Security update for jackson-databind, jackson-dataformats-binary, jackson-annotations, jackson-bom, jackson-core
Announcement ID: | SUSE-SU-2022:1678-1 |
---|---|
Rating: | important |
References: | |
Cross-References: | |
CVSS scores: |
|
Affected Products: |
|
An update that solves three vulnerabilities can now be installed.
Description:
This update for jackson-databind, jackson-dataformats-binary, jackson-annotations, jackson-bom, jackson-core fixes the following issues:
Security issues fixed:
- CVE-2020-36518: Fixed a Java stack overflow exception and denial of service via a large depth of nested objects in jackson-databind. (bsc#1197132)
- CVE-2020-25649: Fixed an insecure entity expansion in jackson-databind which was vulnerable to XML external entity (XXE). (bsc#1177616)
- CVE-2020-28491: Fixed a bug which could cause
java.lang.OutOfMemoryError
exception in jackson-dataformats-binary. (bsc#1182481)
Non security fixes:
jackson-annotations - update from version 2.10.2 to version 2.13.0:
- Build with source/target levels 8
- Add 'mvnw' wrapper
- 'JsonSubType.Type' should accept array of names
- Jackson version alignment with Gradle 6
- Add '@JsonIncludeProperties'
- Add '@JsonTypeInfo(use=DEDUCTION)'
- Ability to use '@JsonAnyGetter' on fields
- Add '@JsonKey' annotation
- Allow repeated calls to 'SimpleObjectIdResolver.bindItem()' for same mapping
- Add 'namespace' property for '@JsonProperty' (for XML module)
- Add target 'ElementType.ANNOTATION_TYPE' for '@JsonEnumDefaultValue'
- 'JsonPattern.Value.pattern' retained as "", never (accidentally) exposed as 'null'
- Rewrite to use
ant
for building in order to be able to use it in packages that have to be built before maven
jackson-bom - update from version 2.10.2 to version 2.13.0:
- Configure moditect plugin with '<jvmVersion>11</jvmVersion>'
- jackson-bom manages the version of 'junit:junit'
- Drop 'jackson-datatype-hibernate3' (support for Hibernate 3.x datatypes)
- Removed "jakarta" classifier variants of JAXB/JSON-P/JAX-RS modules due to the addition of new Jakarta artifacts (Jakarta-JSONP, Jakarta-xmlbind-annotations, Jakarta-rs-providers)
- Add version for 'jackson-datatype-jakarta-jsonp' module (introduced after 2.12.2)
- Add (beta) version for 'jackson-dataformat-toml'
- Jakarta 9 artifact versions are missing from jackson-bom
- Add default settings for 'gradle-module-metadata-maven-plugin' (gradle metadata)
- Add default settings for 'build-helper-maven-plugin'
- Drop 'jackson-module-scala_2.10' entry (not released for Jackson 2.12 or later)
- Add override for 'version.plugin.bundle' (for 5.1.1) to help build on JDK 15+
- Add missing version for jackson-datatype-eclipse-collections
jackson-core - update from version 2.10.2 to version 2.13.0:
- Build with source and target levels 8
- Misleading exception for input source when processing byte buffer with start offset
- Escape contents of source document snippet for 'JsonLocation._appendSourceDesc()'
- Add 'StreamWriteException' type to eventually replace 'JsonGenerationException'
- Replace 'getCurrentLocation()'/'getTokenLocation()' with 'currentLocation()'/'currentTokenLocation()' in 'JsonParser'
- Replace 'JsonGenerator.writeObject()' (and related) with 'writePOJO()'
- Replace 'getCurrentValue()'/'setCurrentValue()' with 'currentValue()'/'assignCurrentValue()' in 'JsonParser'/'JsonGenerator
- Introduce O(n^1.5) BigDecimal parser implementation
- ByteQuadsCanonicalizer.addName(String, int, int) has incorrect handling for case of q2 == null
- UTF32Reader ArrayIndexOutOfBoundsException
- Improve exception/JsonLocation handling for binary content: don't show content, include byte offset
- Fix an issue with the TokenFilter unable to ignore properties when deserializing.
