson-databind + - jackson-databind 2.12.1-1 [buster] - jackson-databind (Minor issue) [stretch] - jackson-databind (Minor issue) NOTE: https://github.com/FasterXML/jackson-databind/issues/3004 NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default NOTE: but still an issue when Default Typing is enabled. + NOTE: https://github.com/FasterXML/jackson-databind/commit/3ded28aece694d0df39c9f0fa1ff385b14a8656b CVE-2020-36178 (oal_ipt_addBridgeIsolationRules on TP-Link TL-WR840N 6_EU_0.9.1_4.16 d ...) NOT-FOR-US: TP-Link CVE-2021-3029 (** UNSUPPORTED WHEN ASSIGNED ** EVOLUCARE ECSIMAGING (aka ECS Imaging) ...) @@ -9008,12 +9015,13 @@ CVE-2020-35730 (An XSS issue was discovered in Roundcube Webmail before 1.2.13, CVE-2020-35729 (KLog Server 2.4.1 allows OS command injection via shell metacharacters ...) NOT-FOR-US: KLog Server CVE-2020-35728 (FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interact ...) - - jackson-databind + - jackson-databind 2.12.1-1 [buster] - jackson-databind (Minor issue) [stretch] - jackson-databind (Minor issue) NOTE: https://github.com/FasterXML/jackson-databind/issues/2999 NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default NOTE: but still an issue when Default Typing is enabled. + NOTE: https://github.com/FasterXML/jackson-databind/commit/1ca0388c2fb37ac6a06f1c188ae89c41e3e15e84 CVE-2020-35727 (** UNSUPPORTED WHEN ASSIGNED ** Reflected XSS in Quest Policy Authorit ...) NOT-FOR-US: Quest Policy Authority CVE-2020-35726 (** UNSUPPORTED WHEN ASSIGNED ** Reflected XSS in Quest Policy Authorit ...) @@ -12374,19 +12382,21 @@ CVE-2020-35492 [cairo: libreoffice slideshow aborts with stack smashing in cairo NOTE: Additional meson support (test): https://gitlab.freedesktop.org/cairo/cairo/-/commit/0677e0a94968447e132c69f58cb04e5377e0c828 NOTE: https://bugzilla.redhat.com/show_bug.cgi?id=1898396 CVE-2020-35491 (FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interact ...) - - jackson-databind + - jackson-databind 2.12.1-1 [buster] - jackson-databind (Minor issue) [stretch] - jackson-databind (Minor issue) NOTE: https://github.com/FasterXML/jackson-databind/issues/2986 NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default NOTE: but still an issue when Default Typing is enabled. + NOTE: https://github.com/FasterXML/jackson-databind/commit/41b8bdb5ccc1d8edb71acf1c8234da235a24249d CVE-2020-35490 (FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interact ...) - - jackson-databind + - jackson-databind 2.12.1-1 [buster] - jackson-databind (Minor issue) [stretch] - jackson-databind (Minor issue) NOTE: https://github.com/FasterXML/jackson-databind/issues/2986 NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default NOTE: but still an issue when Default Typing is enabled. + NOTE: https://github.com/FasterXML/jackson-databind/commit/41b8bdb5ccc1d8edb71acf1c8234da235a24249d CVE-2020-35489 (The contact-form-7 (aka Contact Form 7) plugin before 5.3.2 for WordPr ...) NOT-FOR-US: contact-form-7 (aka Contact Form 7) plugin for WordPress CVE-2021-20065 @@ -29866,12 +29876,13 @@ CVE-2020-24752 CVE-2020-24751 RESERVED CVE-2020-24750 (FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interact ...) - - jackson-databind + - jackson-databind 2.12.1-1 [buster] - jackson-databind (Minor issue) [stretch] - jackson-databind (Minor issue) NOTE: https://github.com/FasterXML/jackson-databind/issues/2798 NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default NOTE: but still an issue when Default Typing is enabled. + NOTE: https://github.com/FasterXML/jackson-databind/commit/6cc9f1a1af323cd156f5668a47e43bab324ae16f CVE-2020-24749 RESERVED CVE-2020-24748 @@ -30160,12 +30171,13 @@ CVE-2020-24618 (In JetBrains YouTrack versions before 2020.3.4313, 2020.2.11008, CVE-2020-24617 RESERVED CVE-2020-24616 (FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interact ...) - - jackson-databind + - jackson-databind 2.12.1-1 [buster] - jackson-databind (Minor issue) [stretch] - jackson-databind (Minor issue) NOTE: https://github.com/FasterXML/jackson-databind/issues/2814 NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default NOTE: but still an issue when Default Typing is enabled. + NOTE: https://github.com/FasterXML/jackson-databind/commit/3d97153944f7de9c19c1b3637b33d3cf1fbbe4d7 CVE-2020-24615 (Pexip Infinity before 24.1 has Improper Input Validation, leading to t ...) NOT-FOR-US: Pexip Infinity CVE-2020-24613 (wolfSSL before 4.5.0 mishandles TLS 1.3 server data in the WAIT_CERT_C ...) -- cgit v1.2.3