-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

====================================================================                   Red Hat Security Advisory

Synopsis:          Important: rh-maven35-jackson-databind security update
Advisory ID:       RHSA-2020:1523-01
Product:           Red Hat Software Collections
Advisory URL:      https://access.redhat.com/errata/RHSA-2020:1523
Issue date:        2020-04-21
Cross references:  1822587 1822174 1822932 1822937 1822927
CVE Names:         CVE-2020-10968 CVE-2020-10969 CVE-2020-11111 
                   CVE-2020-11112 CVE-2020-11113 
====================================================================
1. Summary:

An update for rh-maven35-jackson-databind is now available for Red Hat
Software Collections.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7) - noarch
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.5) - noarch
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.6) - noarch
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.7) - noarch
Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7) - noarch

3. Description:

The jackson-databind package provides general data-binding functionality
for Jackson, which works on top of Jackson core streaming API.

Security Fix(es):

* jackson-databind: Serialization gadgets in
org.aoju.bus.proxy.provider.*.RmiProvider (CVE-2020-10968)

* jackson-databind: Serialization gadgets in javax.swing.JEditorPane
(CVE-2020-10969)

* jackson-databind: Serialization gadgets in
org.apache.activemq.jms.pool.XaPooledConnectionFactory (CVE-2020-11111)

* jackson-databind: Serialization gadgets in
org.apache.commons.proxy.provider.remoting.RmiProvider (CVE-2020-11112)

* jackson-databind: Serialization gadgets in
org.apache.openjpa.ee.WASRegistryManagedRuntime (CVE-2020-11113)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1819208 - CVE-2020-10968 jackson-databind: Serialization gadgets in org.aoju.bus.proxy.provider.*.RmiProvider
1819212 - CVE-2020-10969 jackson-databind: Serialization gadgets in javax.swing.JEditorPane
1821304 - CVE-2020-11111 jackson-databind: Serialization gadgets in org.apache.activemq.jms.pool.XaPooledConnectionFactory
1821311 - CVE-2020-11112 jackson-databind: Serialization gadgets in org.apache.commons.proxy.provider.remoting.RmiProvider
1821315 - CVE-2020-11113 jackson-databind: Serialization gadgets in org.apache.openjpa.ee.WASRegistryManagedRuntime

6. Package List:

Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7):

Source:
rh-maven35-jackson-databind-2.7.6-2.9.el7.src.rpm

noarch:
rh-maven35-jackson-databind-2.7.6-2.9.el7.noarch.rpm
rh-maven35-jackson-databind-javadoc-2.7.6-2.9.el7.noarch.rpm

Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7):

Source:
rh-maven35-jackson-databind-2.7.6-2.9.el7.src.rpm

noarch:
rh-maven35-jackson-databind-2.7.6-2.9.el7.noarch.rpm
rh-maven35-jackson-databind-javadoc-2.7.6-2.9.el7.noarch.rpm

Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.5):

Source:
rh-maven35-jackson-databind-2.7.6-2.9.el7.src.rpm

noarch:
rh-maven35-jackson-databind-2.7.6-2.9.el7.noarch.rpm
rh-maven35-jackson-databind-javadoc-2.7.6-2.9.el7.noarch.rpm

Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.6):

Source:
rh-maven35-jackson-databind-2.7.6-2.9.el7.src.rpm

noarch:
rh-maven35-jackson-databind-2.7.6-2.9.el7.noarch.rpm
rh-maven35-jackson-databind-javadoc-2.7.6-2.9.el7.noarch.rpm

Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.7):

Source:
rh-maven35-jackson-databind-2.7.6-2.9.el7.src.rpm

noarch:
rh-maven35-jackson-databind-2.7.6-2.9.el7.noarch.rpm
rh-maven35-jackson-databind-javadoc-2.7.6-2.9.el7.noarch.rpm

Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7):