- Optimize array allocation by 'JsonStringEncoder'
- Add 'mvnw' wrapper
- (partial) Optimize array allocation by 'JsonStringEncoder'
- Add back accidentally removed 'JsonStringEncoder' related methods in 'BufferRecyclers' (like 'getJsonStringEncoder()')
- 'ArrayOutOfBoundException' at 'WriterBasedJsonGenerator.writeString(Reader, int)'
- Allow "optional-padding" for 'Base64Variant'
- More customizable TokenFilter inclusion (using 'Tokenfilter.Inclusion')
- Publish Gradle Module Metadata
- Add 'StreamReadCapability' for further format-based/format-agnostic handling improvements
- Add 'JsonParser.isExpectedNumberIntToken()' convenience method
- Add 'StreamWriteCapability' for further format-based/format-agnostic handling improvements
- Add 'JsonParser.getNumberValueExact()' to allow precision-retaining buffering
- Limit initial allocated block size by 'ByteArrayBuilder' to max block size
- Add 'JacksonException' as parent class of 'JsonProcessingException'
- Make 'JsonWriteContext.reset()' and 'JsonReadContext.reset()' methods public
- Deprecate 'JsonParser.getCurrentTokenId()' (use '#currentTokenId()' instead)
- Full "LICENSE" included in jar for easier access by compliancy tools
- Fix NPE in 'writeNumber(String)' method of 'UTF8JsonGenerator', 'WriterBasedJsonGenerator'
- Add a String Array write method in the Streaming API
- Synchronize variants of 'JsonGenerator#writeNumberField' with 'JsonGenerator#writeNumber'
- Add JsonGenerator#writeNumber(char[], int, int) method
- Do not clear aggregated contents of 'TextBuffer' when 'releaseBuffers()' called
- 'FilteringGeneratorDelegate' does not handle 'writeString(Reader, int)'
- Optionally allow leading decimal in float tokens
- Rewrite to use ant for building in order to be able to use it in packages that have to be built before maven
- Parsing JSON with 'ALLOW_MISSING_VALUE' enabled results in endless stream of 'VALUE_NULL' tokens
- Handle case when system property access is restricted
- 'FilteringGeneratorDelegate' does not handle 'writeString(Reader, int)'
- DataFormatMatcher#getMatchedFormatName throws NPE when no match exists
- 'JsonParser.getCurrentLocation()' byte/char offset update incorrectly for big payloads
jackson-databind - update from version 2.10.5.1 to version 2.13.0:
- '@JsonValue' with integer for enum does not deserialize correctly
- 'AnnotatedMethod.getValue()/setValue()' doesn't have useful exception message
- Add 'DatabindException' as intermediate subtype of 'JsonMappingException'
- Jackson does not support deserializing new Java 9 unmodifiable collections
- Allocate TokenBuffer instance via context objects (to allow format-specific buffer types)
- Add mechanism for setting default 'ContextAttributes' for 'ObjectMapper'
- Add 'DeserializationContext.readTreeAsValue()' methods for more convenient conversions for deserializers to use
- Clean up support of typed "unmodifiable", "singleton" Maps/Sets/Collections
- Extend internal bitfield of 'MapperFeature' to be 'long'
- Add 'removeMixIn()' method in 'MapperBuilder'
- Backport 'MapperBuilder' lambda-taking methods: 'withConfigOverride()', 'withCoercionConfig()', 'withCoercionConfigDefaults()'
- configOverrides(boolean.class) silently ignored, whereas .configOverride(Boolean.class) works for both primitives and boxed boolean values
- Dont track unknown props in buffer if 'ignoreAllUnknown' is true
- Should allow deserialization of java.time types via opaque 'JsonToken.VALUE_EMBEDDED_OBJECT'
- Optimize "AnnotatedConstructor.call()" case by passing explicit null
- Add AnnotationIntrospector.XmlExtensions interface for decoupling javax dependencies
- Custom SimpleModule not included in list returned by ObjectMapper.getRegisteredModuleIds() after registration
- Use more limiting default visibility settings for JDK types (java., javax.)
