Merge ~alexmurray/ubuntu-cve-tracker:fix-lp-2012327 into ubuntu-cve-tracker:master
| Status | Merged |
|---|---|
| Merged at revision | 1d30b9e42ffefe2fb2cbfd4d05200f1b36c37915 |
| Proposed branch | ~alexmurray/ubuntu-cve-tracker:fix-lp-2012327 |
| Merge into | ubuntu-cve-tracker:master |
| Diff against target | 238 lines (+66/-34), 3 files modified: scripts/active_edit (+1/-1), scripts/cve_lib.py (+39/-33), scripts/test_cve_lib.py (+26/-0) |
| Related bugs | |
| Reviewer | Review Type | Date Requested | Status |
|---|---|---|---|
| Steve Beattie | Approve | | |

Review via email: mp+439296@code.launchpad.net
Description of the change
Fixes LP: #2012327
[amurray:~/ubuntu … ubuntu-cve-tracker] fix-lp-
Loading /home/amurray/
Loading nvdcve-
97% [======
*******
CVE-2021-46877 (1/2: 50%)
https:/
*******
Published: 2023-03-18 22:15:00 UTC
MISC: https:/
MISC: https:/
=======
CVE-2021-46877
jackson-databind 2.10.x through 2.12.x before 2.12.6 and 2.13.x before 2.13.1 allows attackers to cause a denial of service (2 GB transient heap usage per read) in uncommon situations involving JsonNode JDK serialization.
=======
Debian CVE Tracker: FOUND
NOTE: https:/
NOTE: https:/
NOTE: https:/
NOTE: https:/
Debian: jackson-databind: 2.13.2.2-1 (needs-triage)
Ubuntu: jackson-databind | 2.9.8-1~18.04 | bionic-
Ubuntu: jackson-databind | 2.10.2-1 | focal/universe
Ubuntu: jackson-databind | 2.13.0-2 | jammy/universe
Ubuntu: jackson-databind | 2.13.2.2-1 | kinetic/universe
Ubuntu: jackson-databind | 2.14.0-1 | lunar/universe
A]dd (or R]epeat), I]gnore forever, S]kip for now, or Q]uit? [add]
Package(s) affected? [jackson-databind]
Waiting for Emacs...
=======
Detecting packages built using: jackson-
=======
1 CVEs added
0 CVEs ignored
0 CVEs skipped
-------
1 total CVEs triaged
=======
/home/
?? pyrightconfig.json
Please remember to push the above changes if appropriate
[amurray:~/ubuntu … ubuntu-cve-tracker] fix-lp-
Candidate: CVE-2021-46877
PublicDate: 2023-03-21
References:
https:/
https:/
https:/
https:/
https:/
Description:
jackson-databind 2.10.x through 2.12.x before 2.12.6 and 2.13.x before
2.13.1 allows attackers to cause a denial of service (2 GB transient heap
usage per read) in uncommon situations involving JsonNode JDK
serialization.
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
Priority: untriaged
Discovered-by:
Assigned-to:
CVSS:
Patches_
upstream_
trusty_
trusty/
xenial_
esm-apps/
bionic_
esm-apps/
focal_jackson-
esm-apps/
jammy_jackson-
esm-apps/
kinetic_
devel_jackson-
LGTM, and thanks for adding to the tests, appreciated!