Security vulnerability DSA-4004-1 for CVE-2017-7525, in which release is it fixed #1837

Closed
appDeveloper888 opened this issue Nov 23, 2017 · 6 comments


@appDeveloper888

Hi,

Which release of fasterxml.jackson-databind has fixed the following security vulnerability?

Best regards

Details:

Debian Security Advisory DSA-4037-1 security@debian.org
https://www.debian.org/security/ Sebastien Delafond
November 16, 2017 https://www.debian.org/security/faq

Package : jackson-databind
CVE ID : CVE-2017-15095

It was discovered that jackson-databind, a Java library used to parse JSON and other data formats, improperly validated user input prior to deserializing: following DSA-4004-1 for CVE-2017-7525, an additional set of classes was identified as unsafe for deserialization.
For the old stable distribution (jessie), this problem has been fixed in version 2.4.2-2+deb8u2.
For the stable distribution (stretch), this problem has been fixed in version 2.8.6-1+deb9u2.

@cowtowncoder
Member

cowtowncoder commented Nov 25, 2017

Please have a look at issue #1599, if that might be what you are looking for.

I think for the 2.8 branch it would be 2.8.9 (although it is recommended to use the latest patch available, 2.8.10). All 2.9 versions have the fix; 2.9.2 being recommended since it is the most recent patch available for that branch.

cmark added a commit to b2ihealthcare/snow-owl that referenced this issue Dec 12, 2017
Fixes the following security issue:
FasterXML/jackson-databind#1599
FasterXML/jackson-databind#1837

Also include other jackson libraries in the target platform instead of
embedding them via Bundle-ClassPath.
@DKumars

DKumars commented Jan 31, 2018

Hi,
Is this fix available on 2.6.7.1? Please confirm, as we are using an old version.

@cowtowncoder
Member

cowtowncoder commented Jan 31, 2018

@DKumars As per other issue, upgrade to a later version (2.8.11 or 2.9.4). Project does not have resources to backport fixes to older, closed branches.

@poverma

poverma commented Feb 7, 2018

Tried with jackson-databind version 2.9.4; for that, upgraded the Scala minor version to 11, but there is a dependency issue.

What we changed:

```
jackson:[[group: 'com.fasterxml.jackson.core', name:'jackson-core', version:'2.9.4'],
[group:'com.fasterxml.jackson.core', name:'jackson-annotations', version:'2.9.4'],
[group:'com.fasterxml.jackson.jaxrs', name:'jackson-jaxrs-json-provider', version:'2.9.4'],
[group:'com.fasterxml.jackson.jaxrs', name:'jackson-jaxrs-base', version:'2.9.4'],
[group:'com.fasterxml.jackson.core', name:'jackson-databind', version:'2.9.4'],
[group:'com.fasterxml.jackson.module', name:'jackson-module-scala_2.11', version:'2.9.4']],
```

Error:

```
What went wrong:
Execution failed for task ':apps:release:dependencies'.

Could not resolve all dependencies for configuration ':apps:release:resolve'.
A conflict was found between the following modules:
- org.scala-lang:scala-reflect:2.11.11
- org.scala-lang:scala-reflect:2.11.7
```

@cowtowncoder
Member

@poverma That sounds like a possible problem with jackson-module-scala then, or possibly the build system you are using (wrt the build definitions you use). Jackson does not depend on Scala for any reason other than the Scala module, so it seems like you would need to enforce a specific version of the transitive dependency in your build definitions.
If that does not work, you may want to file an issue against jackson-module-scala and/or send a question to the user mailing list (https://groups.google.com/forum/#!forum/jackson-user).
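
One way to enforce the transitive version as suggested above, shown as an added example that is not part of the original thread or the Jackson project. It assumes a Gradle build using the Groovy DSL; picking 2.11.11 (the newer of the two conflicting versions in the error) and applying the rules to all projects are assumptions.

```groovy
// Added example: root build.gradle (Groovy DSL).
// Assumption: the conflict is resolved by settling on the newer scala-reflect.
allprojects {
    configurations.all {
        resolutionStrategy {
            // Pin the transitive Scala dependency reported in the conflict
            // so both requesters resolve to a single version.
            force 'org.scala-lang:scala-reflect:2.11.11'

            // Keep every core Jackson artifact on the patched release, so a
            // transitive dependency cannot pull an older jackson-databind
            // back onto the classpath after the upgrade.
            eachDependency { DependencyResolveDetails details ->
                if (details.requested.group == 'com.fasterxml.jackson.core') {
                    details.useVersion '2.9.4'
                }
            }
        }
    }
}
```

Gradle's built-in `dependencyInsight` task, run with `--dependency jackson-databind` against the affected configuration, shows which version was actually selected and why.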

@DKumars

DKumars commented Mar 26, 2018 via email
