Bug#961298: jodd: CVE-2018-21234: Potential vulnerability in JSON deserialization
Salvatore Bonaccorso
carnil at debian.org
Mon Mar 1 09:54:31 GMT 2021
Hi Emmanuel,
On Sat, May 30, 2020 at 02:50:32PM +0200, Emmanuel Bourg wrote:
> Control: severity -1 important
>
> On 22/05/2020 at 22:51, Salvatore Bonaccorso wrote:
>
> > The following vulnerability was published for jodd. I'm filing it as
> > RC severity since, although one might dispute the severity for the issue
> > itself, it looks like in Debian there was ever only one upload of
> > jodd, and there are no reverse (build) dependencies either.
> >
> > Is the package actually of some use or planned use?
>
> Thank you for the report Salvatore.
>
> jodd is a new dependency of JMeter 3, I haven't finished the packaging yet.
>
> Note that the fix for CVE-2018-21234 merely adds an optional
> whitelisting feature to check the classes being deserialized. But the
> default behavior is still the same (no check), so the charge of
> addressing the vulnerability is actually shifted to the applications
> using jodd.
Back when we lowered the severity, the above was the reasoning, but
jmeter 3 is not in bullseye.
So should we remove src:jodd to at least not be included in bullseye?
According to dak this is no problem to do:
carnil at coccia:~$ dak rm --suite=testing -n -R jodd
Will remove the following packages from testing:
jodd | 3.8.6-1.1 | source
libjodd-java | 3.8.6-1.1 | all
Maintainer: Debian Java Maintainers <pkg-java-maintainers at lists.alioth.debian.org>
------------------- Reason -------------------
----------------------------------------------
Checking reverse dependencies...
No dependency problem found.
carnil at coccia:~$
Regards,
Salvatore
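To make Emmanuel's point about the fix concrete: the following is an added, illustrative example written for this page, not Jodd's code and not anything shipped in the Debian package. It models a parser that honours an `__class` metadata key in untrusted JSON by instantiating the named class reflectively, with "no check" as the default and an opt-in wildcard allowlist that the application has to register itself. The `allowClass`/`allowAllClasses` method names, the `__class` key and the two JSON inputs are assumptions standing in for the real API; check the Jodd release containing the CVE-2018-21234 fix for the actual method names before relying on them.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Stand-in for a JSON parser that honours a "__class" metadata key by
 * instantiating the named class reflectively. Illustrative only: not Jodd's
 * code; the allowClass/allowAllClasses names and the "__class" key are assumed.
 */
public final class ClassMetadataAllowlist {

    /** The type the application actually expects to receive. */
    public static final class Order {
        @Override public String toString() { return "Order"; }
    }

    private static final Pattern CLASS_KEY =
            Pattern.compile("\"__class\"\\s*:\\s*\"([^\"]+)\"");

    private final List<Pattern> allowed = new ArrayList<>();
    // Mirrors the behaviour described in the thread: unless the application
    // registers an allowlist, every class name in the input is honoured.
    private boolean allowAll = true;

    /** Permit classes matching a '*' wildcard and switch the check on. */
    public ClassMetadataAllowlist allowClass(String wildcard) {
        allowAll = false;
        allowed.add(wildcardToRegex(wildcard));
        return this;
    }

    /** Explicitly opt back into the unchecked behaviour. */
    public ClassMetadataAllowlist allowAllClasses() {
        allowAll = true;
        return this;
    }

    public boolean isAllowed(String className) {
        if (allowAll) return true;
        for (Pattern p : allowed) {
            if (p.matcher(className).matches()) return true;
        }
        return false;
    }

    /** Read "__class" from untrusted JSON text and instantiate it, subject to the allowlist. */
    public Object instantiate(String json) throws ReflectiveOperationException {
        Matcher m = CLASS_KEY.matcher(json);
        if (!m.find()) throw new IllegalArgumentException("no __class metadata in input");
        String className = m.group(1);
        if (!isAllowed(className)) {
            throw new SecurityException("class not on allowlist: " + className);
        }
        // The class name is attacker-controlled: with allowAll set, any class on
        // the classpath that has a no-arg constructor becomes reachable.
        return Class.forName(className).getDeclaredConstructor().newInstance();
    }

    static Pattern wildcardToRegex(String wildcard) {
        StringBuilder sb = new StringBuilder();
        for (char c : wildcard.toCharArray()) {
            sb.append(c == '*' ? ".*" : Pattern.quote(String.valueOf(c)));
        }
        return Pattern.compile(sb.toString());
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: the first is what the application expects, the
        // second names an unrelated JDK class.
        String expected  = "{\"__class\":\"ClassMetadataAllowlist$Order\",\"id\":7}";
        String untrusted = "{\"__class\":\"java.util.HashMap\",\"id\":7}";

        // Library default: no check, so the unrelated class is instantiated.
        ClassMetadataAllowlist unchecked = new ClassMetadataAllowlist();
        System.out.println("default (no check): "
                + unchecked.instantiate(untrusted).getClass().getName());

        // Application opts in to the allowlist: only its own model types pass.
        ClassMetadataAllowlist checked =
                new ClassMetadataAllowlist().allowClass("ClassMetadataAllowlist$*");
        System.out.println("allowlist, expected: " + checked.instantiate(expected));
        try {
            checked.instantiate(untrusted);
        } catch (SecurityException e) {
            System.out.println("allowlist, untrusted: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac ClassMetadataAllowlist.java && java ClassMetadataAllowlist`. The design choice worth noting is the one the thread turns on: the check only exists once the application calls `allowClass`, so a library update alone does not change what an existing deployment does with attacker-supplied class metadata.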