- Deep merge for 'JsonNode' using 'ObjectReader.readTree()'
- IllegalArgumentException: Conflicting setter definitions for property with more than 2 setters
- Serializing java.lang.Thread fails on JDK 11 and above
- String-based 'Map' key deserializer is not deterministic when there is no single arg constructor
- Add ArrayNode#set(int index, primitive_type value)
- JsonStreamContext "currentValue" wrongly references to '@JsonTypeInfo' annotated object
- DOM 'Node' serialization omits the default namespace declaration
- Support 'suppressed' property when deserializing 'Throwable'
- 'AnnotatedMember.equals()' does not work reliably
- Add 'MapperFeature.APPLY_DEFAULT_VALUES', initially for Scala module
- For an absent property Jackson injects 'NullNode' instead of 'null' to a JsonNode-typed constructor argument of a '@ConstructorProperties'-annotated constructor
- 'XMLGregorianCalendar' doesn't work with default typing
- Content 'null' handling not working for root values
- StdDeserializer rejects blank (all-whitespace) strings for ints
- 'USE_BASE_TYPE_AS_DEFAULT_IMPL' not working with 'DefaultTypeResolverBuilder'
- Add PropertyNamingStrategies.UpperSnakeCaseStrategy (and UPPER_SNAKE_CASE constant)
- StackOverflowError when serializing JsonProcessingException
- Support for BCP 47 'java.util.Locale' serialization/deserialization
- String property deserializes null as "null" for JsonTypeInfo.As.EXISTING_PROPERTY
- Can not deserialize json to enum value with Object-/Array-valued input, '@JsonCreator'
- Fix to avoid problem with 'BigDecimalNode', scale of 'Integer.MIN_VALUE'
- Extend handling of 'FAIL_ON_NULL_FOR_PRIMITIVES' to cover coercion from (Empty) String via 'AsNull'
- Add 'mvnw' wrapper
- (regression) Factory method generic type resolution does not use Class-bound type parameter
- Deserialization of "empty" subtype with DEDUCTION failed
- Merge findInjectableValues() results in AnnotationIntrospectorPair
- READ_UNKNOWN_ENUM_VALUES_USING_DEFAULT_VALUE doesn't work with empty strings
- 'TypeFactory' cannot convert 'Collection' sub-type
without type parameters to canonical form and back
- Fix for [modules-java8#207]: prevent fail on secondary Java 8 date/time types
- EXTERNAL_PROPERTY does not work well with '@JsonCreator' and 'FAIL_ON_UNKNOWN_PROPERTIES'
- String property deserializes null as "null" for 'JsonTypeInfo.As.EXTERNAL_PROPERTY'
- Property ignorals cause 'BeanDeserializer 'to forget how to read from arrays (not copying '_arrayDelegateDeserializer')
- UntypedObjectDeserializer' mixes multiple unwrapped collections (related to #2733)
- Two cases of incorrect error reporting about DeserializationFeature
- Bug in polymorphic deserialization with '@JsonCreator', '@JsonAnySetter', 'JsonTypeInfo.As.EXTERNAL_PROPERTY'
- Polymorphic subtype deduction ignores 'defaultImpl' attribute
- MismatchedInputException: Cannot deserialize instance of 'com.fasterxml.jackson.databind.node.ObjectNode' out of VALUE_NULL token
- Missing override for 'hasAsKey()' in 'AnnotationIntrospectorPair'
- Creator lookup fails with 'InvalidDefinitionException' for conflict between single-double/single-Double arg constructor
- 'MapDeserializer' forcing 'JsonMappingException' wrapping even if WRAP_EXCEPTIONS set to false
- Auto-detection of constructor-based creator method skipped if there is an annotated factory-based creator method (regression from 2.11)
- 'ObjectMapper.treeToValue()' no longer invokes 'JsonDeserializer.getNullValue()'
- DeserializationProblemHandler is not invoked when trying to deserialize String
- Fix failing 'double' JsonCreators in jackson 2.12.0
- Conflicting in POJOPropertiesCollector when having namingStrategy
- Breaking API change in 'BasicClassIntrospector' (2.12.0)
- 'JsonNode.requiredAt()' does NOT fail on some path expressions
- Exception thrown when 'Collections.synchronizedList()' is serialized with type info, deserialized
- Add option to resolve type from multiple existing properties, '@JsonTypeInfo(use=DEDUCTION)'
- '@JsonIgnoreProperties' does not prevent Exception Conflicting getter/setter definitions for property
- Deserialization Not Working Right with Generic Types and Builders
- Add '@JsonIncludeProperties(propertyNames)' (reverse of '@JsonIgnoreProperties')
- '@JsonAnyGetter' should be allowed on a field
- Allow handling of single-arg constructor as property based by default
- Allow case insensitive deserialization of String value into 'boolean'/'Boolean' (esp for Excel)
- Allow use of '@JsonFormat(with=JsonFormat.Feature .ACCEPT_CASE_INSENSITIVE_PROPERTIES)' on Class
- Abstract class included as part of known type ids for error message when using JsonSubTypes
- Distinguish null from empty string for UUID deserialization
- 'ReferenceType' does not expose valid containedType
- Add 'CoercionConfig[s]' mechanism for configuring allowed coercions
- 'JsonProperty.Access.READ_ONLY' does not work with "getter-as-setter" 'Collection's
- Support 'BigInteger' and 'BigDecimal' creators in 'StdValueInstantiator'
- 'JsonProperty.Access.READ_ONLY' fails with collections when a property name is specified
- 'BigDecimal' precision not retained for polymorphic deserialization
- Support use of 'Void' valued properties ('MapperFeature.ALLOW_VOID_VALUED_PROPERTIES')
- Explicitly fail (de)serialization of 'java.time.*' types in absence of registered custom (de)serializers
- Improve description included in by 'DeserializationContext.handleUnexpectedToken()'
- Support for JDK 14 record types ('java.lang.Record')
- 'PropertyNamingStrategy' class initialization depends on its subclass, this can lead to class loading deadlock
- 'FAIL_ON_IGNORED_PROPERTIES' does not throw on 'READONLY' properties with an explicit name
- Add Gradle Module Metadata for version alignment with Gradle 6
- Allow 'JsonNode' auto-convert into 'ArrayNode' if duplicates found (for XML)
- Allow values of "untyped" auto-convert into 'List' if duplicates found (for XML)
- Add 'ValueInstantiator.createContextual(...)
- Support multiple names in 'JsonSubType.Type'
- Disabling 'FAIL_ON_INVALID_SUBTYPE' breaks polymorphic deserialization of Enums
- Explicitly fail (de)serialization of 'org.joda.time.*' types in absence of registered custom (de)serializers
- Trailing zeros are stripped when deserializing BigDecimal values inside a @JsonUnwrapped property
- Extract getter/setter/field name mangling from 'BeanUtil' into pluggable 'AccessorNamingStrategy'
- Throw 'InvalidFormatException' instead of 'MismatchedInputException' for ACCEPT_FLOAT_AS_INT coercion failures
- Add '@JsonKey' annotation (similar to '@JsonValue') for customizable serialization of Map keys
- 'MapperFeature.ACCEPT_CASE_INSENSITIVE_ENUMS' should work for enum as keys
- Add support for disabling special handling of "Creator properties" wrt alphabetic property ordering
- Add 'JsonNode.canConvertToExactIntegral()' to indicate whether floating-point/BigDecimal values could be converted to integers losslessly
- Improve static factory method generic type resolution logic
- Allow preventing "Enum from integer" coercion using new 'CoercionConfig' system
- '@JsonValue' not considered when evaluating inclusion
- Make some java platform modules optional
- Add support for serializing 'java.sql.Blob'
