Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Block one more gadget type (javax.swing, CVE-2020-10969) #2642

Closed
cowtowncoder opened this issue Mar 4, 2020 · 5 comments
Closed

Block one more gadget type (javax.swing, CVE-2020-10969) #2642

cowtowncoder opened this issue Mar 4, 2020 · 5 comments
Labels
CVE Issues related to public CVEs (security vuln reports)
Milestone
2.9.10.4

Comments

@cowtowncoder
Copy link
Member

cowtowncoder commented Mar 4, 2020
edited
Loading

Another gadget type reported regarding a class in javax.swing package..
See https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 for description of the general problem.

Mitre id: CVE-2020-10969
Reporters: threedr3am

Fix will be included in:

  • 2.9.10.4
  • 2.8.11.6 (jackson-bom version 2.8.11.20200310)
  • 2.7.9.7
  • Does not affect 2.10.0 and later
@cowtowncoder cowtowncoder added the CVE Issues related to public CVEs (security vuln reports) label Mar 4, 2020
@cowtowncoder cowtowncoder mentioned this issue Mar 4, 2020
Closed
@cowtowncoder cowtowncoder added this to the 2.9.10.4 milestone Mar 4, 2020
@cowtowncoder
Copy link
Member Author

Issue fixed; CVE id request submitted.

qxo pushed a commit to qxo/jackson-databind that referenced this issue Mar 10, 2020
@cowtowncoder @qxo
Fix FasterXML#2642
88d8d75
cowtowncoder added a commit that referenced this issue Mar 10, 2020
@cowtowncoder
Fix #2642
6ba4845
@cowtowncoder cowtowncoder changed the title Block one more gadget type (javax.swing, CVE-to-be-allocated) Block one more gadget type (javax.swing, CVE-2020-10969) Mar 26, 2020
@terryvdgriend
Copy link

@cowtowncoder Is there any indication when 2.9.10.4 is going to be released? Since the CVE is now being picked up by reporters.

@cowtowncoder
Copy link
Member Author

@terryvdgriend In future please ask questions on mailing list (https://groups.google.com/forum/#!forum/jackson-user). Issue reports are getting spammed with this same question over and over.
2.9.10.4 will be out when it's ready, hopefully next weekend. But as long as new types to block keep on being submitted 1-2 per week it gets delayed. Right now there is apparently 1 more to be submitted.

@terryvdgriend
Copy link

Thanks for the clarification, sorry for the inconvenience!

@cowtowncoder
Copy link
Member Author

@terryvdgriend np, I understand that there is a good reason to wish for a security patch ASAP. Just wish I had a better way of keeping everyone informed...

martokarski pushed a commit to atlassian/jackson-1 that referenced this issue May 8, 2020
@mtokarski-atlassian
Block one more gadget type (javax.swing, CVE-2020-10969)
5010c29 
Merged from FasterXML/jackson-databind#2642
This was referenced May 10, 2022
Open
Open
@scott-cx scott-cx mentioned this issue Aug 1, 2022
Open
@cxronen cxronen mentioned this issue Sep 20, 2022
Open
@margaritalm margaritalm mentioned this issue Dec 25, 2022
Open
@cxronen cxronen mentioned this issue Apr 13, 2023
Open
@cxronen cxronen mentioned this issue May 25, 2023
Open
@cxronen cxronen mentioned this issue May 25, 2023
Open
@stschott stschott mentioned this issue Sep 23, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
CVE Issues related to public CVEs (security vuln reports)
Projects
None yet
Milestone
2.9.10.4
Development

No branches or pull requests
2 participants
@cowtowncoder @terryvdgriend