Security update for jackson-databind, jackson-dataformats-binary, jackson-annotations, jackson-bom, jackson-core

Announcement ID: SUSE-SU-2022:1678-1
Rating: important
CVSS scores:
  • CVE-2020-25649 ( SUSE ): 5.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N
  • CVE-2020-25649 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
  • CVE-2020-28491 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • CVE-2020-28491 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • CVE-2020-36518 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • CVE-2020-36518 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Products:
  • Basesystem Module 15-SP3
  • Basesystem Module 15-SP4
  • Development Tools Module 15-SP3
  • Development Tools Module 15-SP4
  • openSUSE Leap 15.4
  • SUSE Enterprise Storage 7
  • SUSE Linux Enterprise Desktop 15 SP3
  • SUSE Linux Enterprise Desktop 15 SP4
  • SUSE Linux Enterprise High Performance Computing 15 SP2
  • SUSE Linux Enterprise High Performance Computing 15 SP2 ESPOS 15-SP2
  • SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2
  • SUSE Linux Enterprise High Performance Computing 15 SP3
  • SUSE Linux Enterprise High Performance Computing 15 SP4
  • SUSE Linux Enterprise Real Time 15 SP2
  • SUSE Linux Enterprise Real Time 15 SP3
  • SUSE Linux Enterprise Real Time 15 SP4
  • SUSE Linux Enterprise Server 15 SP2
  • SUSE Linux Enterprise Server 15 SP2 Business Critical Linux 15-SP2
  • SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2
  • SUSE Linux Enterprise Server 15 SP3
  • SUSE Linux Enterprise Server 15 SP3 Business Critical Linux 15-SP3
  • SUSE Linux Enterprise Server 15 SP4
  • SUSE Linux Enterprise Server for SAP Applications 15 SP2
  • SUSE Linux Enterprise Server for SAP Applications 15 SP3
  • SUSE Linux Enterprise Server for SAP Applications 15 SP4
  • SUSE Manager Proxy 4.1
  • SUSE Manager Proxy 4.2
  • SUSE Manager Proxy 4.3
  • SUSE Manager Retail Branch Server 4.1
  • SUSE Manager Retail Branch Server 4.2
  • SUSE Manager Retail Branch Server 4.3
  • SUSE Manager Server 4.1
  • SUSE Manager Server 4.2
  • SUSE Manager Server 4.3

An update that solves three vulnerabilities can now be installed.

Description:

This update for jackson-databind, jackson-dataformats-binary, jackson-annotations, jackson-bom, jackson-core fixes the following issues:

Security issues fixed:

  • CVE-2020-36518: Fixed a Java stack overflow exception and denial of service via a large depth of nested objects in jackson-databind. (bsc#1197132)
  • CVE-2020-25649: Fixed an insecure entity expansion in jackson-databind that made it vulnerable to XML external entity (XXE) attacks. (bsc#1177616)
  • CVE-2020-28491: Fixed a bug which could cause java.lang.OutOfMemoryError exception in jackson-dataformats-binary. (bsc#1182481)

Non-security fixes:

jackson-annotations - update from version 2.10.2 to version 2.13.0:

  • Build with source/target levels 8
  • Add 'mvnw' wrapper
  • 'JsonSubType.Type' should accept array of names
  • Jackson version alignment with Gradle 6
  • Add '@JsonIncludeProperties'
  • Add '@JsonTypeInfo(use=DEDUCTION)'
  • Ability to use '@JsonAnyGetter' on fields
  • Add '@JsonKey' annotation
  • Allow repeated calls to 'SimpleObjectIdResolver.bindItem()' for same mapping
  • Add 'namespace' property for '@JsonProperty' (for XML module)
  • Add target 'ElementType.ANNOTATION_TYPE' for '@JsonEnumDefaultValue'
  • 'JsonPattern.Value.pattern' retained as "", never (accidentally) exposed as 'null'
  • Rewrite to use ant for building in order to be able to use it in packages that have to be built before maven

jackson-bom - update from version 2.10.2 to version 2.13.0:

  • Configure moditect plugin with '<jvmVersion>11</jvmVersion>'
  • jackson-bom manages the version of 'junit:junit'
  • Drop 'jackson-datatype-hibernate3' (support for Hibernate 3.x datatypes)
  • Removed "jakarta" classifier variants of JAXB/JSON-P/JAX-RS modules due to the addition of new Jakarta artifacts (Jakarta-JSONP, Jakarta-xmlbind-annotations, Jakarta-rs-providers)
  • Add version for 'jackson-datatype-jakarta-jsonp' module (introduced after 2.12.2)
  • Add (beta) version for 'jackson-dataformat-toml'
  • Jakarta 9 artifact versions are missing from jackson-bom
  • Add default settings for 'gradle-module-metadata-maven-plugin' (gradle metadata)
  • Add default settings for 'build-helper-maven-plugin'
  • Drop 'jackson-module-scala_2.10' entry (not released for Jackson 2.12 or later)
  • Add override for 'version.plugin.bundle' (for 5.1.1) to help build on JDK 15+
  • Add missing version for jackson-datatype-eclipse-collections

jackson-core - update from version 2.10.2 to version 2.13.0:

  • Build with source and target levels 8
  • Misleading exception for input source when processing byte buffer with start offset
  • Escape contents of source document snippet for 'JsonLocation._appendSourceDesc()'
  • Add 'StreamWriteException' type to eventually replace 'JsonGenerationException'
  • Replace 'getCurrentLocation()'/'getTokenLocation()' with 'currentLocation()'/'currentTokenLocation()' in 'JsonParser'
  • Replace 'JsonGenerator.writeObject()' (and related) with 'writePOJO()'
  • Replace 'getCurrentValue()'/'setCurrentValue()' with 'currentValue()'/'assignCurrentValue()' in 'JsonParser'/'JsonGenerator'
  • Introduce O(n^1.5) BigDecimal parser implementation
  • ByteQuadsCanonicalizer.addName(String, int, int) has incorrect handling for case of q2 == null
  • UTF32Reader ArrayIndexOutOfBoundsException
  • Improve exception/JsonLocation handling for binary content: don't show content, include byte offset
  • Fix an issue with the TokenFilter unable to ignore properties when deserializing.
  • Optimize array allocation by 'JsonStringEncoder'
  • Add 'mvnw' wrapper
  • (partial) Optimize array allocation by 'JsonStringEncoder'
  • Add back accidentally removed 'JsonStringEncoder' related methods in 'BufferRecyclers' (like 'getJsonStringEncoder()')
  • 'ArrayOutOfBoundException' at 'WriterBasedJsonGenerator.writeString(Reader, int)'
  • Allow "optional-padding" for 'Base64Variant'
  • More customizable TokenFilter inclusion (using 'TokenFilter.Inclusion')
  • Publish Gradle Module Metadata
  • Add 'StreamReadCapability' for further format-based/format-agnostic handling improvements
  • Add 'JsonParser.isExpectedNumberIntToken()' convenience method
  • Add 'StreamWriteCapability' for further format-based/format-agnostic handling improvements
  • Add 'JsonParser.getNumberValueExact()' to allow precision-retaining buffering
  • Limit initial allocated block size by 'ByteArrayBuilder' to max block size
  • Add 'JacksonException' as parent class of 'JsonProcessingException'
  • Make 'JsonWriteContext.reset()' and 'JsonReadContext.reset()' methods public
  • Deprecate 'JsonParser.getCurrentTokenId()' (use '#currentTokenId()' instead)
  • Full "LICENSE" included in jar for easier access by compliancy tools
  • Fix NPE in 'writeNumber(String)' method of 'UTF8JsonGenerator', 'WriterBasedJsonGenerator'
  • Add a String Array write method in the Streaming API
  • Synchronize variants of 'JsonGenerator#writeNumberField' with 'JsonGenerator#writeNumber'
  • Add JsonGenerator#writeNumber(char[], int, int) method
  • Do not clear aggregated contents of 'TextBuffer' when 'releaseBuffers()' called
  • 'FilteringGeneratorDelegate' does not handle 'writeString(Reader, int)'
  • Optionally allow leading decimal in float tokens
  • Rewrite to use ant for building in order to be able to use it in packages that have to be built before maven
  • Parsing JSON with 'ALLOW_MISSING_VALUE' enabled results in endless stream of 'VALUE_NULL' tokens
  • Handle case when system property access is restricted
  • DataFormatMatcher#getMatchedFormatName throws NPE when no match exists
  • 'JsonParser.getCurrentLocation()' byte/char offset update incorrectly for big payloads

jackson-databind - update from version 2.10.5.1 to version 2.13.0:

  • '@JsonValue' with integer for enum does not deserialize correctly
  • 'AnnotatedMethod.getValue()/setValue()' doesn't have useful exception message
  • Add 'DatabindException' as intermediate subtype of 'JsonMappingException'
  • Jackson does not support deserializing new Java 9 unmodifiable collections
  • Allocate TokenBuffer instance via context objects (to allow format-specific buffer types)
  • Add mechanism for setting default 'ContextAttributes' for 'ObjectMapper'
  • Add 'DeserializationContext.readTreeAsValue()' methods for more convenient conversions for deserializers to use
  • Clean up support of typed "unmodifiable", "singleton" Maps/Sets/Collections
  • Extend internal bitfield of 'MapperFeature' to be 'long'
  • Add 'removeMixIn()' method in 'MapperBuilder'
  • Backport 'MapperBuilder' lambda-taking methods: 'withConfigOverride()', 'withCoercionConfig()', 'withCoercionConfigDefaults()'
  • configOverrides(boolean.class) silently ignored, whereas .configOverride(Boolean.class) works for both primitives and boxed boolean values
  • Don't track unknown props in buffer if 'ignoreAllUnknown' is true
  • Should allow deserialization of java.time types via opaque 'JsonToken.VALUE_EMBEDDED_OBJECT'
  • Optimize "AnnotatedConstructor.call()" case by passing explicit null
  • Add AnnotationIntrospector.XmlExtensions interface for decoupling javax dependencies
  • Custom SimpleModule not included in list returned by ObjectMapper.getRegisteredModuleIds() after registration
  • Use more limiting default visibility settings for JDK types (java., javax.)
  • Deep merge for 'JsonNode' using 'ObjectReader.readTree()'
  • IllegalArgumentException: Conflicting setter definitions for property with more than 2 setters
  • Serializing java.lang.Thread fails on JDK 11 and above
  • String-based 'Map' key deserializer is not deterministic when there is no single arg constructor
  • Add ArrayNode#set(int index, primitive_type value)
  • JsonStreamContext "currentValue" wrongly references to '@JsonTypeInfo' annotated object
  • DOM 'Node' serialization omits the default namespace declaration
  • Support 'suppressed' property when deserializing 'Throwable'
  • 'AnnotatedMember.equals()' does not work reliably
  • Add 'MapperFeature.APPLY_DEFAULT_VALUES', initially for Scala module
  • For an absent property Jackson injects 'NullNode' instead of 'null' to a JsonNode-typed constructor argument of a '@ConstructorProperties'-annotated constructor
  • 'XMLGregorianCalendar' doesn't work with default typing
  • Content 'null' handling not working for root values
  • StdDeserializer rejects blank (all-whitespace) strings for ints
  • 'USE_BASE_TYPE_AS_DEFAULT_IMPL' not working with 'DefaultTypeResolverBuilder'
  • Add PropertyNamingStrategies.UpperSnakeCaseStrategy (and UPPER_SNAKE_CASE constant)
  • StackOverflowError when serializing JsonProcessingException
  • Support for BCP 47 'java.util.Locale' serialization/deserialization
  • String property deserializes null as "null" for JsonTypeInfo.As.EXISTING_PROPERTY
  • Can not deserialize json to enum value with Object-/Array-valued input, '@JsonCreator'
  • Fix to avoid problem with 'BigDecimalNode', scale of 'Integer.MIN_VALUE'
  • Extend handling of 'FAIL_ON_NULL_FOR_PRIMITIVES' to cover coercion from (Empty) String via 'AsNull'
  • Add 'mvnw' wrapper
  • (regression) Factory method generic type resolution does not use Class-bound type parameter
  • Deserialization of "empty" subtype with DEDUCTION failed
  • Merge findInjectableValues() results in AnnotationIntrospectorPair
  • READ_UNKNOWN_ENUM_VALUES_USING_DEFAULT_VALUE doesn't work with empty strings
  • 'TypeFactory' cannot convert 'Collection' sub-type without type parameters to canonical form and back
  • Fix for [modules-java8#207]: prevent fail on secondary Java 8 date/time types
  • EXTERNAL_PROPERTY does not work well with '@JsonCreator' and 'FAIL_ON_UNKNOWN_PROPERTIES'
  • String property deserializes null as "null" for 'JsonTypeInfo.As.EXTERNAL_PROPERTY'
  • Property ignorals cause 'BeanDeserializer' to forget how to read from arrays (not copying '_arrayDelegateDeserializer')
  • 'UntypedObjectDeserializer' mixes multiple unwrapped collections (related to #2733)
  • Two cases of incorrect error reporting about DeserializationFeature
  • Bug in polymorphic deserialization with '@JsonCreator', '@JsonAnySetter', 'JsonTypeInfo.As.EXTERNAL_PROPERTY'
  • Polymorphic subtype deduction ignores 'defaultImpl' attribute
