Block one more gadget type (com.pastdev.httpcomponents, CVE-2020-24750) #2798
Comments
cowtowncoder
added a commit
that referenced
this issue
Jul 21, 2020
|
Planning to release 2.9.10.6 around August 15 or so, depending on whether other block-list changes are reported (none pending as of now). |
cowtowncoder
changed the title
|
2.9.10.6 released, usable via |
cowtowncoder
changed the title
qxo
added a commit
to qxo/jackson-databind
that referenced
this issue
Sep 21, 2020
…L#2659 FasterXML#2660 FasterXML#2662 FasterXML#2664 FasterXML#2666 FasterXML#2670 FasterXML#2680 FasterXML#2682 FasterXML#2688 FasterXML#2698 FasterXML#2704 FasterXML#2765 FasterXML#2798 FasterXML#2814 FasterXML#2826 FasterXML#2827 FasterXML#2854 1. generated diff CVE diff git diff ad5a630 -- src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java 2. cleanup the diff ,just remain the CVE change 3. apply the diff 4. check and make sure only commit the AutoType CVE change. ``` PR_LIST=$(git log1 -n 17 ad5a630 -- src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java | awk -F'[ ,]+' '{for(i=1;i<=NF;i++){a=$(i);if(match(a,/#[0-9]+/)){print a;}}}' | sort | uniq);echo "$PR_LIST" | wc -l echo $PR_LIST ```
cowtowncoder
pushed a commit
that referenced
this issue
Sep 22, 2020
#2670 #2680 #2682 #2688 #2698 #2704 #2765 #2798 #2814 #2826 #2827 #2854 (#2858) 1. generated diff CVE diff git diff ad5a630 -- src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java 2. cleanup the diff ,just remain the CVE change 3. apply the diff 4. check and make sure only commit the AutoType CVE change. ``` PR_LIST=$(git log1 -n 17 ad5a630 -- src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java | awk -F'[ ,]+' '{for(i=1;i<=NF;i++){a=$(i);if(match(a,/#[0-9]+/)){print a;}}}' | sort | uniq);echo "$PR_LIST" | wc -l echo $PR_LIST ```
joschi
added a commit
to dropwizard/metrics
that referenced
this issue
Nov 11, 2020
https://nvd.nist.gov/vuln/detail/CVE-2020-24750 https://nvd.nist.gov/vuln/detail/CVE-2020-24616 Release notes: https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9#micro-patches > jackson-databind 2.9.10.6 (24-Aug-2020) -- with jackson-bom version 2.9.10.20200824 > > * FasterXML/jackson-databind#2798: Block one more gadget type (com.pastdev.httpcomponents, CVE-2020-24750 > * FasterXML/jackson-databind#2814: Block one more gadget type (Anteros-DBCP, CVE-2020-24616) > * FasterXML/jackson-databind#2826: Block one more gadget type (com.nqadmin.rowset) > * FasterXML/jackson-databind#2827: Block one more gadget type (org.arrahtec:profiler-core)
arteam
pushed a commit
to dropwizard/metrics
that referenced
this issue
Nov 11, 2020
https://nvd.nist.gov/vuln/detail/CVE-2020-24750 https://nvd.nist.gov/vuln/detail/CVE-2020-24616 Release notes: https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9#micro-patches > jackson-databind 2.9.10.6 (24-Aug-2020) -- with jackson-bom version 2.9.10.20200824 > > * FasterXML/jackson-databind#2798: Block one more gadget type (com.pastdev.httpcomponents, CVE-2020-24750 > * FasterXML/jackson-databind#2814: Block one more gadget type (Anteros-DBCP, CVE-2020-24616) > * FasterXML/jackson-databind#2826: Block one more gadget type (com.nqadmin.rowset) > * FasterXML/jackson-databind#2827: Block one more gadget type (org.arrahtec:profiler-core)
tkanafa-atlassian
added a commit
to atlassian/jackson-1
that referenced
this issue
Apr 20, 2021
tkanafa-atlassian
added a commit
to atlassian/jackson-1
that referenced
this issue
Apr 20, 2021
This was referenced Apr 28, 2023
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Another gadget type(s) reported regarding class(es) of
com.pastdev.httpcomponents:configuration. library.See https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 for description of the general problem.
Mitre id: CVE-2020-24750
Reporter(s): Al1ex@knownsec
Fix is included in:
jackson-bomversion2.9.10.20200824)The text was updated successfully, but these errors were encountered: