--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2019-df57551f6d
2019-02-19 13:59:57.021257
--------------------------------------------------------------------------------
Name : jackson-dataformat-xml
Product : Fedora 29
Version : 2.9.8
Release : 1.fc29
URL :
https://github.com/FasterXML/jackson-dataformat-xml
Summary : Jackson extension component for reading and writing XML encoded data
Description :
Data format extension for Jackson (
http://jackson.codehaus.org)
to offer alternative support for serializing POJOs as XML and
deserializing XML as POJOs. Support implemented on top of Stax API
(javax.xml.stream), by implementing core Jackson Streaming API types
like JsonGenerator, JsonParser and JsonFactory. Some data-binding types
overridden as well (ObjectMapper sub-classed as XmlMapper).
--------------------------------------------------------------------------------
Update Information:
Fixes CVE-2018-14718 CVE-2018-14719 CVE-2018-19360 CVE-2018-19361 CVE-2018-19362
CVE-2018-12022 CVE-2018-12023 CVE-2018-14720 CVE-2018-14721 and CVE-2016-7051.
--------------------------------------------------------------------------------
ChangeLog:
* Wed Feb 6 2019 Mat Booth <mat.booth(a)redhat.com> - 2.9.8-1
- Update to latest upstream release
* Fri Feb 1 2019 Fedora Release Engineering <releng(a)fedoraproject.org> - 2.9.4-4
- Rebuilt for
https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #1555900 - jackson-datatype-jdk8: FTBFS in F28
https://bugzilla.redhat.com/show_bug.cgi?id=1555900
[ 2 ] Bug #1604397 - jackson-datatype-jdk8: FTBFS in Fedora rawhide
https://bugzilla.redhat.com/show_bug.cgi?id=1604397
[ 3 ] Bug #1671098 - CVE-2018-12022 jackson-databind: improper polymorphic
deserialization of types from Jodd-db library [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1671098
[ 4 ] Bug #1666490 - CVE-2018-19362 jackson-databind: improper polymorphic
deserialization in jboss-common-core class [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1666490
[ 5 ] Bug #1666486 - CVE-2018-19361 jackson-databind: improper polymorphic
deserialization in openjpa class [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1666486
[ 6 ] Bug #1666483 - CVE-2018-19360 jackson-databind: improper polymorphic
deserialization in axis2-transport-jms class [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1666483
[ 7 ] Bug #1666429 - CVE-2018-14721 jackson-databind: server-side request forgery (SSRF)
in axis2-jaxws class [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1666429
[ 8 ] Bug #1666424 - CVE-2018-14720 jackson-databind: exfiltration/XXE in some JDK
classes [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1666424
[ 9 ] Bug #1666419 - CVE-2018-14719 jackson-databind: arbitrary code execution in
blaze-ds-opt and blaze-ds-core classes [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1666419
[ 10 ] Bug #1666416 - CVE-2018-14718 jackson-databind: arbitrary code execution in
slf4j-ext class [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1666416
[ 11 ] Bug #1380206 - CVE-2016-7051 jackson-dataformat-xml: XmlMapper is vulnerable to
SSRF attack [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1380206
[ 12 ] Bug #1672925 - bouncycastle-1.61 is available
https://bugzilla.redhat.com/show_bug.cgi?id=1672925
[ 13 ] Bug #1667118 - CVE-2018-1000873 jackson-datatype-jsr310: jackson-modules-java8:
DoS due to an Improper Input Validation [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1667118
[ 14 ] Bug #1671099 - CVE-2018-12023 jackson-databind: improper polymorphic
deserialization of types from Oracle JDBC driver [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1671099
--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use
su -c 'dnf upgrade --advisory FEDORA-2019-df57551f6d' at the command
line. For more information, refer to the dnf documentation available at
http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------