Source:
rh-maven35-jackson-databind-2.7.6-2.9.el7.src.rpm

noarch:
rh-maven35-jackson-databind-2.7.6-2.9.el7.noarch.rpm
rh-maven35-jackson-databind-javadoc-2.7.6-2.9.el7.noarch.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2020-10968
https://access.redhat.com/security/cve/CVE-2020-10969
https://access.redhat.com/security/cve/CVE-2020-11111
https://access.redhat.com/security/cve/CVE-2020-11112
https://access.redhat.com/security/cve/CVE-2020-11113
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBXp7oOtzjgjWX9erEAQghsBAAk6mN7QOctoM4gV9BDkYybnwjFrgzSgQg
LahdpBV7QmHQ/6rdhSlbE8sGCdrUwLJy1GvRS1PzvUY2IzLf8c0rtzcHrIiD1wWB
N5kEBWiNgHOpuU4etwbR9gGsY7hhSvyxzTyRhHU36UQJqyNoc95DfbokqeAf8Ggp
dfw20J8hsCkQ6OkvDCM6T9fY7jcbHdiD4jx8WSMn3bQS3o8zRf1JJlMPOqLnHM+J
998+RIzoJYqqdL7XNWPMopvR1yps2Xx+NTL4+2Vg8e+2KVxO+ksIu3EqRsCRD0wT
22iPNX3r8ETjWcfLGw0Imvc8RiRsCL7L4oa+cbIpnBdvsRr/yW8IYmvJmHwFTZlK
+vIyYPAfSCLuHSktXEwZ9WDMeFsJfZr+zdVZ5MmOgvMAIqg+0RSE3VBlzmuAOMbv
yNz6SPODozvMDPmW1OwLhtGsu1CigORIuTRcNSYwTkXVoAxFhWXK0sHuxc3h1ne0
x38Tgk1grF7xbBSfvJwFn0MfBhufg4+iUuFhte7mtuSu3gvjQ/qt01Oo11p8cW2m
g6lX1NGEsUpEONf0NS+1hFSxWB4ex7ln98e5AqNWtLHt3S5OHzI67+/4dgl5xF7J
PdLv4j8b1AqTV8wRX6pK59OeslYcPhYdMWHEbMSkQJ3WZFOILkyTm6HWer9kl3Yt
8yoMyLl6FBM=n1if
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce

RedHat: RHSA-2020-1523:01 Important: rh-maven35-jackson-databind security

An update for rh-maven35-jackson-databind is now available for Red Hat Software Collections

Summary

The jackson-databind package provides general data-binding functionality for Jackson, which works on top of Jackson core streaming API.
Security Fix(es):
* jackson-databind: Serialization gadgets in org.aoju.bus.proxy.provider.*.RmiProvider (CVE-2020-10968)
* jackson-databind: Serialization gadgets in javax.swing.JEditorPane (CVE-2020-10969)
* jackson-databind: Serialization gadgets in org.apache.activemq.jms.pool.XaPooledConnectionFactory (CVE-2020-11111)
* jackson-databind: Serialization gadgets in org.apache.commons.proxy.provider.remoting.RmiProvider (CVE-2020-11112)
* jackson-databind: Serialization gadgets in org.apache.openjpa.ee.WASRegistryManagedRuntime (CVE-2020-11113)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.



Summary


Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:
https://access.redhat.com/articles/11258

References

https://access.redhat.com/security/cve/CVE-2020-10968 https://access.redhat.com/security/cve/CVE-2020-10969 https://access.redhat.com/security/cve/CVE-2020-11111 https://access.redhat.com/security/cve/CVE-2020-11112 https://access.redhat.com/security/cve/CVE-2020-11113 https://access.redhat.com/security/updates/classification/#important

