From 42730fd37c0bbf666ffbb3adcd6e7d14d4b6b51a Mon Sep 17 00:00:00 2001 From: Salvatore Bonaccorso Date: Fri, 31 Jul 2020 17:19:58 +0200 Subject: Track fixes for jackson-databind in 10.5 --- data/CVE/list | 40 ++++++++++++++++++++-------------------- data/next-point-update.txt | 40 ---------------------------------------- 2 files changed, 20 insertions(+), 60 deletions(-) (limited to 'data') diff --git a/data/CVE/list b/data/CVE/list index 39b248da4b..d58455ef9f 100644 --- a/data/CVE/list +++ b/data/CVE/list @@ -4911,7 +4911,7 @@ CVE-2020-14196 (In PowerDNS Recursor versions up to and including 4.3.1, 4.2.2 a CVE-2020-14195 (FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interact ...) {DLA-2270-1} - jackson-databind 2.11.1-1 - [buster] - jackson-databind (Minor issue; can be fixed via a point release) + [buster] - jackson-databind 2.9.8-3+deb10u2 [stretch] - jackson-databind 2.8.6-1+deb9u7 NOTE: https://github.com/FasterXML/jackson-databind/issues/2765 NOTE: https://github.com/FasterXML/jackson-databind/commit/f6d9c664f6d481703138319f6a0f1fdbddb3a259 @@ -5246,7 +5246,7 @@ CVE-2020-14063 (A stored Cross-Site Scripting (XSS) vulnerability in the TC Cust CVE-2020-14062 (FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interact ...) {DLA-2270-1} - jackson-databind 2.11.1-1 - [buster] - jackson-databind (Minor issue; can be fixed via a point release) + [buster] - jackson-databind 2.9.8-3+deb10u2 [stretch] - jackson-databind 2.8.6-1+deb9u7 NOTE: https://github.com/FasterXML/jackson-databind/issues/2704 NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default 
@@ -5254,7 +5254,7 @@ CVE-2020-14062 (FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the in CVE-2020-14061 (FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interact ...) {DLA-2270-1} - jackson-databind 2.11.1-1 - [buster] - jackson-databind (Minor issue; can be fixed via a point release) + [buster] - jackson-databind 2.9.8-3+deb10u2 [stretch] - jackson-databind 2.8.6-1+deb9u7 NOTE: https://github.com/FasterXML/jackson-databind/issues/2698 NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default @@ -5262,7 +5262,7 @@ CVE-2020-14061 (FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the in CVE-2020-14060 (FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interact ...) {DLA-2270-1} - jackson-databind 2.11.1-1 - [buster] - jackson-databind (Minor issue; can be fixed via a point release) + [buster] - jackson-databind 2.9.8-3+deb10u2 [stretch] - jackson-databind 2.8.6-1+deb9u7 NOTE: https://github.com/FasterXML/jackson-databind/issues/2688 NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default @@ -12292,7 +12292,7 @@ CVE-2020-11621 CVE-2020-11620 (FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interact ...) {DLA-2179-1} - jackson-databind 2.11.1-1 - [buster] - jackson-databind (Minor issue; can be fixed via a point release) + [buster] - jackson-databind 2.9.8-3+deb10u2 [stretch] - jackson-databind 2.8.6-1+deb9u7 NOTE: https://github.com/FasterXML/jackson-databind/issues/2682 NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default 
@@ -12300,7 +12300,7 @@ CVE-2020-11620 (FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the in CVE-2020-11619 (FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interact ...) {DLA-2179-1} - jackson-databind 2.11.1-1 - [buster] - jackson-databind (Minor issue; can be fixed via a point release) + [buster] - jackson-databind 2.9.8-3+deb10u2 [stretch] - jackson-databind 2.8.6-1+deb9u7 NOTE: https://github.com/FasterXML/jackson-databind/issues/2680 NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default @@ -13677,7 +13677,7 @@ CVE-2020-5291 (Bubblewrap (bwrap) before version 0.4.1, if installed in setuid m CVE-2020-11113 (FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interact ...) {DLA-2179-1} - jackson-databind 2.11.1-1 - [buster] - jackson-databind (Minor issue; can be fixed via a point release) + [buster] - jackson-databind 2.9.8-3+deb10u2 [stretch] - jackson-databind 2.8.6-1+deb9u7 NOTE: https://github.com/FasterXML/jackson-databind/issues/2670 NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default @@ -13685,7 +13685,7 @@ CVE-2020-11113 (FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the in CVE-2020-11112 (FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interact ...) {DLA-2179-1} - jackson-databind 2.11.1-1 - [buster] - jackson-databind (Minor issue; can be fixed via a point release) + [buster] - jackson-databind 2.9.8-3+deb10u2 [stretch] - jackson-databind 2.8.6-1+deb9u7 NOTE: https://github.com/FasterXML/jackson-databind/issues/2666 NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default 
@@ -13693,7 +13693,7 @@ CVE-2020-11112 (FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the in CVE-2020-11111 (FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interact ...) {DLA-2179-1} - jackson-databind 2.11.1-1 - [buster] - jackson-databind (Minor issue; can be fixed via a point release) + [buster] - jackson-databind 2.9.8-3+deb10u2 [stretch] - jackson-databind 2.8.6-1+deb9u7 NOTE: https://github.com/FasterXML/jackson-databind/issues/2664 NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default @@ -14247,7 +14247,7 @@ CVE-2020-10970 CVE-2020-10969 (FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interact ...) {DLA-2179-1} - jackson-databind 2.11.1-1 - [buster] - jackson-databind (Minor issue; can be fixed via a point release) + [buster] - jackson-databind 2.9.8-3+deb10u2 [stretch] - jackson-databind 2.8.6-1+deb9u7 NOTE: https://github.com/FasterXML/jackson-databind/issues/2642 NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default @@ -14255,7 +14255,7 @@ CVE-2020-10969 (FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the in CVE-2020-10968 (FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interact ...) {DLA-2179-1} - jackson-databind 2.11.1-1 - [buster] - jackson-databind (Minor issue; can be fixed via a point release) + [buster] - jackson-databind 2.9.8-3+deb10u2 [stretch] - jackson-databind 2.8.6-1+deb9u7 NOTE: https://github.com/FasterXML/jackson-databind/issues/2662 NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default 
@@ -15408,7 +15408,7 @@ CVE-2020-10675 (The Library API in buger jsonparser through 2019-12-04 allows at CVE-2020-10673 (FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interact ...) {DLA-2153-1} - jackson-databind 2.11.1-1 - [buster] - jackson-databind (Minor issue; can be fixed via a point release) + [buster] - jackson-databind 2.9.8-3+deb10u2 [stretch] - jackson-databind 2.8.6-1+deb9u7 NOTE: https://github.com/FasterXML/jackson-databind/issues/2660 NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default @@ -15416,7 +15416,7 @@ CVE-2020-10673 (FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the in CVE-2020-10672 (FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interact ...) {DLA-2153-1} - jackson-databind 2.11.1-1 - [buster] - jackson-databind (Minor issue; can be fixed via a point release) + [buster] - jackson-databind 2.9.8-3+deb10u2 [stretch] - jackson-databind 2.8.6-1+deb9u7 NOTE: https://github.com/FasterXML/jackson-databind/issues/2659 NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default @@ -18018,7 +18018,7 @@ CVE-2020-9549 (In PDFResurrect 0.12 through 0.19, get_type in pdf.c has an out-o CVE-2020-9548 (FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interact ...) {DLA-2135-1} - jackson-databind 2.11.1-1 - [buster] - jackson-databind (Minor issue; can be fixed via a point release) + [buster] - jackson-databind 2.9.8-3+deb10u2 [stretch] - jackson-databind 2.8.6-1+deb9u7 NOTE: https://github.com/FasterXML/jackson-databind/issues/2634 NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default 
@@ -18026,7 +18026,7 @@ CVE-2020-9548 (FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the int CVE-2020-9547 (FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interact ...) {DLA-2135-1} - jackson-databind 2.11.1-1 - [buster] - jackson-databind (Minor issue; can be fixed via a point release) + [buster] - jackson-databind 2.9.8-3+deb10u2 [stretch] - jackson-databind 2.8.6-1+deb9u7 NOTE: https://github.com/FasterXML/jackson-databind/issues/2634 NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default @@ -18034,7 +18034,7 @@ CVE-2020-9547 (FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the int CVE-2020-9546 (FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interact ...) {DLA-2135-1} - jackson-databind 2.11.1-1 - [buster] - jackson-databind (Minor issue; can be fixed via a point release) + [buster] - jackson-databind 2.9.8-3+deb10u2 [stretch] - jackson-databind 2.8.6-1+deb9u7 NOTE: https://github.com/FasterXML/jackson-databind/issues/2631 NOTE: Starting from 2.10 series mitigated as Safe Default Typing is enabled by default @@ -19742,7 +19742,7 @@ CVE-2020-8841 (An issue was discovered in TestLink 1.9.19. The relation_type par CVE-2020-8840 (FasterXML jackson-databind 2.0.0 through 2.9.10.2 lacks certain xbean- ...) {DLA-2111-1} - jackson-databind 2.11.1-1 - [buster] - jackson-databind (Minor issue; can be fixed via a point release) + [buster] - jackson-databind 2.9.8-3+deb10u2 [stretch] - jackson-databind 2.8.6-1+deb9u7 NOTE: https://github.com/FasterXML/jackson-databind/issues/2620 NOTE: https://github.com/FasterXML/jackson-databind/commit/914e7c9f2cb8ce66724bf26a72adc7e958992497 
@@ -28692,7 +28692,7 @@ CVE-2020-5201 CVE-2019-20330 (FasterXML jackson-databind 2.x before 2.9.10.2 lacks certain net.sf.eh ...) {DLA-2111-1} - jackson-databind 2.10.1-1 - [buster] - jackson-databind (Minor issue; can be fixed via a point release) + [buster] - jackson-databind 2.9.8-3+deb10u2 [stretch] - jackson-databind 2.8.6-1+deb9u7 NOTE: https://github.com/FasterXML/jackson-databind/issues/2526 NOTE: https://github.com/FasterXML/jackson-databind/commit/fc4214a883dc087070f25da738ef0d49c2f3387e @@ -47103,7 +47103,7 @@ CVE-2019-17532 (An issue was discovered on Belkin Wemo Switch 28B WW_2.00.11057. CVE-2019-17531 (A Polymorphic Typing issue was discovered in FasterXML jackson-databin ...) {DLA-2030-1} - jackson-databind 2.10.1-1 - [buster] - jackson-databind (Minor issue; can be fixed via a point release) + [buster] - jackson-databind 2.9.8-3+deb10u2 [stretch] - jackson-databind 2.8.6-1+deb9u7 NOTE: https://github.com/FasterXML/jackson-databind/issues/2498 NOTE: https://github.com/FasterXML/jackson-databind/commit/b5a304a98590b6bb766134f9261e6566dcbbb6d0 @@ -47787,7 +47787,7 @@ CVE-2019-17268 (The omniauth-weibo-oauth2 gem 0.4.6 for Ruby, as distributed on CVE-2019-17267 (A Polymorphic Typing issue was discovered in FasterXML jackson-databin ...) {DLA-2030-1} - jackson-databind 2.10.0-1 - [buster] - jackson-databind (Minor issue; can be fixed via a point release) + [buster] - jackson-databind 2.9.8-3+deb10u2 [stretch] - jackson-databind 2.8.6-1+deb9u7 NOTE: https://github.com/FasterXML/jackson-databind/issues/2460 NOTE: https://github.com/FasterXML/jackson-databind/commit/191a4cdf87b56d2ddddb77edd895ee756b7f75eb diff --git a/data/next-point-update.txt b/data/next-point-update.txt index d1e296b698..7ea52a798e 100644 --- a/data/next-point-update.txt +++ b/data/next-point-update.txt 
@@ -1,43 +1,3 @@ -CVE-2020-9548 - [buster] - jackson-databind 2.9.8-3+deb10u2 -CVE-2020-9547 - [buster] - jackson-databind 2.9.8-3+deb10u2 -CVE-2020-9546 - [buster] - jackson-databind 2.9.8-3+deb10u2 -CVE-2020-8840 - [buster] - jackson-databind 2.9.8-3+deb10u2 -CVE-2020-14195 - [buster] - jackson-databind 2.9.8-3+deb10u2 -CVE-2020-14062 - [buster] - jackson-databind 2.9.8-3+deb10u2 -CVE-2020-14061 - [buster] - jackson-databind 2.9.8-3+deb10u2 -CVE-2020-14060 - [buster] - jackson-databind 2.9.8-3+deb10u2 -CVE-2020-11620 - [buster] - jackson-databind 2.9.8-3+deb10u2 -CVE-2020-11619 - [buster] - jackson-databind 2.9.8-3+deb10u2 -CVE-2020-11113 - [buster] - jackson-databind 2.9.8-3+deb10u2 -CVE-2020-11112 - [buster] - jackson-databind 2.9.8-3+deb10u2 -CVE-2020-11111 - [buster] - jackson-databind 2.9.8-3+deb10u2 -CVE-2020-10969 - [buster] - jackson-databind 2.9.8-3+deb10u2 -CVE-2020-10968 - [buster] - jackson-databind 2.9.8-3+deb10u2 -CVE-2020-10673 - [buster] - jackson-databind 2.9.8-3+deb10u2 -CVE-2020-10672 - [buster] - jackson-databind 2.9.8-3+deb10u2 -CVE-2019-20330 - [buster] - jackson-databind 2.9.8-3+deb10u2 -CVE-2019-17531 - [buster] - jackson-databind 2.9.8-3+deb10u2 -CVE-2019-17267 - [buster] - jackson-databind 2.9.8-3+deb10u2 CVE-2019-17566 [buster] - batik 1.10-2+deb10u1 CVE-2015-9542 -- cgit v1.2.3
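Review bot: In the data/CVE/list hunks, every one of the 20 [buster] lines receives the same fixed version, 2.9.8-3+deb10u2, while the CVE descriptions in the context lines name different upstream fix points (before 2.9.10.2, before 2.9.10.4, before 2.9.10.5). A single backporting upload can cover all of them, but nothing visible in the patch shows that it does. Before merging, check each CVE id against the changelog of that upload, since a [buster] line that carries a fixed version marks the entry as resolved in the tracker even if the backport for it was missed.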
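Review bot: The data/next-point-update.txt hunk deletes the only record that these fixes were pending for a point release, and the commit has no body, so the link between 2.9.8-3+deb10u2 and the 10.5 release rests on the subject line alone. A one-line body naming the release or the upload would keep that trail searchable. The removal itself is consistent with the rest of the patch: the 20 CVE ids dropped here match the 20 [buster] lines updated in data/CVE/list one for one, and the totals agree with the diffstat (20 insertions, 60 deletions).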