# Dependency-Check Report: java-demo-project

- Report schema version: 5.2.4
- NVD CVE data checked: 2019-11-21T13:01:40
- NVD CVE data modified: 2019-11-21T07:03:50
- Project: java-demo-project (com.ysoft.security:java-demo-project:1.0-SNAPSHOT)
- Report generated: 2020-01-28T12:41:14.891858Z

This report contains data retrieved from the National Vulnerability Database: https://nvd.nist.gov, NPM Public Advisories: https://www.npmjs.com/advisories, and the RetireJS community.

## commons-collections-3.2.1.jar

- File path: /home/user/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar
- MD5: 13bc641afd7fd95e09b260f69c1e4c91
- SHA1: 761ea405b9b37ced573d2df0d1e3a4e0f9edc668
- SHA256: 87363a4c94eaabeefd8b930cb059f66b64c9f7d632862f23de3012da7660047b
- Description: Types that extend and augment the Java Collections Framework.
- License: http://www.apache.org/licenses/LICENSE-2.0.txt
- Project reference: java-demo-project:compile
- Identifier: pkg:maven/commons-collections/commons-collections@3.2.1 (https://ossindex.sonatype.org/component/pkg:maven/commons-collections/commons-collections@3.2.1)

Evidence collected (vendor, product and version evidence, duplicates collapsed):

- Manifest: Implementation-Vendor-Id `org.apache`; specification-vendor `The Apache Software Foundation`; Implementation-Vendor `The Apache Software Foundation`; bundle-docurl `http://commons.apache.org/collections/`; bundle-symbolicname `org.apache.commons.collections`; Implementation-Title `Commons Collections`; Bundle-Name `Commons Collections`; specification-title `Commons Collections`; Implementation-Version `3.2.1`; Bundle-Version `3.2.1`
- pom: name `Commons Collections`; groupid `commons-collections`; artifactid `commons-collections`; url `http://commons.apache.org/collections/`; parent-groupid `org.apache.commons`; parent-artifactid `commons-parent`; version `3.2.1`; parent-version `3.2.1`
- file: name `commons-collections`; version `3.2.1`
- jar package names: `apache`, `commons`, `collections`

### CVE-2015-6420 (HIGH)

- CVSSv2: 7.5 (Access Vector NETWORK, Access Complexity LOW, Authentication NONE, Confidentiality PARTIAL, Integrity PARTIAL, Availability PARTIAL; severity HIGH)
- CWE: CWE-502
- Description: Serialized-object interfaces in certain Cisco Collaboration and Social Media; Endpoint Clients and Client Software; Network Application, Service, and Acceleration; Network and Content Security Devices; Network Management and Provisioning; Routing and Switching - Enterprise and Service Provider; Unified Computing; Voice and Unified Communications Devices; Video, Streaming, TelePresence, and Transcoding Devices; Wireless; and Cisco Hosted Services products allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library.
- References:
  - CONFIRM: https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05376917
  - BID: http://www.securityfocus.com/bid/78872 (78872)
  - CONFIRM: http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
  - CISCO: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151209-java-deserialization (20151209 Vulnerability in Java Deserialization Affecting Cisco Products)
  - MISC: https://www.tenable.com/security/research/tra-2017-14
  - CONFIRM: https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05390722
  - CERT-VN: https://www.kb.cert.org/vuls/id/581311 (VU#581311)
  - MISC: https://www.kb.cert.org/vuls/id/576313
  - OSSINDEX: https://ossindex.sonatype.org/vuln/ac157388-2d0e-4c78-b3f4-033572d19286 ([CVE-2015-6420] Serialized-object interfaces in certain Cisco Collaboration and Social Media; En...)
  - MISC: https://www.tenable.com/security/research/tra-2017-23
- Vulnerable software:
  - cpe:2.3:a:apache:commons_collections:4.0:*:*:*:*:*:*:*
  - cpe:2.3:a:apache:commons_collections:*:*:*:*:*:*:*:*

### CVE-2017-15708 (CRITICAL)

- CVSSv2: 7.5 (Access Vector NETWORK, Access Complexity LOW, Authentication NONE, Confidentiality PARTIAL, Integrity PARTIAL, Availability PARTIAL; severity HIGH)
- CVSSv3: 9.8 (Attack Vector NETWORK, Attack Complexity LOW, Privileges Required NONE, User Interaction NONE, Scope UNCHANGED, Confidentiality HIGH, Integrity HIGH, Availability HIGH; severity CRITICAL)
- CWE: CWE-74
- Description: In Apache Synapse, by default no authentication is required for Java Remote Method Invocation (RMI). So Apache Synapse 3.0.1 or all previous releases (3.0.0, 2.1.0, 2.0.0, 1.2, 1.1.2, 1.1.1) allows remote code execution attacks that can be performed by injecting specially crafted serialized objects. And the presence of Apache Commons Collections 3.2.1 (commons-collections-3.2.1.jar) or previous versions in Synapse distribution makes this exploitable. To mitigate the issue, we need to limit RMI access to trusted users only. Further upgrading to 3.0.1 version will eliminate the risk of having said Commons Collection version. In Synapse 3.0.1, Commons Collection has been updated to 3.2.2 version.
- References:
  - MLIST: https://lists.apache.org/thread.html/77f2accf240d25d91b47033e2f8ebec84ffbc6e6627112b2f98b66c9@%3Cdev.synapse.apache.org%3E ([dev] 20171210 [CVE-2017-15708] Apache Synapse Remote Code Execution Vulnerability)
  - BID: http://www.securityfocus.com/bid/102154 (102154)
  - OSSINDEX: https://ossindex.sonatype.org/vuln/9b28a5d2-9be7-4414-a59b-98e25e4c608a ([CVE-2017-15708] In Apache Synapse, by default no authentication is required for Java Remote Meth...)
- Vulnerable software:
  - cpe:2.3:a:apache:synapse:1.1.1:*:*:*:*:*:*:*
  - cpe:2.3:a:apache:synapse:1.1:*:*:*:*:*:*:*
  - cpe:2.3:a:apache:commons_collections:*:*:*:*:*:*:*:*
  - cpe:2.3:a:apache:synapse:1.1.2:*:*:*:*:*:*:*
  - cpe:2.3:a:apache:synapse:1.0:*:*:*:*:*:*:*
  - cpe:2.3:a:apache:synapse:2.1.0:*:*:*:*:*:*:*
  - cpe:2.3:a:apache:synapse:2.0.0:*:*:*:*:*:*:*
  - cpe:2.3:a:apache:synapse:3.0.0:*:*:*:*:*:*:*
  - cpe:2.3:a:apache:synapse:1.2:*:*:*:*:*:*:*

### Remote code execution (OSS Index)

- Score: 0.0
- Description:

> It was found that a flaw in commons-collection library allowed remote code execution wherever deserialization occurs. While JBoss doesn't expose the JMXInvokerServlet by default, other interfaces where deserialization occurs might be vulnerable.
>
> -- [redhat.com](https://bugzilla.redhat.com/show_bug.cgi?id=1279330)

- References:
  - OSSINDEX: https://ossindex.sonatype.org/vuln/ed5505cd-2b5b-4ca6-ab51-28ca91263b4e (Remote code execution)
- Vulnerable software:
  - cpe:2.3:a:commons-collections:commons-collections:3.2.1:*:*:*:*:*:*:*

## commons-cli-1.4.jar

- File path: /home/user/.m2/repository/commons-cli/commons-cli/1.4/commons-cli-1.4.jar
- MD5: c966d7e03507c834d5b09b848560174e
- SHA1: c51c00206bb913cd8612b24abd9fa98ae89719b1
- SHA256: fd3c7c9545a9cdb2051d1f9155c4f76b1e4ac5a57304404a6eedb578ffba7328
- Description: Apache Commons CLI provides a simple API for presenting, processing and validating a command line interface.
- License: https://www.apache.org/licenses/LICENSE-2.0.txt
- Project reference: java-demo-project:compile
- Identifier: pkg:maven/commons-cli/commons-cli@1.4 (https://ossindex.sonatype.org/component/pkg:maven/commons-cli/commons-cli@1.4)

Evidence collected (duplicates collapsed):

- Manifest: Implementation-Vendor-Id `org.apache`; specification-vendor `The Apache Software Foundation`; Implementation-Vendor `The Apache Software Foundation`; require-capability `osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.5))"`; implementation-url `http://commons.apache.org/proper/commons-cli/`; implementation-build `tags/cli-1.4-RC1@r1786159; 2017-03-09 13:01:35+0000`; bundle-symbolicname `org.apache.commons.cli`; bundle-docurl `http://commons.apache.org/proper/commons-cli/`; Bundle-Name `Apache Commons CLI`; specification-title `Apache Commons CLI`; Implementation-Title `Apache Commons CLI`; Implementation-Version `1.4`
- pom: name `Apache Commons CLI`; groupid `commons-cli`; artifactid `commons-cli`; url `http://commons.apache.org/proper/commons-cli/`; parent-groupid `org.apache.commons`; parent-artifactid `commons-parent`; version `1.4`; parent-version `1.4`
- file: name `commons-cli`; version `1.4`
- jar package names: `cli`, `apache`, `commons`

No vulnerabilities reported for this dependency.

## jackson-databind-2.9.7.jar

- File path: /home/user/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.7/jackson-databind-2.9.7.jar
- MD5: 2916db8b36f4078f07dd9580bccec6c2
- SHA1: e6faad47abd3179666e89068485a1b88a195ceb7
- SHA256: 675376decfc070b039d2be773a97002f1ee1e1346d95bd99feee0d56683a92bf
- Description: General data-binding functionality for Jackson: works on core streaming API
- License: http://www.apache.org/licenses/LICENSE-2.0.txt
- Project reference: java-demo-project:compile
- Identifier: pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.7 (https://ossindex.sonatype.org/component/pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.9.7)

Evidence collected (duplicates collapsed):

- Manifest: Implementation-Vendor `FasterXML`; Implementation-Vendor-Id `com.fasterxml.jackson.core`; specification-vendor `FasterXML`; implementation-build-date `2018-09-19 02:48:44+0000`; bundle-docurl `http://github.com/FasterXML/jackson`; require-capability `osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.7))"`; automatic-module-name `com.fasterxml.jackson.databind`; bundle-symbolicname `com.fasterxml.jackson.core.jackson-databind`; specification-title `jackson-databind`; Implementation-Title `jackson-databind`; Bundle-Name `jackson-databind`; Implementation-Version `2.9.7`; Bundle-Version `2.9.7`
- pom: groupid `com.fasterxml.jackson.core` (also recorded as `fasterxml.jackson.core`); name `jackson-databind`; artifactid `jackson-databind`; url `http://github.com/FasterXML/jackson`; parent-groupid `com.fasterxml.jackson`; parent-artifactid `jackson-base`; version `2.9.7`
- file: name `jackson-databind`; version `2.9.7`
- jar package names: `fasterxml`, `jackson`, `databind`

### CVE-2018-1000873 (MEDIUM)

- CVSSv2: 4.3 (Access Vector NETWORK, Access Complexity MEDIUM, Authentication NONE, Confidentiality NONE, Integrity NONE, Availability PARTIAL; severity MEDIUM)
- CVSSv3: 6.5 (Attack Vector NETWORK, Attack Complexity LOW, Privileges Required NONE, User Interaction REQUIRED, Scope UNCHANGED, Confidentiality NONE, Integrity NONE, Availability HIGH; severity MEDIUM)
- CWE: CWE-20
- Description: Fasterxml Jackson version Before 2.9.8 contains a CWE-20: Improper Input Validation vulnerability in Jackson-Modules-Java8 that can result in Causes a denial-of-service (DoS). This attack appear to be exploitable via The victim deserializes malicious input, specifically very large values in the nanoseconds field of a time value. This vulnerability appears to have been fixed in 2.9.8.
- References:
  - MLIST: https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E ([drill-issues] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities)
  - MLIST: https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E ([drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities)
  - MISC: https://github.com/FasterXML/jackson-modules-java8/issues/90
  - MLIST: https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3@%3Ccommits.nifi.apache.org%3E ([nifi-commits] 20191113 svn commit: r1869773 - /nifi/site/trunk/security.html)
  - MLIST: https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E ([drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities)
  - MLIST: https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8@%3Ccommits.pulsar.apache.org%3E ([pulsar-commits] 20190416 [GitHub] [pulsar] one70six opened a new issue #4057: Security Vulnerabilities - Black Duck Scan - Pulsar v.2.3.1)
  - CONFIRM: https://bugzilla.redhat.com/show_bug.cgi?id=1665601
  - MISC: https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
  - MISC: https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
  - MISC: https://github.com/FasterXML/jackson-modules-java8/pull/87
  - OSSINDEX: https://ossindex.sonatype.org/vuln/292c11e9-cf66-4d76-aaf7-b63a091f8891 ([CVE-2018-1000873] Improper Input Validation)
- Vulnerable software:
  - cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.0:*:*:*:*:*:*:*
  - cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*

### CVE-2018-19360 (CRITICAL)

- CVSSv2: 7.5 (Access Vector NETWORK, Access Complexity LOW, Authentication NONE, Confidentiality PARTIAL, Integrity PARTIAL, Availability PARTIAL; severity HIGH)
- CVSSv3: 9.8 (Attack Vector NETWORK, Attack Complexity LOW, Privileges Required NONE, User Interaction NONE, Scope UNCHANGED, Confidentiality HIGH, Integrity HIGH, Availability HIGH; severity CRITICAL)
- CWE: CWE-502
- Description: FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the axis2-transport-jms class from polymorphic deserialization.
- References:
  - REDHAT: https://access.redhat.com/errata/RHSA-2019:3149 (RHSA-2019:3149)
  - MLIST: https://lists.debian.org/debian-lts-announce/2019/03/msg00005.html ([debian-lts-announce] 20190304 [SECURITY] [DLA 1703-1] jackson-databind security update)
  - MLIST: https://lists.apache.org/thread.html/c70da3cb6e3f03e0ad8013e38b6959419d866c4a7c80fdd34b73f25c@%3Ccommits.pulsar.apache.org%3E ([pulsar-commits] 20190329 [GitHub] [pulsar] massakam opened a new pull request #3938: Upgrade third party libraries with security vulnerabilities)
  - MLIST: https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E ([drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities)
  - MLIST: https://lists.apache.org/thread.html/37e1ed724a1b0e5d191d98c822c426670bdfde83804567131847d2a3@%3Cdevnull.infra.apache.org%3E ([infra-devnull] 20190329 [GitHub] [pulsar] massakam opened pull request #3938: Upgrade third party libraries with security vulnerabilities)
  - BID: http://www.securityfocus.com/bid/107985 (107985)
  - REDHAT: https://access.redhat.com/errata/RHSA-2019:1822 (RHSA-2019:1822)
  - MISC: https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
  - REDHAT: https://access.redhat.com/errata/RHSA-2019:1823 (RHSA-2019:1823)
  - REDHAT: https://access.redhat.com/errata/RHSA-2019:2858 (RHSA-2019:2858)
  - CONFIRM: https://github.com/FasterXML/jackson-databind/issues/2186
  - REDHAT: https://access.redhat.com/errata/RHSA-2019:2804 (RHSA-2019:2804)
  - MISC: https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
  - CONFIRM: https://github.com/FasterXML/jackson-databind/commit/42912cac4753f3f718ece875e4d486f8264c2f2b
  - CONFIRM: https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.8
  - REDHAT: https://access.redhat.com/errata/RHSA-2019:1797 (RHSA-2019:1797)
  - DEBIAN: https://www.debian.org/security/2019/dsa-4452 (DSA-4452)
  - MLIST: https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3@%3Ccommits.nifi.apache.org%3E ([nifi-commits] 20191113 svn commit: r1869773 - /nifi/site/trunk/security.html)
  - OSSINDEX: https://ossindex.sonatype.org/vuln/dc5c85aa-ec0c-42b9-a11b-935184041ee7 ([CVE-2018-19360] Deserialization of Untrusted Data)
  - MLIST: https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8@%3Ccommits.pulsar.apache.org%3E ([pulsar-commits] 20190416 [GitHub] [pulsar] one70six opened a new issue #4057: Security Vulnerabilities - Black Duck Scan - Pulsar v.2.3.1)
  - MISC: https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
  - REDHAT: https://access.redhat.com/errata/RHSA-2019:3140 (RHSA-2019:3140)
  - REDHAT: https://access.redhat.com/errata/RHSA-2019:1782 (RHSA-2019:1782)
  - BUGTRAQ: https://seclists.org/bugtraq/2019/May/68 (20190527 [SECURITY] [DSA 4452-1] jackson-databind security update)
  - REDHAT: https://access.redhat.com/errata/RHSA-2019:0877 (RHSA-2019:0877)
  - MLIST: https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E ([drill-issues] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities)
  - REDHAT: https://access.redhat.com/errata/RHBA-2019:0959 (RHBA-2019:0959)
  - REDHAT: https://access.redhat.com/errata/RHSA-2019:0782 (RHSA-2019:0782)
  - CONFIRM: https://issues.apache.org/jira/browse/TINKERPOP-2121
  - MLIST: https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E ([drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities)
  - CONFIRM: https://security.netapp.com/advisory/ntap-20190530-0003/
  - REDHAT: https://access.redhat.com/errata/RHSA-2019:3892 (RHSA-2019:3892)
  - REDHAT: https://access.redhat.com/errata/RHSA-2019:3002 (RHSA-2019:3002)
- Vulnerable software:
  - cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*
  - cpe:2.3:a:oracle:retail_workforce_management_software:1.60.9.0.0:*:*:*:*:*:*:*
  - cpe:2.3:a:redhat:openshift_container_platform:3.11:*:*:*:*:*:*:*
  - cpe:2.3:a:oracle:primavera_unifier:16.2:*:*:*:*:*:*:*
  - cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:18.8:*:*:*:*:*:*:*
  - cpe:2.3:a:oracle:webcenter_portal:12.2.1.3.0:*:*:*:*:*:*:*
  - cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:*
  - cpe:2.3:a:redhat:jboss_bpm_suite:6.4.11:*:*:*:*:*:*:*
  - cpe:2.3:a:oracle:primavera_unifier:16.1:*:*:*:*:*:*:*
  - cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:16.1:*:*:*:*:*:*:*
  - cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:15.1:*:*:*:*:*:*:*
  - cpe:2.3:a:oracle:business_process_management_suite:12.2.1.3.0:*:*:*:*:*:*:*
  - cpe:2.3:a:redhat:automation_manager:7.3.1:*:*:*:*:*:*:*
  - cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:*:*:*:*:*:*:*:*
  - cpe:2.3:a:oracle:primavera_unifier:18.8:*:*:*:*:*:*:*
  - cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:16.2:*:*:*:*:*:*:*
  - cpe:2.3:a:oracle:primavera_p6_enterprise_project_portfolio_management:15.2:*:*:*:*:*:*:*
  - cpe:2.3:a:oracle:business_process_management_suite:12.1.3.0.0:*:*:*:*:*:*:*
  - cpe:2.3:a:redhat:decision_manager:7.3.1:*:*:*:*:*:*:*
  - cpe:2.3:a:redhat:jboss_brms:6.4.10:*:*:*:*:*:*:*

### CVE-2018-19361 (CRITICAL)

- CVSSv2: 7.5 (Access Vector NETWORK, Access Complexity LOW, Authentication NONE, Confidentiality PARTIAL, Integrity PARTIAL, Availability PARTIAL; severity HIGH)
- CVSSv3: 9.8 (Attack Vector NETWORK, Attack Complexity LOW, Privileges Required NONE, User Interaction NONE, Scope UNCHANGED, Confidentiality HIGH, Integrity HIGH, Availability HIGH; severity CRITICAL)
- CWE: CWE-502
- Description: FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the openjpa class from polymorphic deserialization.
- References: the same reference set as CVE-2018-19360 above, with its own OSS Index entry in place of that one:
  - OSSINDEX: https://ossindex.sonatype.org/vuln/5a041483-5b69-47f8-b8a9-e631830ceaf9 ([CVE-2018-19361] Deserialization of Untrusted Data)
- Vulnerable software: the same CPE list as CVE-2018-19360 above.

### CVE-2018-19362 (CRITICAL)

- CVSSv2: 7.5 (Access Vector NETWORK, Access Complexity LOW, Authentication NONE, Confidentiality PARTIAL, Integrity PARTIAL, Availability PARTIAL; severity HIGH)
- CVSSv3: 9.8 (Attack Vector NETWORK, Attack Complexity LOW, Privileges Required NONE, User Interaction NONE, Scope UNCHANGED, Confidentiality HIGH, Integrity HIGH, Availability HIGH; severity CRITICAL)
- CWE: CWE-502
- Description: FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the jboss-common-core class from polymorphic deserialization.
- References: the same reference set as CVE-2018-19360 above, with its own OSS Index entry in place of that one:
  - OSSINDEX: https://ossindex.sonatype.org/vuln/5afe3c10-61cc-4ca0-99ae-c6ba8f330b45 ([CVE-2018-19362] Deserialization of Untrusted Data)
- Vulnerable software: the same CPE list as CVE-2018-19360 above.

### CVE-2019-12086 (HIGH)

- CVSSv2: 5.0 (Access Vector NETWORK, Access Complexity LOW, Authentication NONE, Confidentiality PARTIAL, Integrity PARTIAL, Availability NONE; severity MEDIUM)
- CVSSv3: 7.5 (Attack Vector NETWORK, Attack Complexity LOW, Privileges Required NONE, User Interaction NONE, Scope UNCHANGED, Confidentiality HIGH, Integrity NONE, Availability NONE; severity HIGH)
- CWE: CWE-200
- Description: A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint, the service has the mysql-connector-java jar (8.0.14 or earlier) in the classpath, and an attacker can host a crafted MySQL server reachable by the victim, an attacker can send a crafted JSON message that allows them to read arbitrary local files on the server. This occurs because of missing com.mysql.cj.jdbc.admin.MiniAdmin validation.
- References:
  - REDHAT: https://access.redhat.com/errata/RHSA-2019:3149 (RHSA-2019:3149)
  - MLIST: https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E ([drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities)
  - MISC: https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
  - REDHAT: https://access.redhat.com/errata/RHSA-2019:2858 (RHSA-2019:2858)
  - REDHAT: https://access.redhat.com/errata/RHSA-2019:2935 (RHSA-2019:2935)
  - REDHAT: https://access.redhat.com/errata/RHSA-2019:2936 (RHSA-2019:2936)
  - MLIST: https://lists.debian.org/debian-lts-announce/2019/05/msg00030.html ([debian-lts-announce] 20190521 [SECURITY] [DLA 1798-1] jackson-databind security update)
  - FEDORA: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TXRVXNRFHJSQWFHPRJQRI5UPMZ63B544/ (FEDORA-2019-fb23eccc03)
  - REDHAT: https://access.redhat.com/errata/RHSA-2019:2937 (RHSA-2019:2937)
  - REDHAT: https://access.redhat.com/errata/RHSA-2019:3050 (RHSA-2019:3050)
  - CONFIRM: https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.9
  - DEBIAN: https://www.debian.org/security/2019/dsa-4452 (DSA-4452)
  - REDHAT: https://access.redhat.com/errata/RHSA-2019:2938 (RHSA-2019:2938)
  - MLIST: https://lists.apache.org/thread.html/3f99ae8dcdbd69438cb733d745ee3ad5e852068490719a66509b4592@%3Ccommits.cassandra.apache.org%3E ([cassandra-commits] 20190919 [jira] [Created] (CASSANDRA-15328) Bump jackson version to >= 2.9.9.3 to address security vulnerabilities)
  - FEDORA: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OVRZDN2T6AZ6DJCZJ3VSIQIVHBVMVWBL/ (FEDORA-2019-ae6a703b8f)
  - MISC: https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062
  - MLIST: https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3@%3Ccommits.nifi.apache.org%3E ([nifi-commits] 20191113 svn commit: r1869773 - /nifi/site/trunk/security.html)
  - REDHAT: https://access.redhat.com/errata/RHSA-2019:2998 (RHSA-2019:2998)
  - MISC: https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
  - BUGTRAQ: https://seclists.org/bugtraq/2019/May/68 (20190527 [SECURITY] [DSA 4452-1] jackson-databind security update)
  - MISC: https://github.com/FasterXML/jackson-databind/issues/2326
  - FEDORA: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UKUALE2TUCKEKOHE2D342PQXN4MWCSLC/ (FEDORA-2019-99ff6aa32c)
  - MLIST: https://lists.apache.org/thread.html/88cd25375805950ae7337e669b0cb0eeda98b9604c1b8d806dccbad2@%3Creviews.spark.apache.org%3E ([spark-reviews] 20190520 [GitHub] [spark] Fokko opened a new pull request #24646: Spark 27757)
  - MLIST: https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E ([drill-issues] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities)
vulnerabilitiesREDHAThttps://access.redhat.com/errata/RHSA-2019:3200RHSA-2019:3200REDHAThttps://access.redhat.com/errata/RHSA-2019:3045RHSA-2019:3045OSSINDEXhttps://ossindex.sonatype.org/vuln/5bbadb96-496f-4534-a513-7a6396f54029[CVE-2019-12086] Information ExposureMLISThttps://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E[drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilitiesREDHAThttps://access.redhat.com/errata/RHSA-2019:3044RHSA-2019:3044CONFIRMhttps://security.netapp.com/advisory/ntap-20190530-0003/https://security.netapp.com/advisory/ntap-20190530-0003/MISChttp://russiansecurity.expert/2016/04/20/mysql-connect-file-read/http://russiansecurity.expert/2016/04/20/mysql-connect-file-read/BIDhttp://www.securityfocus.com/bid/109227109227REDHAThttps://access.redhat.com/errata/RHSA-2019:3046RHSA-2019:3046cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*CVE-2019-12384MEDIUM4.3NETWORKMEDIUMNONEPARTIALPARTIALNONEMEDIUM5.9NETWORKHIGHNONENONEUNCHANGEDHIGHNONENONEMEDIUMCWE-502FasterXML jackson-databind 2.x before 2.9.9.1 might allow attackers to have a variety of impacts by leveraging failure to block the logback-core class from polymorphic deserialization. 
Depending on the classpath content, remote code execution may be possible.REDHAThttps://access.redhat.com/errata/RHSA-2019:3149RHSA-2019:3149MLISThttps://lists.apache.org/thread.html/940b4c3fef002461b89a050935337056d4a036a65ef68e0bbd4621ef@%3Cdev.struts.apache.org%3E[struts-dev] 20190908 Build failed in Jenkins: Struts-master-JDK8-dependency-check #204REDHAThttps://access.redhat.com/errata/RHSA-2019:1820RHSA-2019:1820MLISThttps://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E[drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilitiesREDHAThttps://access.redhat.com/errata/RHSA-2019:3901RHSA-2019:3901MLISThttps://lists.apache.org/thread.html/34717424b4d08b74f65c09a083d6dd1cb0763f37a15d6de135998c1d@%3Cdev.tomee.apache.org%3E[tomee-dev] 20190905 [GitHub] [tomee] rzo1 opened a new pull request #549: [TOMEE-2655] [7.1.x] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and CVE-2019-14439MISChttps://github.com/FasterXML/jackson-databind/compare/74b90a4...a977aadhttps://github.com/FasterXML/jackson-databind/compare/74b90a4...a977aadREDHAThttps://access.redhat.com/errata/RHSA-2019:2858RHSA-2019:2858REDHAThttps://access.redhat.com/errata/RHSA-2019:2935RHSA-2019:2935MLISThttps://lists.apache.org/thread.html/5ecc333113b139429f4f05000d4aa2886974d4df3269c1dd990bb319@%3Cdev.tomee.apache.org%3E[tomee-dev] 20190906 [GitHub] [tomee] rzo1 commented on issue #549: [TOMEE-2655] [7.1.x] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and CVE-2019-14439MLISThttps://lists.apache.org/thread.html/e0733058c0366b703e6757d8d2a7a04b943581f659e9c271f0841dfe@%3Cnotifications.geode.apache.org%3E[geode-notifications] 20191007 [GitHub] [geode] jmelchio commented on issue #4102: Fix for GEODE-7255: Pickup Jackson CVE 
fixREDHAThttps://access.redhat.com/errata/RHSA-2019:3292RHSA-2019:3292REDHAThttps://access.redhat.com/errata/RHSA-2019:2936RHSA-2019:2936FEDORAhttps://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TXRVXNRFHJSQWFHPRJQRI5UPMZ63B544/FEDORA-2019-fb23eccc03CONFIRMhttps://lists.debian.org/debian-lts-announce/2019/06/msg00019.htmlhttps://lists.debian.org/debian-lts-announce/2019/06/msg00019.htmlMLISThttps://lists.apache.org/thread.html/ee0a051428d2c719acfa297d0854a189ea5e284ef3ed491fa672f4be@%3Cdev.tomee.apache.org%3E[tomee-dev] 20190905 [GitHub] [tomee] robert-schaft-hon commented on issue #549: [TOMEE-2655] [7.1.x] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and CVE-2019-14439MLISThttps://lists.apache.org/thread.html/0d4b630d9ee724aee50703397d9d1afa2b2befc9395ba7797d0ccea9@%3Cdev.tomee.apache.org%3E[tomee-dev] 20190905 [GitHub] [tomee] asf-ci commented on issue #549: [TOMEE-2655] [7.1.x] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and CVE-2019-14439REDHAThttps://access.redhat.com/errata/RHSA-2019:2937RHSA-2019:2937REDHAThttps://access.redhat.com/errata/RHSA-2019:2938RHSA-2019:2938MLISThttps://lists.apache.org/thread.html/3f99ae8dcdbd69438cb733d745ee3ad5e852068490719a66509b4592@%3Ccommits.cassandra.apache.org%3E[cassandra-commits] 20190919 [jira] [Created] (CASSANDRA-15328) Bump jackson version to >= 2.9.9.3 to address security vulnerabilitiesFEDORAhttps://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OVRZDN2T6AZ6DJCZJ3VSIQIVHBVMVWBL/FEDORA-2019-ae6a703b8fMLISThttps://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3@%3Ccommits.nifi.apache.org%3E[nifi-commits] 20191113 svn commit: r1869773 - 
/nifi/site/trunk/security.htmlREDHAThttps://access.redhat.com/errata/RHSA-2019:2998RHSA-2019:2998DEBIANhttps://www.debian.org/security/2019/dsa-4542DSA-4542MISChttps://doyensec.com/research.htmlhttps://doyensec.com/research.htmlOSSINDEXhttps://ossindex.sonatype.org/vuln/33d59f1d-83ff-4527-9707-c3f1507b6125[CVE-2019-12384] Deserialization of Untrusted DataREDHAThttps://access.redhat.com/errata/RHSA-2019:2720RHSA-2019:2720CONFIRMhttps://security.netapp.com/advisory/ntap-20190703-0002/https://security.netapp.com/advisory/ntap-20190703-0002/MISChttps://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.htmlhttps://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.htmlMLISThttps://lists.apache.org/thread.html/2d2a76440becb610b9a9cb49b15eac3934b02c2dbcaacde1000353e4@%3Cdev.tomee.apache.org%3E[tomee-dev] 20190905 [GitHub] [tomee] rzo1 opened a new pull request #548: [TOMEE-2655] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and CVE-2019-14439MLISThttps://lists.apache.org/thread.html/87e46591de8925f719664a845572d184027258c5a7af0a471b53c77b@%3Cdev.tomee.apache.org%3E[tomee-dev] 20190909 [GitHub] [tomee] jgallimore merged pull request #548: [TOMEE-2655] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and CVE-2019-14439FEDORAhttps://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UKUALE2TUCKEKOHE2D342PQXN4MWCSLC/FEDORA-2019-99ff6aa32cMISChttps://blog.doyensec.com/2019/07/22/jackson-gadgets.htmlhttps://blog.doyensec.com/2019/07/22/jackson-gadgets.htmlMLISThttps://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E[drill-issues] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security 
vulnerabilitiesREDHAThttps://access.redhat.com/errata/RHSA-2019:3200RHSA-2019:3200MLISThttps://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E[drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilitiesMLISThttps://lists.apache.org/thread.html/5fc0e16b7af2590bf1e97c76c136291c4fdb244ee63c65c485c9a7a1@%3Cdev.tomee.apache.org%3E[tomee-dev] 20190909 [GitHub] [tomee] jgallimore merged pull request #549: [TOMEE-2655] [7.1.x] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and CVE-2019-14439REDHAThttps://access.redhat.com/errata/RHSA-2019:3297RHSA-2019:3297BUGTRAQhttps://seclists.org/bugtraq/2019/Oct/620191007 [SECURITY] [DSA 4542-1] jackson-databind security updateMLISThttps://lists.apache.org/thread.html/56c8042873595b8c863054c7bfccab4bf2c01c6f5abedae249d914b9@%3Cdev.tomee.apache.org%3E[tomee-dev] 20190905 [GitHub] [tomee] asf-ci commented on issue #548: [TOMEE-2655] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and CVE-2019-14439cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*CVE-2019-12814MEDIUM4.3NETWORKMEDIUMNONEPARTIALPARTIALNONEMEDIUM5.9NETWORKHIGHNONENONEUNCHANGEDHIGHNONENONEMEDIUMCWE-200A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x through 2.9.9. 
When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has JDOM 1.x or 2.x jar in the classpath, an attacker can send a specifically crafted JSON message that allows them to read arbitrary local files on the server.MLISThttps://lists.apache.org/thread.html/940b4c3fef002461b89a050935337056d4a036a65ef68e0bbd4621ef@%3Cdev.struts.apache.org%3E[struts-dev] 20190908 Build failed in Jenkins: Struts-master-JDK8-dependency-check #204MLISThttps://lists.apache.org/thread.html/129da0204c876f746636018751a086cc581e0e07bcdeb3ee22ff5731@%3Cdev.zookeeper.apache.org%3E[zookeeper-dev] 20190623 [jira] [Created] (ZOOKEEPER-3441) OWASP is flagging jackson-databind-2.9.9.jar for CVE-2019-12814MLISThttps://lists.apache.org/thread.html/b0a2b2cca072650dbd5882719976c3d353972c44f6736ddf0ba95209@%3Cissues.zookeeper.apache.org%3E[zookeeper-issues] 20190713 [jira] [Updated] (ZOOKEEPER-3441) OWASP is flagging jackson-databind-2.9.9.jar for CVE-2019-12814MLISThttps://lists.apache.org/thread.html/8fe2983f6d9fee0aa737e4bd24483f8f5cf9b938b9adad0c4e79b2a4@%3Cnotifications.zookeeper.apache.org%3E[zookeeper-notifications] 20190624 [GitHub] [zookeeper] eolivelli commented on issue #1001: ZOOKEEPER-3441 OWASP is flagging jackson-databind-2.9.9.jar for CVE-2019-12814MLISThttps://lists.apache.org/thread.html/34717424b4d08b74f65c09a083d6dd1cb0763f37a15d6de135998c1d@%3Cdev.tomee.apache.org%3E[tomee-dev] 20190905 [GitHub] [tomee] rzo1 opened a new pull request #549: [TOMEE-2655] [7.1.x] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and CVE-2019-14439REDHAThttps://access.redhat.com/errata/RHSA-2019:2858RHSA-2019:2858REDHAThttps://access.redhat.com/errata/RHSA-2019:2935RHSA-2019:2935MLISThttps://lists.apache.org/thread.html/5ecc333113b139429f4f05000d4aa2886974d4df3269c1dd990bb319@%3Cdev.tomee.apache.org%3E[tomee-dev] 20190906 [GitHub] [tomee] rzo1 commented on issue #549: [TOMEE-2655] 
[7.1.x] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and CVE-2019-14439FEDORAhttps://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TXRVXNRFHJSQWFHPRJQRI5UPMZ63B544/FEDORA-2019-fb23eccc03MLISThttps://lists.apache.org/thread.html/0d4b630d9ee724aee50703397d9d1afa2b2befc9395ba7797d0ccea9@%3Cdev.tomee.apache.org%3E[tomee-dev] 20190905 [GitHub] [tomee] asf-ci commented on issue #549: [TOMEE-2655] [7.1.x] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and CVE-2019-14439REDHAThttps://access.redhat.com/errata/RHSA-2019:2937RHSA-2019:2937MLISThttps://lists.apache.org/thread.html/bf20574dbc2db255f1fd489942b5720f675e32a2c4f44eb6a36060cd@%3Ccommits.accumulo.apache.org%3E[accumulo-commits] 20190723 [accumulo] branch 2.0 updated: Fix CVE-2019-12814 Use jackson-databind 2.9.9.1FEDORAhttps://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OVRZDN2T6AZ6DJCZJ3VSIQIVHBVMVWBL/FEDORA-2019-ae6a703b8fMLISThttps://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3@%3Ccommits.nifi.apache.org%3E[nifi-commits] 20191113 svn commit: r1869773 - /nifi/site/trunk/security.htmlMLISThttps://lists.apache.org/thread.html/87e46591de8925f719664a845572d184027258c5a7af0a471b53c77b@%3Cdev.tomee.apache.org%3E[tomee-dev] 20190909 [GitHub] [tomee] jgallimore merged pull request #548: [TOMEE-2655] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and CVE-2019-14439FEDORAhttps://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UKUALE2TUCKEKOHE2D342PQXN4MWCSLC/FEDORA-2019-99ff6aa32cMLISThttps://lists.apache.org/thread.html/b148fa2e9ef468c4de00de255dd728b74e2a97d935f8ced31eb41ba2@%3Cnotifications.zookeeper.apache.org%3E[zookeeper-notifications] 20190710 [GitHub] [zookeeper] phunt closed pull request #1013: ZOOKEEPER-3441: 
OWASP is flagging jackson-databind-2.9.9.jar for CVE-2019-12814REDHAThttps://access.redhat.com/errata/RHSA-2019:3200RHSA-2019:3200MLISThttps://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E[drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilitiesMLISThttps://lists.apache.org/thread.html/a3ae8a8c5e32c413cd27071d3a204166050bf79ce7f1299f6866338f@%3Cissues.zookeeper.apache.org%3E[zookeeper-issues] 20190708 [jira] [Commented] (ZOOKEEPER-3441) OWASP is flagging jackson-databind-2.9.9.jar for CVE-2019-12814MLISThttps://lists.apache.org/thread.html/4b832d1327703d6b287a6d223307f8f884d798821209a10647e93324@%3Cnotifications.zookeeper.apache.org%3E[zookeeper-notifications] 20190624 [GitHub] [zookeeper] eolivelli closed pull request #1001: ZOOKEEPER-3441 OWASP is flagging jackson-databind-2.9.9.jar for CVE-2019-12814MLISThttps://lists.apache.org/thread.html/a78239b1f11cddfa86e4edee19064c40b6272214630bfef070c37957@%3Cissues.zookeeper.apache.org%3E[zookeeper-issues] 20190623 [jira] [Updated] (ZOOKEEPER-3441) OWASP is flagging jackson-databind-2.9.9.jar for CVE-2019-12814REDHAThttps://access.redhat.com/errata/RHSA-2019:3044RHSA-2019:3044REDHAThttps://access.redhat.com/errata/RHSA-2019:3297RHSA-2019:3297REDHAThttps://access.redhat.com/errata/RHSA-2019:3046RHSA-2019:3046REDHAThttps://access.redhat.com/errata/RHSA-2019:3149RHSA-2019:3149MLISThttps://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E[drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilitiesCONFIRMhttps://security.netapp.com/advisory/ntap-20190625-0006/https://security.netapp.com/advisory/ntap-20190625-0006/MLISThttps://lists.apache.org/thread.html/a62aa2706105d68f1c02023fe24aaa3c13b4d8a1826181fed07d9682@%3Cnotifications.zookeeper.apache.org%3E[zookeeper-notifications] 20190624 [GitHub] [zookeeper] phunt 
commented on a change in pull request #1001: ZOOKEEPER-3441 OWASP is flagging jackson-databind-2.9.9.jar for CVE-2019-12814MLISThttps://lists.apache.org/thread.html/28be28ffd6471d230943a255c36fe196a54ef5afc494a4781d16e37c@%3Cissues.zookeeper.apache.org%3E[zookeeper-issues] 20190712 [jira] [Resolved] (ZOOKEEPER-3441) OWASP is flagging jackson-databind-2.9.9.jar for CVE-2019-12814MISChttps://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.htmlhttps://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.htmlMLISThttps://lists.apache.org/thread.html/eff7280055fc717ea8129cd28a9dd57b8446d00b36260c1caee10b87@%3Cnotifications.zookeeper.apache.org%3E[zookeeper-notifications] 20190710 [GitHub] [zookeeper] phunt opened a new pull request #1013: ZOOKEEPER-3441: OWASP is flagging jackson-databind-2.9.9.jar for CVE-2019-12814MLISThttps://lists.debian.org/debian-lts-announce/2019/06/msg00019.html[debian-lts-announce] 20190621 [SECURITY] [DLA 1831-1] jackson-databind security updateMLISThttps://lists.apache.org/thread.html/e0733058c0366b703e6757d8d2a7a04b943581f659e9c271f0841dfe@%3Cnotifications.geode.apache.org%3E[geode-notifications] 20191007 [GitHub] [geode] jmelchio commented on issue #4102: Fix for GEODE-7255: Pickup Jackson CVE fixREDHAThttps://access.redhat.com/errata/RHSA-2019:3292RHSA-2019:3292REDHAThttps://access.redhat.com/errata/RHSA-2019:2936RHSA-2019:2936MLISThttps://lists.apache.org/thread.html/ee0a051428d2c719acfa297d0854a189ea5e284ef3ed491fa672f4be@%3Cdev.tomee.apache.org%3E[tomee-dev] 20190905 [GitHub] [tomee] robert-schaft-hon commented on issue #549: [TOMEE-2655] [7.1.x] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and 
CVE-2019-14439REDHAThttps://access.redhat.com/errata/RHSA-2019:3050RHSA-2019:3050REDHAThttps://access.redhat.com/errata/RHSA-2019:2938RHSA-2019:2938CONFIRMhttps://github.com/FasterXML/jackson-databind/issues/2341https://github.com/FasterXML/jackson-databind/issues/2341MLISThttps://lists.apache.org/thread.html/3f99ae8dcdbd69438cb733d745ee3ad5e852068490719a66509b4592@%3Ccommits.cassandra.apache.org%3E[cassandra-commits] 20190919 [jira] [Created] (CASSANDRA-15328) Bump jackson version to >= 2.9.9.3 to address security vulnerabilitiesMLISThttps://lists.apache.org/thread.html/15a55e1d837fa686db493137cc0330c7ee1089ed9a9eea7ae7151ef1@%3Cissues.zookeeper.apache.org%3E[zookeeper-issues] 20190623 [jira] [Created] (ZOOKEEPER-3441) OWASP is flagging jackson-databind-2.9.9.jar for CVE-2019-12814MLISThttps://lists.apache.org/thread.html/71f9ffd92410a889e27b95a219eaa843fd820f8550898633d85d4ea3@%3Cissues.zookeeper.apache.org%3E[zookeeper-issues] 20190712 [jira] [Assigned] (ZOOKEEPER-3441) OWASP is flagging jackson-databind-2.9.9.jar for CVE-2019-12814MLISThttps://lists.apache.org/thread.html/2ff264b6a94c5363a35c4c88fa93216f60ec54d1d973ed6b76a9f560@%3Cissues.zookeeper.apache.org%3E[zookeeper-issues] 20190712 [jira] [Commented] (ZOOKEEPER-3441) OWASP is flagging jackson-databind-2.9.9.jar for CVE-2019-12814OSSINDEXhttps://ossindex.sonatype.org/vuln/3e008100-e0d4-45bf-afd2-9d5e9b13efa7[CVE-2019-12814] Information ExposureMISChttps://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.htmlhttps://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.htmlMLISThttps://lists.apache.org/thread.html/2d2a76440becb610b9a9cb49b15eac3934b02c2dbcaacde1000353e4@%3Cdev.tomee.apache.org%3E[tomee-dev] 20190905 [GitHub] [tomee] rzo1 opened a new pull request #548: [TOMEE-2655] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and 
CVE-2019-14439MLISThttps://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E[drill-issues] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilitiesREDHAThttps://access.redhat.com/errata/RHSA-2019:3045RHSA-2019:3045MLISThttps://lists.apache.org/thread.html/5fc0e16b7af2590bf1e97c76c136291c4fdb244ee63c65c485c9a7a1@%3Cdev.tomee.apache.org%3E[tomee-dev] 20190909 [GitHub] [tomee] jgallimore merged pull request #549: [TOMEE-2655] [7.1.x] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and CVE-2019-14439MLISThttps://lists.apache.org/thread.html/1e04d9381c801b31ab28dec813c31c304b2a596b2a3707fa5462c5c0@%3Cnotifications.zookeeper.apache.org%3E[zookeeper-notifications] 20190623 [GitHub] [zookeeper] eolivelli opened a new pull request #1001: ZOOKEEPER-3441 OWASP is flagging jackson-databind-2.9.9.jar for CVE-2019-12814MLISThttps://lists.apache.org/thread.html/56c8042873595b8c863054c7bfccab4bf2c01c6f5abedae249d914b9@%3Cdev.tomee.apache.org%3E[tomee-dev] 20190905 [GitHub] [tomee] asf-ci commented on issue #548: [TOMEE-2655] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and CVE-2019-14439cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*CVE-2019-14379CRITICAL7.5NETWORKLOWNONEPARTIALPARTIALPARTIALHIGH9.8NETWORKLOWNONENONEUNCHANGEDHIGHHIGHHIGHCRITICALCWE-20SubTypeValidator.java in FasterXML jackson-databind before 2.9.9.2 mishandles default typing when ehcache is used (because of net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup), leading to remote code execution.MLISThttps://lists.apache.org/thread.html/940b4c3fef002461b89a050935337056d4a036a65ef68e0bbd4621ef@%3Cdev.struts.apache.org%3E[struts-dev] 20190908 Build failed in Jenkins: 
Struts-master-JDK8-dependency-check #204MLISThttps://lists.apache.org/thread.html/99944f86abefde389da9b4040ea2327c6aa0b53a2ff9352bd4cfec17@%3Cissues.iceberg.apache.org%3E[iceberg-issues] 20191010 [GitHub] [incubator-iceberg] rdblue closed pull request #533: Update Jackson to 2.9.10 for CVE-2019-14379MLISThttps://lists.apache.org/thread.html/f17f63b0f8a57e4a5759e01d25cffc0548f0b61ff5c6bfd704ad2f2a@%3Ccommits.ambari.apache.org%3E[ambari-commits] 20190813 [ambari] branch trunk updated: AMBARI-25352 : Upgrade fasterxml jackson dependency due to CVE-2019-14379(trunk) (#3067)MLISThttps://lists.apache.org/thread.html/34717424b4d08b74f65c09a083d6dd1cb0763f37a15d6de135998c1d@%3Cdev.tomee.apache.org%3E[tomee-dev] 20190905 [GitHub] [tomee] rzo1 opened a new pull request #549: [TOMEE-2655] [7.1.x] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and CVE-2019-14439REDHAThttps://access.redhat.com/errata/RHSA-2019:2858RHSA-2019:2858REDHAThttps://access.redhat.com/errata/RHSA-2019:2935RHSA-2019:2935MLISThttps://lists.apache.org/thread.html/5ecc333113b139429f4f05000d4aa2886974d4df3269c1dd990bb319@%3Cdev.tomee.apache.org%3E[tomee-dev] 20190906 [GitHub] [tomee] rzo1 commented on issue #549: [TOMEE-2655] [7.1.x] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and CVE-2019-14439FEDORAhttps://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TXRVXNRFHJSQWFHPRJQRI5UPMZ63B544/FEDORA-2019-fb23eccc03MLISThttps://lists.apache.org/thread.html/0d4b630d9ee724aee50703397d9d1afa2b2befc9395ba7797d0ccea9@%3Cdev.tomee.apache.org%3E[tomee-dev] 20190905 [GitHub] [tomee] asf-ci commented on issue #549: [TOMEE-2655] [7.1.x] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and 
CVE-2019-14439REDHAThttps://access.redhat.com/errata/RHSA-2019:2937RHSA-2019:2937FEDORAhttps://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OVRZDN2T6AZ6DJCZJ3VSIQIVHBVMVWBL/FEDORA-2019-ae6a703b8fOSSINDEXhttps://ossindex.sonatype.org/vuln/e5794172-1257-4372-9baf-7b87307a3cc9[CVE-2019-14379] SubTypeValidator.java in FasterXML jackson-databind before 2.9.9.2 mishandles de...MLISThttps://lists.apache.org/thread.html/87e46591de8925f719664a845572d184027258c5a7af0a471b53c77b@%3Cdev.tomee.apache.org%3E[tomee-dev] 20190909 [GitHub] [tomee] jgallimore merged pull request #548: [TOMEE-2655] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and CVE-2019-14439FEDORAhttps://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UKUALE2TUCKEKOHE2D342PQXN4MWCSLC/FEDORA-2019-99ff6aa32cMLISThttps://lists.apache.org/thread.html/2766188be238a446a250ef76801037d452979152d85bce5e46805815@%3Cissues.iceberg.apache.org%3E[iceberg-issues] 20191010 [GitHub] [incubator-iceberg] rdblue commented on issue #535: Update Jackson to 2.9.10 for CVE-2019-14379REDHAThttps://access.redhat.com/errata/RHSA-2019:3200RHSA-2019:3200MLISThttps://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E[drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilitiesREDHAThttps://access.redhat.com/errata/RHSA-2019:3044RHSA-2019:3044REDHAThttps://access.redhat.com/errata/RHSA-2019:3297RHSA-2019:3297MLISThttps://lists.apache.org/thread.html/525bcf949a4b0da87a375cbad2680b8beccde749522f24c49befe7fb@%3Ccommits.pulsar.apache.org%3E[pulsar-commits] 20190822 [GitHub] [pulsar] massakam opened a new pull request #5011: [security] Upgrade 
jackson-databindREDHAThttps://access.redhat.com/errata/RHSA-2019:3046RHSA-2019:3046REDHAThttps://access.redhat.com/errata/RHSA-2019:3149RHSA-2019:3149MLISThttps://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E[drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilitiesCONFIRMhttps://security.netapp.com/advisory/ntap-20190814-0001/https://security.netapp.com/advisory/ntap-20190814-0001/REDHAThttps://access.redhat.com/errata/RHSA-2019:3901RHSA-2019:3901MISChttps://github.com/FasterXML/jackson-databind/compare/jackson-databind-2.9.9.1...jackson-databind-2.9.9.2https://github.com/FasterXML/jackson-databind/compare/jackson-databind-2.9.9.1...jackson-databind-2.9.9.2MLISThttps://lists.debian.org/debian-lts-announce/2019/08/msg00011.html[debian-lts-announce] 20190812 [SECURITY] [DLA 1879-1] jackson-databind security updateREDHAThttps://access.redhat.com/errata/RHSA-2019:3292RHSA-2019:3292REDHAThttps://access.redhat.com/errata/RHSA-2019:2936RHSA-2019:2936MISChttps://github.com/FasterXML/jackson-databind/issues/2387https://github.com/FasterXML/jackson-databind/issues/2387MLISThttps://lists.apache.org/thread.html/ee0a051428d2c719acfa297d0854a189ea5e284ef3ed491fa672f4be@%3Cdev.tomee.apache.org%3E[tomee-dev] 20190905 [GitHub] [tomee] robert-schaft-hon commented on issue #549: [TOMEE-2655] [7.1.x] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and CVE-2019-14439MLISThttps://lists.apache.org/thread.html/d161ff3d59c5a8213400dd6afb1cce1fac4f687c32d1e0c0bfbfaa2d@%3Cissues.iceberg.apache.org%3E[iceberg-issues] 20191010 [GitHub] [incubator-iceberg] rdblue commented on issue #533: Update Jackson to 2.9.10 for 
CVE-2019-14379 (remaining references and vulnerable software)
  References:
    - REDHAT: https://access.redhat.com/errata/RHSA-2019:3050 (RHSA-2019:3050)
    - REDHAT: https://access.redhat.com/errata/RHSA-2019:2938 (RHSA-2019:2938)
    - MLIST: https://lists.apache.org/thread.html/75f482fdc84abe6d0c8f438a76437c335a7bbeb5cddd4d70b4bc0cbf@%3Cissues.iceberg.apache.org%3E ([iceberg-issues] 20191010 [GitHub] [incubator-iceberg] mccheah commented on issue #535: Update Jackson to 2.9.10 for CVE-2019-14379)
    - REDHAT: https://access.redhat.com/errata/RHBA-2019:2824 (RHBA-2019:2824)
    - REDHAT: https://access.redhat.com/errata/RHSA-2019:2743 (RHSA-2019:2743)
    - REDHAT: https://access.redhat.com/errata/RHSA-2019:2998 (RHSA-2019:2998)
    - MLIST: https://lists.apache.org/thread.html/e25e734c315f70d8876a846926cfe3bfa1a4888044f146e844caf72f@%3Ccommits.ambari.apache.org%3E ([ambari-commits] 20190813 [ambari] branch branch-2.7 updated: AMBARI-25352 : Upgrade fasterxml jackson dependency due to CVE-2019-14379 (#3066))
    - MLIST: https://lists.apache.org/thread.html/8723b52c2544e6cb804bc8a36622c584acd1bd6c53f2b6034c9fea54@%3Cissues.iceberg.apache.org%3E ([iceberg-issues] 20191010 [GitHub] [incubator-iceberg] rdblue merged pull request #535: Update Jackson to 2.9.10 for CVE-2019-14379)
    - MISC: https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
    - MLIST: https://lists.apache.org/thread.html/2d2a76440becb610b9a9cb49b15eac3934b02c2dbcaacde1000353e4@%3Cdev.tomee.apache.org%3E ([tomee-dev] 20190905 [GitHub] [tomee] rzo1 opened a new pull request #548: [TOMEE-2655] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and CVE-2019-14439)
    - MLIST: https://lists.apache.org/thread.html/0fcef7321095ce0bc597d468d150cff3d647f4cb3aef3bd4d20e1c69@%3Ccommits.tinkerpop.apache.org%3E ([tinkerpop-commits] 20190924 [GitHub] [tinkerpop] justinchuch opened a new pull request #1200: Upgrade jackson due to CVE issues)
    - MLIST: https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E ([drill-issues] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities)
    - MLIST: https://lists.apache.org/thread.html/689c6bcc6c7612eee71e453a115a4c8581e7b718537025d4b265783d@%3Cissues.iceberg.apache.org%3E ([iceberg-issues] 20191010 [GitHub] [incubator-iceberg] mccheah opened a new pull request #535: Update Jackson to 2.9.10 for CVE-2019-14379)
    - MLIST: https://lists.apache.org/thread.html/6788e4c991f75b89d290ad06b463fcd30bcae99fee610345a35b7bc6@%3Cissues.iceberg.apache.org%3E ([iceberg-issues] 20191027 [GitHub] [incubator-iceberg] rdsr commented on issue #535: Update Jackson to 2.9.10 for CVE-2019-14379)
    - REDHAT: https://access.redhat.com/errata/RHSA-2019:3045 (RHSA-2019:3045)
    - MLIST: https://lists.apache.org/thread.html/5fc0e16b7af2590bf1e97c76c136291c4fdb244ee63c65c485c9a7a1@%3Cdev.tomee.apache.org%3E ([tomee-dev] 20190909 [GitHub] [tomee] jgallimore merged pull request #549: [TOMEE-2655] [7.1.x] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and CVE-2019-14439)
    - MLIST: https://lists.apache.org/thread.html/859815b2e9f1575acbb2b260b73861c16ca49bca627fa0c46419051f@%3Cissues.iceberg.apache.org%3E ([iceberg-issues] 20191010 [GitHub] [incubator-iceberg] rdblue opened a new pull request #533: Update Jackson to 2.9.10 for CVE-2019-14379)
    - MLIST: https://lists.apache.org/thread.html/56c8042873595b8c863054c7bfccab4bf2c01c6f5abedae249d914b9@%3Cdev.tomee.apache.org%3E ([tomee-dev] 20190905 [GitHub] [tomee] asf-ci commented on issue #548: [TOMEE-2655] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and CVE-2019-14439)
  Vulnerable software (CPE):
    - cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:* (3 entries)
    - cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:*
    - cpe:2.3:a:netapp:snapcenter:-:*:*:*:*:*:*:*

CVE-2019-14439
  Severity: HIGH
  CVSS v2: 5.0 (AV:NETWORK, AC:LOW, Au:NONE, C:PARTIAL, I:PARTIAL, A:NONE; severity MEDIUM)
  CVSS v3: 7.5 (AV:NETWORK, AC:LOW, PR:NONE, UI:NONE, S:UNCHANGED, C:HIGH, I:NONE, A:NONE; base severity HIGH)
  CWE: CWE-200
  Description: A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9.2. This occurs when Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the logback jar in the classpath.
  References:
    - MLIST: https://lists.apache.org/thread.html/940b4c3fef002461b89a050935337056d4a036a65ef68e0bbd4621ef@%3Cdev.struts.apache.org%3E ([struts-dev] 20190908 Build failed in Jenkins: Struts-master-JDK8-dependency-check #204)
    - MLIST: https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E ([drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities)
    - CONFIRM: https://security.netapp.com/advisory/ntap-20190814-0001/
    - MLIST: https://lists.apache.org/thread.html/34717424b4d08b74f65c09a083d6dd1cb0763f37a15d6de135998c1d@%3Cdev.tomee.apache.org%3E ([tomee-dev] 20190905 [GitHub] [tomee] rzo1 opened a new pull request #549: [TOMEE-2655] [7.1.x] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and CVE-2019-14439)
    - MISC: https://github.com/FasterXML/jackson-databind/compare/jackson-databind-2.9.9.1...jackson-databind-2.9.9.2
    - MLIST: https://lists.debian.org/debian-lts-announce/2019/08/msg00011.html ([debian-lts-announce] 20190812 [SECURITY] [DLA 1879-1] jackson-databind security update)
    - MLIST: https://lists.apache.org/thread.html/5ecc333113b139429f4f05000d4aa2886974d4df3269c1dd990bb319@%3Cdev.tomee.apache.org%3E ([tomee-dev] 20190906 [GitHub] [tomee] rzo1 commented on issue #549: [TOMEE-2655] [7.1.x] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and CVE-2019-14439)
    - FEDORA: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TXRVXNRFHJSQWFHPRJQRI5UPMZ63B544/ (FEDORA-2019-fb23eccc03)
    - OSSINDEX: https://ossindex.sonatype.org/vuln/ac9dce23-7b35-4691-b05e-a68f58d48b8c ([CVE-2019-14439] A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x befo...)
    - MLIST: https://lists.apache.org/thread.html/ee0a051428d2c719acfa297d0854a189ea5e284ef3ed491fa672f4be@%3Cdev.tomee.apache.org%3E ([tomee-dev] 20190905 [GitHub] [tomee] robert-schaft-hon commented on issue #549: [TOMEE-2655] [7.1.x] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and CVE-2019-14439)
    - MLIST: https://lists.apache.org/thread.html/0d4b630d9ee724aee50703397d9d1afa2b2befc9395ba7797d0ccea9@%3Cdev.tomee.apache.org%3E ([tomee-dev] 20190905 [GitHub] [tomee] asf-ci commented on issue #549: [TOMEE-2655] [7.1.x] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and CVE-2019-14439)
    - MLIST: https://lists.apache.org/thread.html/3f99ae8dcdbd69438cb733d745ee3ad5e852068490719a66509b4592@%3Ccommits.cassandra.apache.org%3E ([cassandra-commits] 20190919 [jira] [Created] (CASSANDRA-15328) Bump jackson version to >= 2.9.9.3 to address security vulnerabilities)
    - FEDORA: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OVRZDN2T6AZ6DJCZJ3VSIQIVHBVMVWBL/ (FEDORA-2019-ae6a703b8f)
    - MISC: https://github.com/FasterXML/jackson-databind/issues/2389
    - MLIST: https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3@%3Ccommits.nifi.apache.org%3E ([nifi-commits] 20191113 svn commit: r1869773 - /nifi/site/trunk/security.html)
    - DEBIAN: https://www.debian.org/security/2019/dsa-4542 (DSA-4542)
    - MISC: https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
    - MLIST: https://lists.apache.org/thread.html/2d2a76440becb610b9a9cb49b15eac3934b02c2dbcaacde1000353e4@%3Cdev.tomee.apache.org%3E ([tomee-dev] 20190905 [GitHub] [tomee] rzo1 opened a new pull request #548: [TOMEE-2655] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and CVE-2019-14439)
    - MLIST: https://lists.apache.org/thread.html/87e46591de8925f719664a845572d184027258c5a7af0a471b53c77b@%3Cdev.tomee.apache.org%3E ([tomee-dev] 20190909 [GitHub] [tomee] jgallimore merged pull request #548: [TOMEE-2655] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and CVE-2019-14439)
    - MLIST: https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E ([drill-issues] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities)
    - REDHAT: https://access.redhat.com/errata/RHSA-2019:3200 (RHSA-2019:3200)
    - MISC: https://github.com/FasterXML/jackson-databind/commit/ad418eeb974e357f2797aef64aa0e3ffaaa6125b
    - MLIST: https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E ([drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities)
    - MLIST: https://lists.apache.org/thread.html/5fc0e16b7af2590bf1e97c76c136291c4fdb244ee63c65c485c9a7a1@%3Cdev.tomee.apache.org%3E ([tomee-dev] 20190909 [GitHub] [tomee] jgallimore merged pull request #549: [TOMEE-2655] [7.1.x] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and CVE-2019-14439)
    - BUGTRAQ: https://seclists.org/bugtraq/2019/Oct/6 (20191007 [SECURITY] [DSA 4542-1] jackson-databind security update)
    - MLIST: https://lists.apache.org/thread.html/56c8042873595b8c863054c7bfccab4bf2c01c6f5abedae249d914b9@%3Cdev.tomee.apache.org%3E ([tomee-dev] 20190905 [GitHub] [tomee] asf-ci commented on issue #548: [TOMEE-2655] Updates jackson-databind to 2.9.9.3 to mitigate CVE-2019-12384, CVE-2019-12814, CVE-2019-14379 and CVE-2019-14439)
  Vulnerable software (CPE):
    - cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:* (3 entries)

CVE-2019-14540
  Severity: HIGH
  CVSS v2: 7.5 (AV:NETWORK, AC:LOW, Au:NONE, C:PARTIAL, I:PARTIAL, A:PARTIAL; severity HIGH)
  CWE: CWE-20
  Description: A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariConfig.
  References:
    - MLIST: https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E ([drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities)
    - FEDORA: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TH5VFUN4P7CCIP7KSEXYA5MUTFCUDUJT/ (FEDORA-2019-b171554877)
    - MLIST: https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3@%3Ccommits.nifi.apache.org%3E ([nifi-commits] 20191113 svn commit: r1869773 - /nifi/site/trunk/security.html)
    - DEBIAN: https://www.debian.org/security/2019/dsa-4542 (DSA-4542)
    - MISC: https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
    - FEDORA: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Q7CANA7KV53JROZDX5Z5P26UG5VN2K43/ (FEDORA-2019-cf87377f5f)
    - MLIST: https://lists.apache.org/thread.html/dc6b5cad721a4f6b3b62ed1163894941140d9d5656140fb757505ca0@%3Cissues.hbase.apache.org%3E ([hbase-issues] 20190926 [jira] [Updated] (HBASE-23075) Upgrade jackson to version 2.9.10 due to CVE-2019-16335 and CVE-2019-14540)
    - MLIST: https://lists.apache.org/thread.html/0fcef7321095ce0bc597d468d150cff3d647f4cb3aef3bd4d20e1c69@%3Ccommits.tinkerpop.apache.org%3E ([tinkerpop-commits] 20190924 [GitHub] [tinkerpop] justinchuch opened a new pull request #1200: Upgrade jackson due to CVE issues)
    - OSSINDEX: https://ossindex.sonatype.org/vuln/fc1e8802-77e5-458f-b987-eb778c6ac2fc ([CVE-2019-14540] A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2...)
    - MLIST: https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E ([drill-issues] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities)
    - MLIST: https://lists.apache.org/thread.html/a360b46061c91c5cad789b6c3190aef9b9f223a2b75c9c9f046fe016@%3Cissues.hbase.apache.org%3E ([hbase-issues] 20190926 [GitHub] [hbase-connectors] SteNicholas opened a new pull request #45: HBASE-23075 Upgrade jackson version)
    - REDHAT: https://access.redhat.com/errata/RHSA-2019:3200 (RHSA-2019:3200)
    - CONFIRM: https://security.netapp.com/advisory/ntap-20191004-0002/
    - MISC: https://github.com/FasterXML/jackson-databind/issues/2449
    - CONFIRM: https://github.com/FasterXML/jackson-databind/blob/master/release-notes/VERSION-2.x
    - MLIST: https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E ([drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities)
    - MLIST: https://lists.apache.org/thread.html/ad0d238e97a7da5eca47a014f0f7e81f440ed6bf74a93183825e18b9@%3Cissues.hbase.apache.org%3E ([hbase-issues] 20190926 [jira] [Commented] (HBASE-23075) Upgrade jackson to version 2.9.10 due to CVE-2019-16335 and CVE-2019-14540)
    - MLIST: https://lists.debian.org/debian-lts-announce/2019/10/msg00001.html ([debian-lts-announce] 20191002 [SECURITY] [DLA 1943-1] jackson-databind security update)
    - MLIST: https://lists.apache.org/thread.html/e90c3feb21702e68a8c08afce37045adb3870f2bf8223fa403fb93fb@%3Ccommits.hbase.apache.org%3E ([hbase-commits] 20190927 [hbase-connectors] 02/02: HBASE-23075 Upgrade jackson to version 2.9.10 due to CVE-2019-16335 and CVE-2019-14540)
    - MLIST: https://lists.apache.org/thread.html/a4f2c9fb36642a48912cdec6836ec00e497427717c5d377f8d7ccce6@%3Cnotifications.zookeeper.apache.org%3E ([zookeeper-notifications] 20190925 [GitHub] [zookeeper] maoling commented on issue #1097: ZOOKEEPER-3559 - Update Jackson to 2.9.10)
    - MISC: https://github.com/FasterXML/jackson-databind/issues/2410
    - BUGTRAQ: https://seclists.org/bugtraq/2019/Oct/6 (20191007 [SECURITY] [DSA 4542-1] jackson-databind security update)
    - MLIST: https://lists.apache.org/thread.html/40c00861b53bb611dee7d6f35f864aa7d1c1bd77df28db597cbf27e1@%3Cissues.hbase.apache.org%3E ([hbase-issues] 20190925 [GitHub] [hbase] SteNicholas opened a new pull request #660: HBASE-23075 Upgrade jackson version)
  Vulnerable software (CPE):
    - cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*

CVE-2019-16335
  Severity: HIGH
  CVSS v2: 7.5 (AV:NETWORK, AC:LOW, Au:NONE, C:PARTIAL, I:PARTIAL, A:PARTIAL; severity HIGH)
  CWE: CWE-20
  Description: A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariDataSource. This is a different vulnerability than CVE-2019-14540.
  References:
    - MLIST: https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E ([drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities)
    - FEDORA: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TH5VFUN4P7CCIP7KSEXYA5MUTFCUDUJT/ (FEDORA-2019-b171554877)
    - MLIST: https://lists.apache.org/thread.html/bcce5a9c532b386c68dab2f6b3ce8b0cc9b950ec551766e76391caa3@%3Ccommits.nifi.apache.org%3E ([nifi-commits] 20191113 svn commit: r1869773 - /nifi/site/trunk/security.html)
    - DEBIAN: https://www.debian.org/security/2019/dsa-4542 (DSA-4542)
    - OSSINDEX: https://ossindex.sonatype.org/vuln/3242fdc1-bfe9-46a6-af0c-0b8f57f56eb7 ([CVE-2019-16335] A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2...)
    - MISC: https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
    - FEDORA: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Q7CANA7KV53JROZDX5Z5P26UG5VN2K43/ (FEDORA-2019-cf87377f5f)
    - MLIST: https://lists.apache.org/thread.html/dc6b5cad721a4f6b3b62ed1163894941140d9d5656140fb757505ca0@%3Cissues.hbase.apache.org%3E ([hbase-issues] 20190926 [jira] [Updated] (HBASE-23075) Upgrade jackson to version 2.9.10 due to CVE-2019-16335 and CVE-2019-14540)
    - MLIST: https://lists.apache.org/thread.html/0fcef7321095ce0bc597d468d150cff3d647f4cb3aef3bd4d20e1c69@%3Ccommits.tinkerpop.apache.org%3E ([tinkerpop-commits] 20190924 [GitHub] [tinkerpop] justinchuch opened a new pull request #1200: Upgrade jackson due to CVE issues)
    - MLIST: https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E ([drill-issues] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities)
    - MLIST: https://lists.apache.org/thread.html/a360b46061c91c5cad789b6c3190aef9b9f223a2b75c9c9f046fe016@%3Cissues.hbase.apache.org%3E ([hbase-issues] 20190926 [GitHub] [hbase-connectors] SteNicholas opened a new pull request #45: HBASE-23075 Upgrade jackson version)
    - REDHAT: https://access.redhat.com/errata/RHSA-2019:3200 (RHSA-2019:3200)
    - CONFIRM: https://security.netapp.com/advisory/ntap-20191004-0002/
    - MISC: https://github.com/FasterXML/jackson-databind/issues/2449
    - MLIST: https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E ([drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities)
    - MLIST: https://lists.apache.org/thread.html/ad0d238e97a7da5eca47a014f0f7e81f440ed6bf74a93183825e18b9@%3Cissues.hbase.apache.org%3E ([hbase-issues] 20190926 [jira] [Commented] (HBASE-23075) Upgrade jackson to version 2.9.10 due to CVE-2019-16335 and CVE-2019-14540)
    - MLIST: https://lists.debian.org/debian-lts-announce/2019/10/msg00001.html ([debian-lts-announce] 20191002 [SECURITY] [DLA 1943-1] jackson-databind security update)
    - MLIST: https://lists.apache.org/thread.html/e90c3feb21702e68a8c08afce37045adb3870f2bf8223fa403fb93fb@%3Ccommits.hbase.apache.org%3E ([hbase-commits] 20190927 [hbase-connectors] 02/02: HBASE-23075 Upgrade jackson to version 2.9.10 due to CVE-2019-16335 and CVE-2019-14540)
    - BUGTRAQ: https://seclists.org/bugtraq/2019/Oct/6 (20191007 [SECURITY] [DSA 4542-1] jackson-databind security update)
    - MLIST: https://lists.apache.org/thread.html/40c00861b53bb611dee7d6f35f864aa7d1c1bd77df28db597cbf27e1@%3Cissues.hbase.apache.org%3E ([hbase-issues] 20190925 [GitHub] [hbase] SteNicholas opened a new pull request #660: HBASE-23075 Upgrade jackson version)
  Vulnerable software (CPE):
    - cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*

CVE-2019-16942
  Severity: HIGH
  CVSS v2: 7.5 (AV:NETWORK, AC:LOW, Au:NONE, C:PARTIAL, I:PARTIAL, A:PARTIAL; severity HIGH)
  CWE: CWE-20
  Description: A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the commons-dbcp (1.4) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of org.apache.commons.dbcp.datasources.SharedPoolDataSource and org.apache.commons.dbcp.datasources.PerUserPoolDataSource mishandling.
  References:
    - MISC: https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062
    - MLIST: https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E ([drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities)
    - CONFIRM: https://security.netapp.com/advisory/ntap-20191017-0006/
    - FEDORA: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TH5VFUN4P7CCIP7KSEXYA5MUTFCUDUJT/ (FEDORA-2019-b171554877)
    - MISC: https://github.com/FasterXML/jackson-databind/issues/2478
    - DEBIAN: https://www.debian.org/security/2019/dsa-4542 (DSA-4542)
    - MLIST: https://lists.apache.org/thread.html/b2e23c94f9dfef53e04c492e5d02e5c75201734be7adc73a49ef2370@%3Cissues.geode.apache.org%3E ([geode-issues] 20191008 [jira] [Commented] (GEODE-7255) Need to pick up CVE-2019-16942)
    - REDHAT: https://access.redhat.com/errata/RHSA-2019:3901 (RHSA-2019:3901)
    - FEDORA: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Q7CANA7KV53JROZDX5Z5P26UG5VN2K43/ (FEDORA-2019-cf87377f5f)
    - MLIST: https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E ([drill-issues] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities)
    - OSSINDEX: https://ossindex.sonatype.org/vuln/07632245-fcef-4eb3-82b6-aadbbfd2b33e ([CVE-2019-16942] A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 th...)
    - MLIST: https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E ([drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities)
    - MLIST: https://lists.apache.org/thread.html/7782a937c9259a58337ee36b2961f00e2d744feafc13084e176d0df5@%3Cissues.geode.apache.org%3E ([geode-issues] 20191011 [jira] [Commented] (GEODE-7255) Need to pick up CVE-2019-16942)
    - MLIST: https://lists.debian.org/debian-lts-announce/2019/10/msg00001.html ([debian-lts-announce] 20191002 [SECURITY] [DLA 1943-1] jackson-databind security update)
    - MISC: https://issues.apache.org/jira/browse/GEODE-7255
    - BUGTRAQ: https://seclists.org/bugtraq/2019/Oct/6 (20191007 [SECURITY] [DSA 4542-1] jackson-databind security update)
  Vulnerable software (CPE):
    - cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*

CVE-2019-16943
  Severity: HIGH
  CVSS v2: 7.5 (AV:NETWORK, AC:LOW, Au:NONE, C:PARTIAL, I:PARTIAL, A:PARTIAL; severity HIGH)
  CWE: CWE-20
  Description: A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the p6spy (3.8.6) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of com.p6spy.engine.spy.P6DataSource mishandling.
  References:
    - MISC: https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062
    - MLIST: https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E ([drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities)
    - CONFIRM: https://security.netapp.com/advisory/ntap-20191017-0006/
    - FEDORA: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TH5VFUN4P7CCIP7KSEXYA5MUTFCUDUJT/ (FEDORA-2019-b171554877)
    - MISC: https://github.com/FasterXML/jackson-databind/issues/2478
    - OSSINDEX: https://ossindex.sonatype.org/vuln/f4f0c103-c9d9-4308-bd8f-489f2a632680 ([CVE-2019-16943] A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 th...)
    - DEBIAN: https://www.debian.org/security/2019/dsa-4542 (DSA-4542)
    - MLIST: https://lists.apache.org/thread.html/5ec8d8d485c2c8ac55ea425f4cd96596ef37312532712639712ebcdd@%3Ccommits.iceberg.apache.org%3E ([iceberg-commits] 20191028 [incubator-iceberg] branch master updated: Update Jackson to 2.10.0 for CVE-2019-16943 (#583))
    - FEDORA: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Q7CANA7KV53JROZDX5Z5P26UG5VN2K43/ (FEDORA-2019-cf87377f5f)
    - MLIST: https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E ([drill-issues] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities)
    - MLIST: https://lists.apache.org/thread.html/6788e4c991f75b89d290ad06b463fcd30bcae99fee610345a35b7bc6@%3Cissues.iceberg.apache.org%3E ([iceberg-issues] 20191027 [GitHub] [incubator-iceberg] rdsr commented on issue #535: Update Jackson to 2.9.10 for CVE-2019-14379)
    - MLIST: https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E ([drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities)
    - MLIST: https://lists.debian.org/debian-lts-announce/2019/10/msg00001.html ([debian-lts-announce] 20191002 [SECURITY] [DLA 1943-1] jackson-databind security update)
    - BUGTRAQ: https://seclists.org/bugtraq/2019/Oct/6 (20191007 [SECURITY] [DSA 4542-1] jackson-databind security update)
  Vulnerable software (CPE):
    - cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*

CVE-2019-17267
  Severity: HIGH
  CVSS v2: 7.5 (AV:NETWORK, AC:LOW, Au:NONE, C:PARTIAL, I:PARTIAL, A:PARTIAL; severity HIGH)
  CWE: CWE-20
  Description: A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup.
  References:
    - MLIST: https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E ([drill-issues] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities)
    - REDHAT: https://access.redhat.com/errata/RHSA-2019:3200 (RHSA-2019:3200)
    - MLIST: https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E ([drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities)
    - CONFIRM: https://security.netapp.com/advisory/ntap-20191017-0006/
    - OSSINDEX: https://ossindex.sonatype.org/vuln/6ce886d0-2dfd-4cef-b9a4-2fb400baf5ef ([CVE-2019-17267] A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2...)
    - MLIST: https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E ([drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities)
    - MISC: https://github.com/FasterXML/jackson-databind/compare/jackson-databind-2.9.9.3...jackson-databind-2.9.10
    - MISC: https://github.com/FasterXML/jackson-databind/issues/2460
  Vulnerable software (CPE):
    - cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*

CVE-2019-17531
  Severity: HIGH
  CVSS v2: 7.5 (AV:NETWORK, AC:LOW, Au:NONE, C:PARTIAL, I:PARTIAL, A:PARTIAL; severity HIGH)
  CWE: CWE-20
  Description: A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a JNDI service to access, it is possible to make the service execute a malicious payload.
  References:
    - MISC: https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062
    - CONFIRM: https://security.netapp.com/advisory/ntap-20191024-0005/
    - MISC: https://github.com/FasterXML/jackson-databind/issues/2498
    - OSSINDEX: https://ossindex.sonatype.org/vuln/ea932c13-011a-4c74-a092-48cd1c49adb4 ([CVE-2019-17531] A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 th...)
  Vulnerable software (CPE):
    - cpe:2.3:a:fasterxml:jackson-databind:*:*:*:*:*:*:*:*

Dependency: jackson-annotations-2.9.0.jar
  File path: /home/user/.m2/repository/com/fasterxml/jackson/core/jackson-annotations/2.9.0/jackson-annotations-2.9.0.jar
  MD5: c09faa1b063681cf45706c6df50685b6
  SHA1: 07c10d545325e3a6e72e06381afe469fd40eb701
  SHA256: 45d32ac61ef8a744b464c54c2b3414be571016dd46bfc2bec226761cf7ae457a
  Description: Core annotations used for value types, used by Jackson data binding package.
  License: http://www.apache.org/licenses/LICENSE-2.0.txt
  Project reference: java-demo-project:compile
  Evidence (vendor):
    - pom groupid: com.fasterxml.jackson.core
    - Manifest Implementation-Vendor: FasterXML
    - jar package name: fasterxml
    - Manifest require-capability: osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))"
    - Manifest implementation-build-date: 2017-07-30 03:53:23+0000
    - jar package name: jackson
    - pom url: http://github.com/FasterXML/jackson
    - pom parent-groupid: com.fasterxml.jackson
    - pom name: Jackson-annotations
    - pom groupid: fasterxml.jackson.core
    - Manifest Implementation-Vendor-Id: com.fasterxml.jackson.core
    - Manifest bundle-symbolicname: com.fasterxml.jackson.core.jackson-annotations
    - Manifest bundle-docurl: http://github.com/FasterXML/jackson
    - file name: jackson-annotations
    - pom artifactid: jackson-annotations
    - Manifest specification-vendor: FasterXML
    - pom parent-artifactid: jackson-parent
  Evidence (product):
    - jar package name: fasterxml
    - Manifest require-capability: osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))"
    - Manifest implementation-build-date: 2017-07-30 03:53:23+0000
    - jar package name: jackson
    - Manifest Bundle-Name: Jackson-annotations
    - pom url: http://github.com/FasterXML/jackson
    - pom name: Jackson-annotations
    - pom parent-groupid: com.fasterxml.jackson
    - pom groupid: fasterxml.jackson.core
    - Manifest Implementation-Title: Jackson-annotations
    - Manifest bundle-symbolicname: com.fasterxml.jackson.core.jackson-annotations
    - Manifest bundle-docurl: http://github.com/FasterXML/jackson
    - Manifest specification-title: Jackson-annotations
    - pom artifactid: jackson-annotations
    - file name: jackson-annotations
    - pom parent-artifactid: jackson-parent
  Evidence (version):
    - file version: 2.9.0
    - Manifest Bundle-Version: 2.9.0
    - Manifest Implementation-Version: 2.9.0
    - pom version: 2.9.0
  Identifier: pkg:maven/com.fasterxml.jackson.core/jackson-annotations@2.9.0 (https://ossindex.sonatype.org/component/pkg:maven/com.fasterxml.jackson.core/jackson-annotations@2.9.0)

Dependency: jackson-core-2.9.7.jar
  File path: /home/user/.m2/repository/com/fasterxml/jackson/core/jackson-core/2.9.7/jackson-core-2.9.7.jar
  MD5: ae90e61fef491afefbc9c225b6497753
  SHA1: 4b7f0e0dc527fab032e9800ed231080fdc3ac015
  SHA256: 9e5bc0efabd9f0cac5c1fdd9ae35b16332ed22a0ee19a356de370a18a8cb6c84
  Description: Core Jackson processing abstractions (aka Streaming API), implementation for JSON
  License: http://www.apache.org/licenses/LICENSE-2.0.txt
  Project reference: java-demo-project:compile
  Evidence (vendor):
    - pom groupid: com.fasterxml.jackson.core
    - Manifest Implementation-Vendor: FasterXML
    - Manifest automatic-module-name: com.fasterxml.jackson.core
    - jar package name: fasterxml
    - Manifest require-capability: osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))"
    - pom url: FasterXML/jackson-core
    - pom artifactid: jackson-core
    - jar package name: core
    - jar package name: base
    - file name: jackson-core
    - jar package name: jackson
    - pom parent-groupid: com.fasterxml.jackson
    - Manifest bundle-symbolicname: com.fasterxml.jackson.core.jackson-core
    - pom groupid: fasterxml.jackson.core
    - pom name: Jackson-core
    - Manifest Implementation-Vendor-Id: com.fasterxml.jackson.core
    - Manifest bundle-docurl: https://github.com/FasterXML/jackson-core
    - Manifest implementation-build-date: 2018-09-19 02:41:39+0000
    - pom parent-artifactid: jackson-base
    - Manifest specification-vendor: FasterXML
    - jar package name: json
  Evidence (product):
    - Manifest automatic-module-name: com.fasterxml.jackson.core
    - jar package name: fasterxml
    - Manifest require-capability: osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))"
    - jar package name: filter
    - jar package name: core
    - jar package name: base
    - pom artifactid: jackson-core
    - file name: jackson-core
    - jar package name: jackson
    - Manifest Implementation-Title: Jackson-core
    - pom parent-groupid: com.fasterxml.jackson
    - pom groupid: fasterxml.jackson.core
    - Manifest bundle-symbolicname: com.fasterxml.jackson.core.jackson-core
    - Manifest specification-title: Jackson-core
    - pom url: FasterXML/jackson-core
    - pom name: Jackson-core
    - Manifest bundle-docurl: https://github.com/FasterXML/jackson-core
    - Manifest Bundle-Name: Jackson-core
    - Manifest implementation-build-date: 2018-09-19 02:41:39+0000
    - jar package name: json
    - pom parent-artifactid: jackson-base
    - jar package name: version
  Evidence (version):
    - Manifest Implementation-Version: 2.9.7
    - Manifest Bundle-Version: 2.9.7
    - pom version: 2.9.7
    - file version: 2.9.7
  Identifier: pkg:maven/com.fasterxml.jackson.core/jackson-core@2.9.7 (https://ossindex.sonatype.org/component/pkg:maven/com.fasterxml.jackson.core/jackson-core@2.9.7)
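Every jackson-databind entry above shares one precondition: Default Typing is enabled, so the JSON payload itself names the class to instantiate, and each CVE is one more class on the classpath (HikariConfig, HikariDataSource, the DBCP pool data sources, P6DataSource, EhcacheJtaTransactionManagerLookup, the log4j-extras JNDI lookup) whose constructor or setters do something an attacker can steer. The 2.9.9.x and 2.9.10 releases linked in the references close each case by adding that class to jackson-databind's deny list, which is why the CVEs keep coming. The example below is added here and is not code from the report, the demo project or jackson-databind: it shows the weak configuration next to the durable fix, an allow-list PolymorphicTypeValidator, which requires jackson-databind 2.10.0 or later (activateDefaultTyping and BasicPolymorphicTypeValidator do not exist in 2.9.x). The package com.example.demo and the classes DefaultTypingCheck, Message, TextMessage and NotAMessage are hypothetical; NotAMessage is a constructed stand-in for a classpath gadget so the example runs offline without any of the libraries named above and without an exploit chain, and the two JSON payloads are constructed.

```java
package com.example.demo;

import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

/*
 * Added example, not code from the report or from jackson-databind. Assumes
 * jackson-databind 2.10.0 or newer on the classpath. All class names below
 * are hypothetical.
 */
public final class DefaultTypingCheck {

    /** Base type a hypothetical endpoint accepts; the JSON names the concrete subtype. */
    public interface Message { }

    /** The one subtype the application legitimately expects. */
    public static final class TextMessage implements Message {
        public String text;
    }

    /**
     * Constructed stand-in for a classpath gadget (HikariConfig, P6DataSource,
     * SharedPoolDataSource, ...): not a Message, but it has a public no-arg
     * constructor and a setter that Jackson will invoke while binding.
     */
    public static class NotAMessage {
        public static volatile String lastCommand;      // records that the setter ran
        public void setCommand(String command) { lastCommand = command; }
    }

    /**
     * Vulnerable: global Default Typing lets the payload choose the class for
     * every Object- or non-final-typed value. This is the "Default Typing is
     * enabled ... globally" precondition in the CVE descriptions.
     */
    @SuppressWarnings("deprecation")
    public static ObjectMapper vulnerableMapper() {
        return new ObjectMapper()
                .enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL);
    }

    /**
     * Hardened: Default Typing still works, but only TextMessage may appear as
     * a type id. Any other class name is refused with InvalidTypeIdException:
     * no instance is built and no setter runs, whatever jars are on the classpath.
     */
    public static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(TextMessage.class)     // allow list, not a deny list
                .build();
        return new ObjectMapper()
                .activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
    }

    /** Binds the payload the way an Object-typed endpoint would and reports what happened. */
    public static String bind(ObjectMapper mapper, String json) {
        try {
            Object value = mapper.readValue(json, Object.class);
            return "INSTANTIATED " + value.getClass().getName();
        } catch (InvalidTypeIdException e) {
            return "REJECTED type id " + e.getTypeId();
        } catch (JsonProcessingException e) {
            return "REJECTED: " + e.getOriginalMessage();
        }
    }

    public static void main(String[] args) {
        // Constructed payloads in Jackson's WRAPPER_ARRAY form: [type id, value].
        String expected = "[\"com.example.demo.DefaultTypingCheck$TextMessage\",{\"text\":\"hello\"}]";
        String hostile  = "[\"com.example.demo.DefaultTypingCheck$NotAMessage\",{\"command\":\"id\"}]";

        System.out.println("vulnerable / expected: " + bind(vulnerableMapper(), expected));
        System.out.println("vulnerable / hostile:  " + bind(vulnerableMapper(), hostile));
        System.out.println("  NotAMessage.setCommand ran with: " + NotAMessage.lastCommand);
        System.out.println("hardened   / expected: " + bind(hardenedMapper(), expected));
        System.out.println("hardened   / hostile:  " + bind(hardenedMapper(), hostile));
    }
}
```

With the vulnerable mapper both payloads are instantiated and NotAMessage.setCommand runs with attacker-supplied input; with the hardened mapper the second payload is rejected before any object is built while the expected one still binds. The check is on the type id, so it holds for every gadget class listed in the entries above, not just the ones jackson-databind has already deny-listed. Upgrading to 2.10.x alone keeps the deny list but does not change enableDefaultTyping's behaviour; the allow list is what removes the class of bug, and where polymorphism is not needed at all, leaving Default Typing off and using @JsonTypeInfo with NAME ids on the specific property is safer still.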