- 'AnnotatedCreatorCollector' should avoid processing synthetic static (factory) methods
- Add errorprone static analysis profile to detect bugs at build time
- Problem with implicit creator name detection for constructor detection
- Add 'BeanDeserializerBase.isCaseInsensitive()'
- Refactoring of 'CollectionDeserializer' to solve CSV array handling issues
- Full "LICENSE" included in jar for easier access by compliancy tools
- Fix type resolution for static methods (regression in 2.11.3)
- '@JsonCreator' on constructor not compatible with '@JsonIdentityInfo', 'PropertyGenerator'
- Add debug improvements about 'ClassUtil.getClassMethods()'
- Cannot detect creator arguments of mixins for JDK types
- Add 'JsonFormat.Shape' awareness for UUID serialization ('UUIDSerializer')
- Json serialization fails or a specific case that contains generics and static methods with generic parameters (2.11.1 -> 2.11.2 regression)
- 'ObjectMapper.activateDefaultTypingAsProperty()' is not using parameter 'PolymorphicTypeValidator'
- Problem deserialization "raw generic" fields (like 'Map') in 2.11.2
- Fix issues with 'MapLikeType.isTrueMapType()', 'CollectionLikeType.isTrueCollectionType()'
- Parser/Generator features not set when using 'ObjectMapper.createParser()', 'createGenerator()'
- Polymorphic subtypes not registering on copied ObjectMapper (2.11.1)
- Failure to read AnnotatedField value in Jackson 2.11
- 'TypeFactory.constructType()' does not take 'TypeBindings' correctly
- Builder Deserialization with JsonCreator Value vs Array
- JsonCreator on static method in Enum and Enum used as key in map fails randomly
- 'StdSubtypeResolver' is not thread safe (possibly due to copy not being made with 'ObjectMapper.copy()')
- "Conflicting setter definitions for property" exception for 'Map' subtype during deserialization
- Fail to deserialize local Records
- Rearranging of props when property-based generator is in use leads to incorrect output
- Jackson doesn't respect 'CAN_OVERRIDE_ACCESS_MODIFIERS=false' for deserializer properties
- 'DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS' don't support 'Map' type field
- JsonParser from MismatchedInputException cannot getText() for floating-point value
- i-I case conversion problem in Turkish locale with case-insensitive deserialization
- '@JsonInject' fails on trying to find deserializer even if inject-only
- Polymorphic deserialization should handle case-insensitive Type Id property name if 'MapperFeature.ACCEPT_CASE_INSENSITIVE_PROPERTIES' is enabled
- TreeTraversingParser and UTF8StreamJsonParser create contexts differently
- Support use of '@JsonAlias' for enum values
- 'declaringClass' of "enum-as-POJO" not removed for 'ObjectMapper' with a naming strategy
- Fix 'JavaType.isEnumType()' to support sub-classes
- BeanDeserializerBuilder Protected Factory Method for Extension
- Support '@JsonSerialize(keyUsing)' and '@JsonDeserialize(keyUsing)' on Key class
- Add 'SerializationFeature.WRITE_SELF_REFERENCES_AS_NULL'
- 'ObjectMapper.registerSubtypes(NamedType...)' doesn't allow registering same POJO for two different type ids
- 'DeserializationContext.handleMissingInstantiator()' throws 'MismatchedInputException' for non-static inner classes
- Incorrect 'JsonStreamContext' for 'TokenBuffer' and 'TreeTraversingParser'
- Add 'AnnotationIntrospector.findRenameByField()' to support Kotlin's "is-getter" naming convention
- Use '@JsonProperty(index)' for sorting properties on serialization
- Java 8 'Optional' not working with '@JsonUnwrapped' on unwrappable type
- Add 'MapperFeature.BLOCK_UNSAFE_POLYMORPHIC_BASE_TYPES' to allow blocking use of unsafe base type for polymorphic deserialization
- 'ObjectMapper.setSerializationInclusion()' is ignored for 'JsonAnyGetter'
- 'ValueInstantiationException' when deserializing using a builder and 'UNWRAP_SINGLE_VALUE_ARRAYS'
- JsonIgnoreProperties(ignoreUnknown = true) does not work on field and method level
- Failure to resolve generic type parameters on serialization
- JsonParser cannot getText() for input stream on MismatchedInputException
- ObjectReader readValue lacks Class<T> argument
- Change default textual serialization of 'java.util.Date'/'Calendar' to include colon in timezone offset
- Add 'ObjectMapper.createParser()' and 'createGenerator()' methods
- Allow serialization of 'Properties' with non-String values
- Add new factory method for creating custom 'EnumValues' to pass to 'EnumDeserializer
- 'IllegalArgumentException' thrown for mismatched subclass deserialization
- Add convenience methods for creating 'List', 'Map' valued 'ObjectReader's (ObjectMapper.readerForListOf())
- 'SerializerProvider.findContentValueSerializer()' methods
jackson-dataformats-binary - update from version 2.10.1 to version 2.13.0:
- (cbor) Should validate UTF-8 multi-byte validity for short decode path too
- (ion) Deprecate 'CloseSafeUTF8Writer', remove use
- (smile) Make 'SmileFactory' support 'JsonFactory.Feature.CANONICALIZE_FIELD_NAMES'
- (cbor) Make 'CBORFactory' support 'JsonFactory.Feature.CANONICALIZE_FIELD_NAMES'
- (cbor) Handle case of BigDecimal with Integer.MIN_VALUE for scale gracefully
- (cbor) Uncaught exception in CBORParser._nextChunkedByte2 (by ossfuzzer)
- (cbor) Another uncaught exception in CBORParser._nextChunkedByte2 (by ossfuzzer)
- (smile) Add 'SmileGenerator.Feature.LENIENT_UTF_ENCODING' for lenient handling of broken Unicode surrogate pairs on writing
- (avro) Add 'logicalType' support for some 'java.time' types; add 'AvroJavaTimeModule' for native ser/deser
- Support base64 strings in 'getBinaryValue()' for CBOR and Smile
- (cbor) 'ArrayIndexOutOfBounds' for truncated UTF-8 name
- (avro) Generate logicalType switch
- (smile) 'ArrayIndexOutOfBounds' for truncated UTF-8 name
- (ion) 'jackson-dataformat-ion' does not handle null.struct deserialization correctly
- 'Ion-java' dep 1.4.0 -> 1.8.0
- Minor change to Ion module registration names (fully-qualified)
- (cbor) Uncaught exception in CBORParser._nextChunkedByte2 (by ossfuzzer)
- (cbor) Uncaught exception in CBORParser._findDecodedFromSymbols() (by ossfuzzer)
- (smile) Uncaught validation problem wrt Smile "BigDecimal" type
- (smile) ArrayIndexOutOfBoundsException for malformed Smile header
- (cbor) Failed to handle case of alleged String with length of Integer.MAX_VALUE
- (smile) Allocate byte[] lazily for longer Smile binary data payloads
- (cbor) CBORParser need to validate zero-length byte[] for BigInteger
- (smile) Handle invalid chunked-binary-format length gracefully
- (smile) Allocate byte[] lazily for longer Smile binary data payloads (7-bit encoded)
- (smile) ArrayIndexOutOfBoundsException in SmileParser._decodeShortUnicodeValue()
- (smile) Handle sequence of Smile header markers without recursion
- (cbor) CBOR loses 'Map' entries with specific 'long' Map key values (32-bit boundary)
- (ion) Ion Polymorphic deserialization in 2.12 breaks wrt use of Native Type Ids when upgrading from 2.8
- (cbor) 'ArrayIndexOutOfBoundsException' in 'CBORParser' for invalid UTF-8 String
- (cbor) Handle invalid CBOR content like '[0x84]' (incomplete array)
- (ion) Respect 'WRITE_ENUMS_USING_TO_STRING' in 'EnumAsIonSymbolSerializer'
- (ion) Add support for generating IonSexps
- (ion) Add support for deserializing IonTimestamps and IonBlobs
- (ion) Add 'IonObjectMapper.builderForBinaryWriters()' / '.builderforTextualWriters()' convenience methods
- (ion) Enabling pretty-printing fails Ion serialization
- (ion) Allow disabling native type ids in IonMapper
- (smile) Small bug in byte-alignment for long field names in Smile, symbol table reuse
- (ion) Add 'IonFactory.getIonSystem()' accessor
- (ion) Optimize 'IonParser.getNumberType()' using 'IonReader.getIntegerSize()'
- (cbor) Add 'CBORGenerator.Feature.LENIENT_UTF_ENCODING' for lenient handling of Unicode surrogate pairs on writing
- (cbor) Add support for decoding unassigned "simple values" (type 7)
- Add Gradle Module Metadata (https://blog.gradle.org/alignment-with-gradle-module-metadata)
- (avro) Cache record names to avoid hitting class loader
- (avro) Avro null deserialization
- (ion) Add 'IonFactory.getIonSystem()' accessor
- (avro) Add 'AvroGenerator.canWriteBinaryNatively()' to support binary writes, fix 'java.util.UUID' representation
- (ion) Allow 'IonObjectMapper' with class name annotation introspector to deserialize generic subtypes
- Remove dependencies upon Jackson 1.X and Avro's JacksonUtils
- 'jackson-databind' should not be full dependency for (cbor, protobuf, smile) modules
- 'CBORGenerator.Feature.WRITE_MINIMAL_INTS' does not write most compact form for all integers
- 'AvroGenerator' overrides 'getOutputContext()' properly
- (ion) Add 'IonFactory.getIonSystem()' accessor
- (avro) Fix schema evolution involving maps of non-scalar
- (protobuf) Parsing a protobuf message doesn't properly skip unknown fields
- (ion) IonObjectMapper close()s the provided IonWriter unnecessarily
- ion-java dependency 1.4.0 -> 1.5.1
Patch Instructions:
To install this SUSE update use the SUSE recommended
installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
-
openSUSE Leap 15.4
zypper in -t patch openSUSE-SLE-15.4-2022-1678=1
-
Basesystem Module 15-SP3
zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP3-2022-1678=1
-
Basesystem Module 15-SP4
zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP4-2022-1678=1
-
Development Tools Module 15-SP3
zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP3-2022-1678=1
-
Development Tools Module 15-SP4
zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP4-2022-1678=1
-
SUSE Linux Enterprise High Performance Computing 15 SP2 ESPOS 15-SP2
zypper in -t patch SUSE-SLE-Product-HPC-15-SP2-ESPOS-2022-1678=1
-
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2
zypper in -t patch SUSE-SLE-Product-HPC-15-SP2-LTSS-2022-1678=1
-
SUSE Linux Enterprise Real Time 15 SP2
zypper in -t patch SUSE-SLE-Product-RT-15-SP2-2022-1678=1
-
SUSE Linux Enterprise Server 15 SP2 Business Critical Linux 15-SP2
zypper in -t patch SUSE-SLE-Product-SLES-15-SP2-BCL-2022-1678=1
-
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2
zypper in -t patch SUSE-SLE-Product-SLES-15-SP2-LTSS-2022-1678=1
-
SUSE Linux Enterprise Server for SAP Applications 15 SP2
zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP2-2022-1678=1
-
SUSE Manager Proxy 4.1
zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Proxy-4.1-2022-1678=1
-
SUSE Manager Retail Branch Server 4.1
zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Retail-Branch-Server-4.1-2022-1678=1
-
SUSE Manager Server 4.1
zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Server-4.1-2022-1678=1
-
SUSE Enterprise Storage 7
zypper in -t patch SUSE-Storage-7-2022-1678=1
Package List:
-
openSUSE Leap 15.4 (noarch)
- jackson-core-2.13.0-150200.3.6.1
- jackson-databind-2.13.0-150200.3.9.1
- jackson-dataformats-binary-2.13.0-150200.3.3.3
- jackson-core-javadoc-2.13.0-150200.3.6.1
- jackson-dataformats-binary-javadoc-2.13.0-150200.3.3.3
- jackson-databind-javadoc-2.13.0-150200.3.9.1
- jackson-dataformat-cbor-2.13.0-150200.3.3.3
- jackson-dataformat-smile-2.13.0-150200.3.3.3
- jackson-annotations-javadoc-2.13.0-150200.3.6.1
- jackson-annotations-2.13.0-150200.3.6.1
- jackson-bom-2.13.0-150200.3.3.1
-
Basesystem Module 15-SP3 (noarch)
- jackson-core-2.13.0-150200.3.6.1
- jackson-databind-2.13.0-150200.3.9.1
- jackson-core-javadoc-2.13.0-150200.3.6.1
- jackson-databind-javadoc-2.13.0-150200.3.9.1
- jackson-annotations-javadoc-2.13.0-150200.3.6.1
- jackson-annotations-2.13.0-150200.3.6.1
-
Basesystem Module 15-SP4 (noarch)
- jackson-core-2.13.0-150200.3.6.1
- jackson-databind-2.13.0-150200.3.9.1
- jackson-annotations-2.13.0-150200.3.6.1
-
Development Tools Module 15-SP3 (noarch)
- jackson-core-2.13.0-150200.3.6.1
- jackson-dataformat-cbor-2.13.0-150200.3.3.3
- jackson-databind-2.13.0-150200.3.9.1
- jackson-annotations-2.13.0-150200.3.6.1
-
Development Tools Module 15-SP4 (noarch)
- jackson-dataformat-cbor-2.13.0-150200.3.3.3
-
SUSE Linux Enterprise High Performance Computing 15 SP2 ESPOS 15-SP2 (noarch)
- jackson-core-2.13.0-150200.3.6.1
- jackson-dataformat-cbor-2.13.0-150200.3.3.3
- jackson-databind-2.13.0-150200.3.9.1
- jackson-annotations-2.13.0-150200.3.6.1
-
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (noarch)
- jackson-core-2.13.0-150200.3.6.1
- jackson-dataformat-cbor-2.13.0-150200.3.3.3
- jackson-databind-2.13.0-150200.3.9.1
- jackson-annotations-2.13.0-150200.3.6.1
-
SUSE Linux Enterprise Real Time 15 SP2 (noarch)
- jackson-core-2.13.0-150200.3.6.1
- jackson-dataformat-cbor-2.13.0-150200.3.3.3
- jackson-databind-2.13.0-150200.3.9.1
- jackson-annotations-2.13.0-150200.3.6.1
-
SUSE Linux Enterprise Server 15 SP2 Business Critical Linux 15-SP2 (noarch)
- jackson-core-2.13.0-150200.3.6.1
- jackson-dataformat-cbor-2.13.0-150200.3.3.3
- jackson-databind-2.13.0-150200.3.9.1
- jackson-annotations-2.13.0-150200.3.6.1
-
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (noarch)
- jackson-core-2.13.0-150200.3.6.1
- jackson-dataformat-cbor-2.13.0-150200.3.3.3
- jackson-databind-2.13.0-150200.3.9.1
- jackson-annotations-2.13.0-150200.3.6.1
-
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (noarch)
- jackson-core-2.13.0-150200.3.6.1
- jackson-dataformat-cbor-2.13.0-150200.3.3.3
- jackson-databind-2.13.0-150200.3.9.1
- jackson-annotations-2.13.0-150200.3.6.1
-
SUSE Manager Proxy 4.1 (noarch)
- jackson-core-2.13.0-150200.3.6.1
- jackson-dataformat-cbor-2.13.0-150200.3.3.3
- jackson-databind-2.13.0-150200.3.9.1
- jackson-annotations-2.13.0-150200.3.6.1
-
SUSE Manager Retail Branch Server 4.1 (noarch)
- jackson-core-2.13.0-150200.3.6.1
- jackson-dataformat-cbor-2.13.0-150200.3.3.3
- jackson-databind-2.13.0-150200.3.9.1
- jackson-annotations-2.13.0-150200.3.6.1
-
SUSE Manager Server 4.1 (noarch)
- jackson-core-2.13.0-150200.3.6.1
- jackson-dataformat-cbor-2.13.0-150200.3.3.3
- jackson-databind-2.13.0-150200.3.9.1
- jackson-annotations-2.13.0-150200.3.6.1
-
SUSE Enterprise Storage 7 (noarch)
- jackson-core-2.13.0-150200.3.6.1
- jackson-dataformat-cbor-2.13.0-150200.3.3.3
- jackson-databind-2.13.0-150200.3.9.1
- jackson-annotations-2.13.0-150200.3.6.1
References:
- https://www.suse.com/security/cve/CVE-2020-25649.html
- https://www.suse.com/security/cve/CVE-2020-28491.html
- https://www.suse.com/security/cve/CVE-2020-36518.html
- https://bugzilla.suse.com/show_bug.cgi?id=1177616
- https://bugzilla.suse.com/show_bug.cgi?id=1182481
- https://bugzilla.suse.com/show_bug.cgi?id=1197132