Block one more gadget type (ehcache, CVE-2019-14379) #2387
Comments
Thank you; I'll have a look later tonight.
This was assigned CVE-2019-14379
@cowtowncoder CVE lists 2.9.9.2 as fixing, 2.9.9.1 as affected... would this also affect 2.7.9.5 and 2.8.11.3, with 2.7.9.6 and 2.8.11.4 as fixing versions?
@jdelta-RBS correct, I backported this to 2.7 and 2.8, released one last micro-patch (will now close those branches). Will add a note on description here.
Avoids CVE-2019-14379 FasterXML/jackson-databind#2387 Avoids CVE-2019-14439 FasterXML/jackson-databind#2389 Signed-off-by: Ben Cox <1038350+ind1go@users.noreply.github.com>
Updated jackson-databind version to 2.9.9.2 which contains fix for: - [CVE-2019-14379](FasterXML/jackson-databind#2387) - [CVE-2019-14361 / CVE-2019-14439](FasterXML/jackson-databind#2389)
See FasterXML/jackson-databind#2387 for details. Change-Id: I3a8a416bba7e72861512531a3a83d818daf6fd5f Signed-off-by: Stephen Kitt <skitt@redhat.com> Signed-off-by: Robert Varga <robert.varga@pantheon.tech>
the updated bom bumps jackson-databind from 2.9.9 -> 2.9.9.3 see FasterXML/jackson-databind#2387
…nerabilities FasterXML/jackson-databind#2326: Block class for CVE-2019-12086 FasterXML/jackson-databind#2334: Block class for CVE-2019-12384 FasterXML/jackson-databind#2341: Block class for CVE-2019-12814 FasterXML/jackson-databind#2387: Block class for CVE-2019-14379 FasterXML/jackson-databind#2389: Block class for CVE-2019-14439
Another gadget type was reported, involving a class from the ehcache package.
See https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 for description of the general problem.
Fixed in: