Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

Block one more gadget type (activemq-pool[-jms], CVE-2020-11111) #2664

Closed
cowtowncoder opened this issue Mar 24, 2020 · 2 comments
Closed

Block one more gadget type (activemq-pool[-jms], CVE-2020-11111) #2664

cowtowncoder opened this issue Mar 24, 2020 · 2 comments
Labels
CVE Issues related to public CVEs (security vuln reports)
Milestone
2.9.10.4

Comments

@cowtowncoder
Copy link
Member

cowtowncoder commented Mar 24, 2020
edited
Loading

Another gadget type(s) reported regarding classes of org.apache.activemq:activemq-pool, org.apache.activemq:activemq-pool-jms libraries.
See https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 for description of the general problem.

Mitre id: CVE-2020-11111
Reporter: Srikanth Ramu

Fix will be included in:

  • 2.9.10.4
  • Does not affect 2.10.0 and later
@cowtowncoder cowtowncoder changed the title Block one more gadget type (...) Block one more gadget type (activemq) Mar 24, 2020
@cowtowncoder cowtowncoder added 2.9 CVE Issues related to public CVEs (security vuln reports) labels Mar 25, 2020
cowtowncoder added a commit that referenced this issue Mar 25, 2020
@cowtowncoder
Fix #2662, #2664, #2666
05d7e0e
@cowtowncoder cowtowncoder changed the title Block one more gadget type (activemq) Block one more gadget type (activemq-jms) Mar 25, 2020
@cowtowncoder cowtowncoder reopened this Mar 26, 2020
cowtowncoder added a commit that referenced this issue Mar 26, 2020
@cowtowncoder
Further additions wrt #2664
c14c9f9
@cowtowncoder cowtowncoder changed the title Block one more gadget type (activemq-jms) Block one more gadget type (activemq-pool[-jms]) Mar 26, 2020
@cowtowncoder cowtowncoder changed the title Block one more gadget type (activemq-pool[-jms]) Block one more gadget type (activemq-pool[-jms], CVE-2020-11111) Apr 1, 2020
@juliojgd
Copy link

juliojgd commented Apr 1, 2020

Do you have an estimated date for 2.9.10.4 release?

@cowtowncoder
Copy link
Member Author

No firm date. It will keep moving as long as I keep receiving new reports. But hoping it may be done over upcoming weekend (4th - 5th april).

martokarski pushed a commit to atlassian/jackson-1 that referenced this issue May 8, 2020
@mtokarski-atlassian
Block one more gadget type (activemq-pool[-jms], CVE-2020-11111)
71128a4 
Merged from FasterXML/jackson-databind#2664
qxo added a commit to qxo/jackson-databind that referenced this issue Sep 21, 2020
@qxo
fix: merge fix from 2.9 branch FasterXML#2653 FasterXML#2658 FasterXM…
7e70e8e 
…L#2659 FasterXML#2660 FasterXML#2662 FasterXML#2664 FasterXML#2666 FasterXML#2670 FasterXML#2680 FasterXML#2682 FasterXML#2688 FasterXML#2698 FasterXML#2704 FasterXML#2765 FasterXML#2798 FasterXML#2814 FasterXML#2826 FasterXML#2827 FasterXML#2854

1. generated diff CVE diff
git diff ad5a630 -- src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java

2. cleanup the diff ,just remain the CVE change

3. apply the diff

4. check and make sure only commit the AutoType CVE change.

```
PR_LIST=$(git log1 -n 17 ad5a630 -- src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java | awk -F'[ ,]+' '{for(i=1;i<=NF;i++){a=$(i);if(match(a,/#[0-9]+/)){print a;}}}' | sort | uniq);echo "$PR_LIST" | wc -l
echo $PR_LIST
```
@qxo qxo mentioned this issue Sep 21, 2020
Merged
cowtowncoder pushed a commit that referenced this issue Sep 22, 2020
@qxo
fix: merge fix from 2.9 branch #2653 #2658 #2659 #2660 #2662 #2664 #2666
08fbfac 
 #2670 #2680 #2682 #2688 #2698 #2704 #2765 #2798 #2814 #2826 #2827 #2854 (#2858)

1. generated diff CVE diff
git diff ad5a630 -- src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java

2. cleanup the diff ,just remain the CVE change

3. apply the diff

4. check and make sure only commit the AutoType CVE change.

```
PR_LIST=$(git log1 -n 17 ad5a630 -- src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java | awk -F'[ ,]+' '{for(i=1;i<=NF;i++){a=$(i);if(match(a,/#[0-9]+/)){print a;}}}' | sort | uniq);echo "$PR_LIST" | wc -l
echo $PR_LIST
```
@cowtowncoder cowtowncoder added this to the 2.9.10.4 milestone Dec 2, 2020
This was referenced May 10, 2022
Open
Open
@scott-cx scott-cx mentioned this issue Aug 1, 2022
Open
@cxronen cxronen mentioned this issue Sep 20, 2022
Open
@margaritalm margaritalm mentioned this issue Dec 25, 2022
Open
This was referenced Feb 15, 2023
Open
Open
@cxronen cxronen mentioned this issue May 25, 2023
Open
@stschott stschott mentioned this issue Sep 23, 2024
Merged
# for free to join this conversation on GitHub. Already have an account? # to comment
Assignees
No one assigned
Labels
CVE Issues related to public CVEs (security vuln reports)
Projects
None yet
Milestone
2.9.10.4
Development

No branches or pull requests
2 participants
@cowtowncoder @juliojgd