An update for jackson-databind is now available for openEuler-20.03-LTS-SP1
Security Advisory
openeuler-security@openeuler.org
openEuler security committee
openEuler-SA-2021-1014
Final
1.0
1.0
2021-02-04
Initial
2021-02-04
2021-02-04
openEuler SA Tool V1.0
2021-02-04
jackson-databind security update
An update for jackson-databind is now available for openEuler-20.03-LTS-SP1.
The general-purpose data-binding functionality and tree-model for Jackson Data Processor. It builds on core streaming parser/generator package, and uses Jackson Annotations for configuration.\r\n\r\n
Security Fix(es):\r\n\r\n
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.PerUserPoolDataSource.(CVE-2020-35490)\r\n\r\n
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.SharedPoolDataSource.(CVE-2020-35491)\r\n\r\n
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool (aka embedded Xalan in org.glassfish.web/javax.servlet.jsp.jstl).(CVE-2020-35728)\r\n\r\n
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource.(CVE-2020-36185)\r\n\r\n
An update for jackson-databind is now available for openEuler-20.03-LTS-SP1.\r\n\r\n
openEuler Security has rated this update as having a security impact of high. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.
High
jackson-databind
https://openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2021-1014
https://openeuler.org/en/security/cve/detail.html?id=CVE-2020-35490
https://openeuler.org/en/security/cve/detail.html?id=CVE-2020-35491
https://openeuler.org/en/security/cve/detail.html?id=CVE-2020-35728
https://openeuler.org/en/security/cve/detail.html?id=CVE-2020-36185
https://nvd.nist.gov/vuln/detail/CVE-2020-35490
https://nvd.nist.gov/vuln/detail/CVE-2020-35491
https://nvd.nist.gov/vuln/detail/CVE-2020-35728
https://nvd.nist.gov/vuln/detail/CVE-2020-36185
openEuler-20.03-LTS-SP1
jackson-databind-javadoc-2.9.8-6.oe1.noarch.rpm
jackson-databind-2.9.8-6.oe1.noarch.rpm
jackson-databind-2.9.8-6.oe1.src.rpm
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.PerUserPoolDataSource.
2021-02-04
CVE-2020-35490
openEuler-20.03-LTS-SP1
High
8.1
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
jackson-databind security update
2021-02-04
https://openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2021-1014
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.SharedPoolDataSource.
2021-02-04
CVE-2020-35491
openEuler-20.03-LTS-SP1
High
8.1
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
jackson-databind security update
2021-02-04
https://openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2021-1014
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool (aka embedded Xalan in org.glassfish.web/javax.servlet.jsp.jstl).
2021-02-04
CVE-2020-35728
openEuler-20.03-LTS-SP1
High
8.1
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
jackson-databind security update
2021-02-04
https://openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2021-1014
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource.
2021-02-04
CVE-2020-36185
openEuler-20.03-LTS-SP1
High
8.1
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
jackson-databind security update
2021-02-04
https://openeuler.org/en/security/safety-bulletin/detail.html?id=openEuler-SA-2021-1014