Fedora 29: 2019-df57551f6d Moderate: jackson-dataformat-xml SSRF Fix

Fedora, February 19, 2019
This jackson-dataformat-xml update addresses several security vulnerabilities, including SSRF and arbitrary code execution.
Fixes CVE-2018-14718 CVE-2018-14719 CVE-2018-19360 CVE-2018-19361 CVE-2018-19362 CVE-2018-12022 CVE-2018-12023 CVE-2018-14720 CVE-2018-14721 and CVE-2016-7051.

Summary

Data format extension for Jackson () to offer alternative support for serializing POJOs as XML and deserializing XML as POJOs. Support implemented on top of Stax API (javax.xml.stream), by implementing core Jackson Streaming API types like JsonGenerator, JsonParser and JsonFactory. Some data-binding types overridden as well (ObjectMapper sub-classed as XmlMapper).
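Because XmlMapper reads XML through a StAX XMLInputFactory, the entity and DTD settings of that factory decide whether a document can make the parser fetch external resources (the SSRF/XXE class of issue this update fixes). The following is an added example, not code from the advisory or from the jackson-dataformat-xml project: it builds an XmlMapper whose StAX factory explicitly refuses DTDs and external entities, and includes an audit check for an existing mapper. The Greeting class and the sample document are constructed for the demonstration.

```java
import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLOutputFactory;

import com.fasterxml.jackson.dataformat.xml.XmlFactory;
import com.fasterxml.jackson.dataformat.xml.XmlMapper;

public class HardenedXmlMapperExample {

    // Hypothetical POJO used only for this demonstration.
    public static class Greeting {
        public String message;
    }

    // Build an XmlMapper whose StAX input factory explicitly refuses DTDs and
    // external entities. Fixed jackson-dataformat-xml releases apply safe
    // defaults when they create the factory themselves; an application that
    // supplies its own XMLInputFactory gets the JDK defaults instead, so the
    // settings are made explicit here regardless of library version.
    public static XmlMapper hardenedXmlMapper() {
        XMLInputFactory in = XMLInputFactory.newFactory();
        in.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        in.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        XMLOutputFactory out = XMLOutputFactory.newFactory();
        return new XmlMapper(new XmlFactory(in, out));
    }

    // Audit check: true if the mapper's underlying StAX factory still allows
    // DTD processing or external entity resolution (the weak configuration).
    public static boolean allowsExternalContent(XmlMapper mapper) {
        XMLInputFactory in = mapper.getFactory().getXMLInputFactory();
        boolean dtd = Boolean.TRUE.equals(in.getProperty(XMLInputFactory.SUPPORT_DTD));
        boolean ext = Boolean.TRUE.equals(
                in.getProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES));
        return dtd || ext;
    }

    public static void main(String[] args) throws Exception {
        XmlMapper mapper = hardenedXmlMapper();
        System.out.println("allows external content: " + allowsExternalContent(mapper));

        // Constructed sample document without a DOCTYPE; binds normally.
        String xml = "<Greeting><message>hello</message></Greeting>";
        Greeting g = mapper.readValue(xml, Greeting.class);
        System.out.println(g.message);
    }
}
```

Run the audit check against every XmlMapper the application constructs, not only the one shown, since a mapper built from a caller-supplied XMLInputFactory inherits that factory's settings.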


* Wed Feb 6 2019 Mat Booth - 2.9.8-1
- Update to latest upstream release
* Fri Feb 1 2019 Fedora Release Engineering - 2.9.4-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild

[ 1 ] Bug #1555900 - jackson-datatype-jdk8: FTBFS in F28
https://bugzilla.redhat.com/show_bug.cgi?id=1555900
[ 2 ] Bug #1604397 - jackson-datatype-jdk8: FTBFS in Fedora rawhide
https://bugzilla.redhat.com/show_bug.cgi?id=1604397
[ 3 ] Bug #1671098 - CVE-2018-12022 jackson-databind: improper polymorphic deserialization of types from Jodd-db library [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1671098
[ 4 ] Bug #1666490 - CVE-2018-19362 jackson-databind: improper polymorphic deserialization in jboss-common-core class [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1666490
[ 5 ] Bug #1666486 - CVE-2018-19361 jackson-databind: improper polymorphic deserialization in openjpa class [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1666486
[ 6 ] Bug #1666483 - CVE-2018-19360 jackson-databind: improper polymorphic deserialization in axis2-transport-jms class [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1666483
[ 7 ] Bug #1666429 - CVE-2018-14721 jackson-databind: server-side request forgery (SSRF) in axis2-jaxws class [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1666429
[ 8 ] Bug #1666424 - CVE-2018-14720 jackson-databind: exfiltration/XXE in some JDK classes [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1666424
[ 9 ] Bug #1666419 - CVE-2018-14719 jackson-databind: arbitrary code execution in blaze-ds-opt and blaze-ds-core classes [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1666419
[ 10 ] Bug #1666416 - CVE-2018-14718 jackson-databind: arbitrary code execution in slf4j-ext class [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1666416
[ 11 ] Bug #1380206 - CVE-2016-7051 jackson-dataformat-xml: XmlMapper is vulnerable to SSRF attack [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1380206
[ 12 ] Bug #1672925 - bouncycastle-1.61 is available
https://bugzilla.redhat.com/show_bug.cgi?id=1672925
[ 13 ] Bug #1667118 - CVE-2018-1000873 jackson-datatype-jsr310: jackson-modules-java8: DoS due to an Improper Input Validation [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1667118
[ 14 ] Bug #1671099 - CVE-2018-12023 jackson-databind: improper polymorphic deserialization of types from Oracle JDBC driver [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1671099

su -c 'dnf upgrade --advisory FEDORA-2019-df57551f6d' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/security/


Product: Fedora 29
Version: 2.9.8
Release: 1.fc29
Summary: Jackson extension component for reading and writing XML encoded data
