ALSA-2020:1644

Source
https://errata.almalinux.org/8/ALSA-2020-1644.html
Import Source
https://github.com/AlmaLinux/osv-database/blob/master/advisories/almalinux8/ALSA-2020:1644.json
JSON Data
https://api.osv.dev/v1/vulns/ALSA-2020:1644
Published
2020-04-28T09:00:20Z
Modified
2020-04-28T09:00:04Z
Summary
Moderate: pki-core:10.6 and pki-deps:10.6 security, bug fix, and enhancement update
Details

The Public Key Infrastructure (PKI) Core contains fundamental packages required by AlmaLinux Certificate System.

Security Fix(es):

  • jackson-databind: Serialization gadgets in com.zaxxer.hikari.HikariConfig (CVE-2019-14540)

  • jackson-databind: Serialization gadgets in com.zaxxer.hikari.HikariDataSource (CVE-2019-16335)

  • jackson-databind: Serialization gadgets in org.apache.commons.dbcp.datasources.* (CVE-2019-16942)

  • jackson-databind: Serialization gadgets in com.p6spy.engine.spy.P6DataSource (CVE-2019-16943)

  • jackson-databind: Serialization gadgets in org.apache.log4j.receivers.db.* (CVE-2019-17531)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the AlmaLinux Release Notes linked from the References section.

References

Affected packages

AlmaLinux:8 / apache-commons-collections

Package

Name
apache-commons-collections

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
3.2.2-10.module_el8.5.0+2577+9e95fe00

AlmaLinux:8 / apache-commons-lang

Package

Name
apache-commons-lang

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
2.6-21.module_el8.5.0+2577+9e95fe00

AlmaLinux:8 / bea-stax-api

Package

Name
bea-stax-api

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1.2.0-16.module_el8.5.0+2577+9e95fe00

AlmaLinux:8 / glassfish-fastinfoset

Package

Name
glassfish-fastinfoset

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1.2.13-9.module_el8.5.0+2577+9e95fe00

AlmaLinux:8 / glassfish-jaxb-api

Package

Name
glassfish-jaxb-api

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
2.2.12-8.module_el8.5.0+2577+9e95fe00

AlmaLinux:8 / glassfish-jaxb-core

Package

Name
glassfish-jaxb-core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
2.2.11-11.module_el8.5.0+2577+9e95fe00

AlmaLinux:8 / glassfish-jaxb-runtime

Package

Name
glassfish-jaxb-runtime

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
2.2.11-11.module_el8.5.0+2577+9e95fe00

AlmaLinux:8 / glassfish-jaxb-txw2

Package

Name
glassfish-jaxb-txw2

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
2.2.11-11.module_el8.5.0+2577+9e95fe00

AlmaLinux:8 / jackson-annotations

Package

Name
jackson-annotations

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
2.10.0-1.module_el8.5.0+2577+9e95fe00

AlmaLinux:8 / jackson-core

Package

Name
jackson-core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
2.10.0-1.module_el8.5.0+2577+9e95fe00

AlmaLinux:8 / jackson-databind

Package

Name
jackson-databind

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
2.10.0-1.module_el8.5.0+2577+9e95fe00

AlmaLinux:8 / jackson-jaxrs-json-provider

Package

Name
jackson-jaxrs-json-provider

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
2.9.9-1.module_el8.5.0+2577+9e95fe00

AlmaLinux:8 / jackson-jaxrs-providers

Package

Name
jackson-jaxrs-providers

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
2.9.9-1.module_el8.5.0+2577+9e95fe00

AlmaLinux:8 / jackson-module-jaxb-annotations

Package

Name
jackson-module-jaxb-annotations

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
2.7.6-4.module_el8.5.0+2577+9e95fe00

AlmaLinux:8 / jakarta-commons-httpclient

Package

Name
jakarta-commons-httpclient

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1:3.1-28.module_el8.5.0+2577+9e95fe00

AlmaLinux:8 / javassist

Package

Name
javassist

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
3.18.1-8.module_el8.5.0+2577+9e95fe00

AlmaLinux:8 / javassist-javadoc

Package

Name
javassist-javadoc

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
3.18.1-8.module_el8.5.0+2577+9e95fe00

AlmaLinux:8 / python-nss-doc

Package

Name
python-nss-doc

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1.0.1-10.module_el8.5.0+2577+9e95fe00.alma

AlmaLinux:8 / python3-nss

Package

Name
python3-nss

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1.0.1-10.module_el8.5.0+2577+9e95fe00.alma

AlmaLinux:8 / relaxngDatatype

Package

Name
relaxngDatatype

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
2011.1-7.module_el8.5.0+2577+9e95fe00

AlmaLinux:8 / slf4j

Package

Name
slf4j

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1.7.25-4.module_el8.5.0+2577+9e95fe00

AlmaLinux:8 / slf4j-jdk14

Package

Name
slf4j-jdk14

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1.7.25-4.module_el8.5.0+2577+9e95fe00

AlmaLinux:8 / stax-ex

Package

Name
stax-ex

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1.7.7-8.module_el8.5.0+2577+9e95fe00

AlmaLinux:8 / velocity

Package

Name
velocity

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1.7-24.module_el8.5.0+2577+9e95fe00

AlmaLinux:8 / xalan-j2

Package

Name
xalan-j2

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
2.7.1-38.module_el8.5.0+2577+9e95fe00

AlmaLinux:8 / xerces-j2

Package

Name
xerces-j2

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
2.11.0-34.module_el8.5.0+2577+9e95fe00

AlmaLinux:8 / xml-commons-apis

Package

Name
xml-commons-apis

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1.4.01-25.module_el8.5.0+2577+9e95fe00

AlmaLinux:8 / xml-commons-resolver

Package

Name
xml-commons-resolver

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1.2-26.module_el8.5.0+2577+9e95fe00

AlmaLinux:8 / xmlstreambuffer

Package

Name
xmlstreambuffer

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1.5.4-8.module_el8.5.0+2577+9e95fe00

AlmaLinux:8 / xsom

Package

Name
xsom

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
0-19.20110809svn.module_el8.5.0+2577+9e95fe00