The following updates has been released for Debian GNU/Linux 8 LTS:
DLA 1703-1: jackson-databind security update
DLA 1704-1: nss security update
DLA 1703-1: jackson-databind security update
DLA 1704-1: nss security update
DLA 1703-1: jackson-databind security update
Package : jackson-databind
Version : 2.4.2-2+deb8u5
CVE ID : CVE-2018-11307 CVE-2018-12022 CVE-2018-12023 CVE-2018-14718
CVE-2018-14719 CVE-2018-14720 CVE-2018-14721 CVE-2018-19360
CVE-2018-19361 CVE-2018-19362
Several deserialization flaws were discovered in jackson-databind, a fast
and powerful JSON library for Java, which could allow an unauthenticated
user to perform code execution. The issue was resolved by extending
the blacklist and blocking more classes from polymorphic deserialization.
For Debian 8 "Jessie", these problems have been fixed in version
2.4.2-2+deb8u5.
We recommend that you upgrade your jackson-databind packages.
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
DLA 1704-1: nss security update
Package : nss
Version : 2:3.26-1+debu8u4
CVE ID : CVE-2018-12404 CVE-2018-18508
Debian Bug : 921614
Vulnerabilities have been discovered in nss, the Mozilla Network
Security Service library.
CVE-2018-12404
Cache side-channel variant of the Bleichenbacher attack
CVE-2018-18508
NULL pointer dereference in several CMS functions resulting in a
denial of service
For Debian 8 "Jessie", these problems have been fixed in version
2:3.26-1+debu8u4.
We recommend that you upgrade your nss packages.
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