Package List

Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7):
Source: rh-maven35-jackson-databind-2.7.6-2.9.el7.src.rpm
noarch: rh-maven35-jackson-databind-2.7.6-2.9.el7.noarch.rpm rh-maven35-jackson-databind-javadoc-2.7.6-2.9.el7.noarch.rpm
Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7):
Source: rh-maven35-jackson-databind-2.7.6-2.9.el7.src.rpm
noarch: rh-maven35-jackson-databind-2.7.6-2.9.el7.noarch.rpm rh-maven35-jackson-databind-javadoc-2.7.6-2.9.el7.noarch.rpm
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.5):
Source: rh-maven35-jackson-databind-2.7.6-2.9.el7.src.rpm
noarch: rh-maven35-jackson-databind-2.7.6-2.9.el7.noarch.rpm rh-maven35-jackson-databind-javadoc-2.7.6-2.9.el7.noarch.rpm
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.6):
Source: rh-maven35-jackson-databind-2.7.6-2.9.el7.src.rpm
noarch: rh-maven35-jackson-databind-2.7.6-2.9.el7.noarch.rpm rh-maven35-jackson-databind-javadoc-2.7.6-2.9.el7.noarch.rpm
Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.7):
Source: rh-maven35-jackson-databind-2.7.6-2.9.el7.src.rpm
noarch: rh-maven35-jackson-databind-2.7.6-2.9.el7.noarch.rpm rh-maven35-jackson-databind-javadoc-2.7.6-2.9.el7.noarch.rpm
Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7):
Source: rh-maven35-jackson-databind-2.7.6-2.9.el7.src.rpm
noarch: rh-maven35-jackson-databind-2.7.6-2.9.el7.noarch.rpm rh-maven35-jackson-databind-javadoc-2.7.6-2.9.el7.noarch.rpm
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/


Severity
Advisory ID: RHSA-2020:1523-01
Product: Red Hat Software Collections
Advisory URL: https://access.redhat.com/errata/RHSA-2020:1523
Issued Date: : 2020-04-21
Cross references: 1822587 1822174 1822932 1822937 1822927
CVE Names: CVE-2020-10968 CVE-2020-10969 CVE-2020-11111 CVE-2020-11112 CVE-2020-11113

Topic

An update for rh-maven35-jackson-databind is now available for Red HatSoftware Collections.Red Hat Product Security has rated this update as having a security impactof Important. A Common Vulnerability Scoring System (CVSS) base score,which gives a detailed severity rating, is available for each vulnerabilityfrom the CVE link(s) in the References section.


Topic


 

Relevant Releases Architectures

Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7) - noarch

Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.5) - noarch

Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.6) - noarch

Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.7) - noarch

Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7) - noarch


Bugs Fixed

1819208 - CVE-2020-10968 jackson-databind: Serialization gadgets in org.aoju.bus.proxy.provider.*.RmiProvider

1819212 - CVE-2020-10969 jackson-databind: Serialization gadgets in javax.swing.JEditorPane

1821304 - CVE-2020-11111 jackson-databind: Serialization gadgets in org.apache.activemq.jms.pool.XaPooledConnectionFactory

1821311 - CVE-2020-11112 jackson-databind: Serialization gadgets in org.apache.commons.proxy.provider.remoting.RmiProvider

1821315 - CVE-2020-11113 jackson-databind: Serialization gadgets in org.apache.openjpa.ee.WASRegistryManagedRuntime


Related News

The End of the Road for Linux 6.11: A Call to Upgrade to Kernel 6.12
3 - 5 min read
The Linux kernel community recently issued an EOL announcement regarding the 6.11 kernel series, urging sysadmins to upgrade quickly to 6.12 . This
A Linux Admin
3 - 6 min read
As 2025 approaches, we Linux admins are facing new and often unseen cloud-native security obstacles. While skilled at mitigating known risks,
Leveraging Insights from the Linux Foundation
3 - 5 min read
The Linux Foundation's recent Census III report provides critical insights for Linux administrators, information security professionals, and anyone
Chrome 131 Released: Emergency Security Update Fixes Over a Dozen Significant Vulns
3 - 6 min read
Google recently unveiled a critical security update to their popular web browser, Google Chrome, addressing over a dozen significant security
From Wayland Fixes to Security Boosts: Examining Qt 6.8.1
3 - 6 min read
The recent Qt 6.8.1 release brings significant updates and improvements, strengthening its reputation as a secure and reliable application
Exploring Arch Linux 2024.12.01: Security Implications & Notable Enhancements for Linux Admins
3 - 6 min read
The Arch Linux 2024.12.01 ISO release marks an impressive milestone, offering cutting-edge updates that enhance functionality, streamline
Deck the Halls with Enhanced Security: Linux Kernel 6.13
3 - 5 min read
As Linux admins and infosec professionals prepare for the holiday season, there's much cause for celebration this year! Linus Torvalds recently made
Lessons from Bootkitty: Securing Linux Systems Against UEFI Intrusions
3 - 5 min read
New Linux security threats mark critical junctures that challenge existing policies and test security protocols to their limit. One such milestone

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved