Debian 10230 Published by

The following updates has been released for Debian GNU/Linux 8 LTS:

DLA 1703-1: jackson-databind security update
DLA 1704-1: nss security update



DLA 1703-1: jackson-databind security update




Package : jackson-databind
Version : 2.4.2-2+deb8u5
CVE ID : CVE-2018-11307 CVE-2018-12022 CVE-2018-12023 CVE-2018-14718
CVE-2018-14719 CVE-2018-14720 CVE-2018-14721 CVE-2018-19360
CVE-2018-19361 CVE-2018-19362

Several deserialization flaws were discovered in jackson-databind, a fast
and powerful JSON library for Java, which could allow an unauthenticated
user to perform code execution. The issue was resolved by extending
the blacklist and blocking more classes from polymorphic deserialization.

For Debian 8 "Jessie", these problems have been fixed in version
2.4.2-2+deb8u5.

We recommend that you upgrade your jackson-databind packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS


DLA 1704-1: nss security update

Package : nss
Version : 2:3.26-1+debu8u4
CVE ID : CVE-2018-12404 CVE-2018-18508
Debian Bug : 921614


Vulnerabilities have been discovered in nss, the Mozilla Network
Security Service library.

CVE-2018-12404

Cache side-channel variant of the Bleichenbacher attack

CVE-2018-18508

NULL pointer dereference in several CMS functions resulting in a
denial of service

For Debian 8 "Jessie", these problems have been fixed in version
2:3.26-1+debu8u4.

We recommend that you upgrade your nss packages.

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS