Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Block one more gadget type (activemq-pool[-jms], CVE-2020-11111) #2664

Closed
cowtowncoder opened this issue Mar 24, 2020 · 2 comments
Closed

Block one more gadget type (activemq-pool[-jms], CVE-2020-11111) #2664

cowtowncoder opened this issue Mar 24, 2020 · 2 comments
Labels
CVE Issues related to public CVEs (security vuln reports)
Milestone

Comments

@cowtowncoder
Copy link
Member

cowtowncoder commented Mar 24, 2020

Another gadget type(s) reported regarding classes of org.apache.activemq:activemq-pool, org.apache.activemq:activemq-pool-jms libraries.
See https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 for description of the general problem.

Mitre id: CVE-2020-11111
Reporter: Srikanth Ramu

Fix will be included in:

  • 2.9.10.4
  • Does not affect 2.10.0 and later
@cowtowncoder cowtowncoder changed the title Block one more gadget type (...) Block one more gadget type (activemq) Mar 24, 2020
@cowtowncoder cowtowncoder added 2.9 CVE Issues related to public CVEs (security vuln reports) labels Mar 25, 2020
cowtowncoder added a commit that referenced this issue Mar 25, 2020
@cowtowncoder cowtowncoder changed the title Block one more gadget type (activemq) Block one more gadget type (activemq-jms) Mar 25, 2020
@cowtowncoder cowtowncoder reopened this Mar 26, 2020
cowtowncoder added a commit that referenced this issue Mar 26, 2020
@cowtowncoder cowtowncoder changed the title Block one more gadget type (activemq-jms) Block one more gadget type (activemq-pool[-jms]) Mar 26, 2020
@cowtowncoder cowtowncoder changed the title Block one more gadget type (activemq-pool[-jms]) Block one more gadget type (activemq-pool[-jms], CVE-2020-11111) Apr 1, 2020
@juliojgd
Copy link

juliojgd commented Apr 1, 2020

Do you have an estimated date for 2.9.10.4 release?

@cowtowncoder
Copy link
Member Author

No firm date. It will keep moving as long as I keep receiving new reports. But hoping it may be done over upcoming weekend (4th - 5th april).

martokarski pushed a commit to atlassian/jackson-1 that referenced this issue May 8, 2020
qxo added a commit to qxo/jackson-databind that referenced this issue Sep 21, 2020
…L#2659 FasterXML#2660 FasterXML#2662 FasterXML#2664 FasterXML#2666 FasterXML#2670 FasterXML#2680 FasterXML#2682 FasterXML#2688 FasterXML#2698 FasterXML#2704 FasterXML#2765 FasterXML#2798 FasterXML#2814 FasterXML#2826 FasterXML#2827 FasterXML#2854

1. generated diff CVE diff
git diff ad5a630 -- src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java

2. cleanup the diff ,just remain the CVE change

3. apply the diff

4. check and make sure only commit the AutoType CVE change.

```
PR_LIST=$(git log1 -n 17 ad5a630 -- src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java | awk -F'[ ,]+' '{for(i=1;i<=NF;i++){a=$(i);if(match(a,/#[0-9]+/)){print a;}}}' | sort | uniq);echo "$PR_LIST" | wc -l
echo $PR_LIST
```
cowtowncoder pushed a commit that referenced this issue Sep 22, 2020
 #2670 #2680 #2682 #2688 #2698 #2704 #2765 #2798 #2814 #2826 #2827 #2854 (#2858)

1. generated diff CVE diff
git diff ad5a630 -- src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java

2. cleanup the diff ,just remain the CVE change

3. apply the diff

4. check and make sure only commit the AutoType CVE change.

```
PR_LIST=$(git log1 -n 17 ad5a630 -- src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java | awk -F'[ ,]+' '{for(i=1;i<=NF;i++){a=$(i);if(match(a,/#[0-9]+/)){print a;}}}' | sort | uniq);echo "$PR_LIST" | wc -l
echo $PR_LIST
```
@cowtowncoder cowtowncoder added this to the 2.9.10.4 milestone Dec 2, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
CVE Issues related to public CVEs (security vuln reports)
Projects
None yet
Development

No branches or pull requests

2 participants