Activity log for bug #2012327

Date Who What changed Old value New value Message
2023-03-21 03:24:06 Steve Beattie bug added bug
2023-03-21 03:26:08 Steve Beattie description

    Old value: the same text as the new value below, without its final clause ("rather than the needs-triage that they should be").

    New value:

    When a CVE has been issued for an older issue where the fix landed in a release earlier than the devel release, check-cves / active-edit is setting the state of the esm-apps releases incorrectly. An example CVE that I hit today where this occurs is CVE-2021-46877 affecting jackson-databind:

        $ ./scripts/check-cves --cve CVE-2021-46877 nvdcve-1.1-2021.json
        Loading /home/steve/git/cve_trackers/debian-security-tracker/data/CVE/list ...
        Loading nvdcve-1.1-2021.json ...
        97% [==================================================================================================== ] 130438317 ETA: 0:00:00
        ***********************************************************************
        CVE-2021-46877 (1/1: 100%)
        https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-46877
        ***********************************************************************
        Published: 2023-03-18 22:15:00 UTC
        MISC: https://github.com/FasterXML/jackson-databind/issues/3328
        MISC: https://groups.google.com/g/jackson-user/c/OsBsirPM_Vw
        ======================== CVE details ==========================
        CVE-2021-46877
        jackson-databind 2.10.x through 2.12.x before 2.12.6 and 2.13.x before 2.13.1 allows attackers to cause a denial of service (2 GB transient heap usage per read) in uncommon situations involving JsonNode JDK serialization.
        ======================= Debian details ========================
        Debian CVE Tracker: FOUND
                NOTE: https://groups.google.com/g/jackson-user/c/OsBsirPM_Vw
                NOTE: https://github.com/FasterXML/jackson-databind/issues/3328
                NOTE: https://github.com/FasterXML/jackson-databind/commit/3ccde7d938fea547e598fdefe9a82cff37fed5cb (jackson-databind-2.12.6)
                NOTE: https://github.com/FasterXML/jackson-databind/commit/3ccde7d938fea547e598fdefe9a82cff37fed5cb (jackson-databind-3.13.1)
          Debian: jackson-databind: 2.13.2.2-1 (needs-triage)
            Ubuntu: jackson-databind | 2.9.8-1~18.04 | bionic-updates/universe
            Ubuntu: jackson-databind | 2.10.2-1 | focal/universe
            Ubuntu: jackson-databind | 2.13.0-2 | jammy/universe
            Ubuntu: jackson-databind | 2.13.2.2-1 | kinetic/universe
            Ubuntu: jackson-databind | 2.14.0-1 | lunar/universe
        A]dd (or R]epeat), I]gnore forever, S]kip for now, or Q]uit? [add]
        Package(s) affected? [jackson-databind]

    # This results in the following CVE file generated:

        Candidate: CVE-2021-46877
        PublicDate: 2023-03-21
        References:
         https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-46877
         https://groups.google.com/g/jackson-user/c/OsBsirPM_Vw
         https://github.com/FasterXML/jackson-databind/issues/3328
         https://github.com/FasterXML/jackson-databind/commit/3ccde7d938fea547e598fdefe9a82cff37fed5cb (jackson-databind-2.12.6)
         https://github.com/FasterXML/jackson-databind/commit/3ccde7d938fea547e598fdefe9a82cff37fed5cb (jackson-databind-3.13.1)
        Description:
         jackson-databind 2.10.x through 2.12.x before 2.12.6 and 2.13.x before
         2.13.1 allows attackers to cause a denial of service (2 GB transient heap
         usage per read) in uncommon situations involving JsonNode JDK
         serialization.
        Ubuntu-Description:
        Notes:
        Mitigation:
        Bugs:
        Priority: untriaged
        Discovered-by:
        Assigned-to:
        CVSS:
        Patches_jackson-databind:
        upstream_jackson-databind: released (2.13.2.2-1)
        trusty_jackson-databind: ignored (out of standard support)
        xenial_jackson-databind: ignored (out of standard support)
        bionic_jackson-databind: needs-triage
        focal_jackson-databind: needs-triage
        jammy_jackson-databind: needs-triage
        kinetic_jackson-databind: not-affected (2.13.2.2-1)
        trusty/esm_jackson-databind: not-affected
        esm-apps/xenial_jackson-databind: not-affected
        esm-apps/bionic_jackson-databind: not-affected
        esm-apps/focal_jackson-databind: not-affected
        esm-apps/jammy_jackson-databind: not-affected
        devel_jackson-databind: not-affected

    Note that the version that Debian noted as fixed landed in the kinetic cycle, so check-cves or active_edit correctly marked that version as not-affected with the version, and then attempted to mark all later versions (which would just be the devel version, lunar), but instead marked trusty/esm and all the esm-apps versions as not-affected, rather than the needs-triage that they should be.
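The release-ordering mistake described in the report, modelled as an added example that is not ubuntu-cve-tracker's own code: the series list, the entry keys, the state strings and both propagation functions are assumptions, chosen only to contrast "later in the file" with "later in time".

```python
# Added example, not ubuntu-cve-tracker code: a toy model of how a fix version
# should propagate to later releases in a CVE file laid out like the one above.

# Chronological order of Ubuntu series (assumption; "devel" is the newest).
RELEASE_ORDER = ["trusty", "xenial", "bionic", "focal", "jammy", "kinetic", "lunar"]
DEVEL = "lunar"

# Constructed starting states, in file order, mirroring the report's CVE file.
ENTRIES = {"trusty": "ignored (out of standard support)",
           "xenial": "ignored (out of standard support)"}
ENTRIES.update({k: "needs-triage" for k in [
    "bionic", "focal", "jammy", "kinetic", "trusty/esm", "esm-apps/xenial",
    "esm-apps/bionic", "esm-apps/focal", "esm-apps/jammy", "devel"]})

def base_series(key):
    """Map an entry key to the Ubuntu series it is built from."""
    if key == "devel":
        return DEVEL
    for part in key.split("/"):  # "esm-apps/xenial" -> xenial, "trusty/esm" -> trusty
        if part in RELEASE_ORDER:
            return part
    raise ValueError(f"unknown release key: {key}")

def propagate_by_position(entries, fixed_in, version):
    """Buggy variant: 'later' means 'listed after fixed_in in the file'.
    The ESM entries sit after kinetic in the file, so they get marked too."""
    out = dict(entries)
    keys = list(entries)
    out[fixed_in] = f"not-affected ({version})"
    for key in keys[keys.index(fixed_in) + 1:]:
        out[key] = "not-affected"
    return out

def propagate_by_series(entries, fixed_in, version):
    """Corrected variant: compare the chronological series each key derives from,
    so only releases newer than the fixed one (here just devel) are marked."""
    out = dict(entries)
    fixed_pos = RELEASE_ORDER.index(base_series(fixed_in))
    out[fixed_in] = f"not-affected ({version})"
    for key in entries:
        if key != fixed_in and RELEASE_ORDER.index(base_series(key)) > fixed_pos:
            out[key] = "not-affected"
    return out
```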
2023-03-21 05:18:17 Launchpad Janitor merge proposal linked https://code.launchpad.net/~alexmurray/ubuntu-cve-tracker/+git/ubuntu-cve-tracker-1/+merge/439296
2023-03-21 05:23:15 Alex Murray ubuntu-cve-tracker: status New In Progress
2023-03-21 05:23:19 Alex Murray ubuntu-cve-tracker: importance Undecided High
2023-03-21 05:23:22 Alex Murray ubuntu-cve-tracker: assignee Alex Murray (alexmurray)
2023-03-29 06:39:25 Alex Murray ubuntu-cve-tracker: status In Progress Fix Committed
2023-03-29 18:45:51 Steve Beattie cve linked 2021-46877
2023-03-30 01:35:23 Alex Murray attachment added diff https://bugs.launchpad.net/ubuntu-cve-tracker/+bug/2012327/+attachment/5658779/+files/diff