  • MismatchedInputException: Cannot deserialize instance of 'com.fasterxml.jackson.databind.node.ObjectNode' out of VALUE_NULL token
  • Missing override for 'hasAsKey()' in 'AnnotationIntrospectorPair'
  • Creator lookup fails with 'InvalidDefinitionException' for conflict between single-double/single-Double arg constructor
  • 'MapDeserializer' forcing 'JsonMappingException' wrapping even if WRAP_EXCEPTIONS set to false
  • Auto-detection of constructor-based creator method skipped if there is an annotated factory-based creator method (regression from 2.11)
  • 'ObjectMapper.treeToValue()' no longer invokes 'JsonDeserializer.getNullValue()'
  • DeserializationProblemHandler is not invoked when trying to deserialize String
  • Fix failing 'double' JsonCreators in jackson 2.12.0
  • Conflicting in POJOPropertiesCollector when having namingStrategy
  • Breaking API change in 'BasicClassIntrospector' (2.12.0)
  • 'JsonNode.requiredAt()' does NOT fail on some path expressions
  • Exception thrown when 'Collections.synchronizedList()' is serialized with type info, deserialized
  • Add option to resolve type from multiple existing properties, '@JsonTypeInfo(use=DEDUCTION)'
  • '@JsonIgnoreProperties' does not prevent Exception Conflicting getter/setter definitions for property
  • Deserialization Not Working Right with Generic Types and Builders
  • Add '@JsonIncludeProperties(propertyNames)' (reverse of '@JsonIgnoreProperties')
  • '@JsonAnyGetter' should be allowed on a field
  • Allow handling of single-arg constructor as property based by default
  • Allow case insensitive deserialization of String value into 'boolean'/'Boolean' (esp for Excel)
  • Allow use of '@JsonFormat(with=JsonFormat.Feature.ACCEPT_CASE_INSENSITIVE_PROPERTIES)' on Class
  • Abstract class included as part of known type ids for error message when using JsonSubTypes
  • Distinguish null from empty string for UUID deserialization
  • 'ReferenceType' does not expose valid containedType
  • Add 'CoercionConfig[s]' mechanism for configuring allowed coercions
  • 'JsonProperty.Access.READ_ONLY' does not work with "getter-as-setter" 'Collection's
  • Support 'BigInteger' and 'BigDecimal' creators in 'StdValueInstantiator'
  • 'JsonProperty.Access.READ_ONLY' fails with collections when a property name is specified
  • 'BigDecimal' precision not retained for polymorphic deserialization
  • Support use of 'Void' valued properties ('MapperFeature.ALLOW_VOID_VALUED_PROPERTIES')
  • Explicitly fail (de)serialization of 'java.time.*' types in absence of registered custom (de)serializers
  • Improve description included by 'DeserializationContext.handleUnexpectedToken()'
  • Support for JDK 14 record types ('java.lang.Record')
  • 'PropertyNamingStrategy' class initialization depends on its subclass, this can lead to class loading deadlock
  • 'FAIL_ON_IGNORED_PROPERTIES' does not throw on 'READONLY' properties with an explicit name
  • Add Gradle Module Metadata for version alignment with Gradle 6
  • Allow 'JsonNode' auto-convert into 'ArrayNode' if duplicates found (for XML)
  • Allow values of "untyped" auto-convert into 'List' if duplicates found (for XML)
  • Add 'ValueInstantiator.createContextual(...)'
  • Support multiple names in 'JsonSubType.Type'
  • Disabling 'FAIL_ON_INVALID_SUBTYPE' breaks polymorphic deserialization of Enums
  • Explicitly fail (de)serialization of 'org.joda.time.*' types in absence of registered custom (de)serializers
  • Trailing zeros are stripped when deserializing BigDecimal values inside a @JsonUnwrapped property
  • Extract getter/setter/field name mangling from 'BeanUtil' into pluggable 'AccessorNamingStrategy'
  • Throw 'InvalidFormatException' instead of 'MismatchedInputException' for ACCEPT_FLOAT_AS_INT coercion failures
  • Add '@JsonKey' annotation (similar to '@JsonValue') for customizable serialization of Map keys
  • 'MapperFeature.ACCEPT_CASE_INSENSITIVE_ENUMS' should work for enum as keys
  • Add support for disabling special handling of "Creator properties" wrt alphabetic property ordering
  • Add 'JsonNode.canConvertToExactIntegral()' to indicate whether floating-point/BigDecimal values could be converted to integers losslessly
  • Improve static factory method generic type resolution logic
  • Allow preventing "Enum from integer" coercion using new 'CoercionConfig' system
  • '@JsonValue' not considered when evaluating inclusion
  • Make some java platform modules optional
  • Add support for serializing 'java.sql.Blob'
  • 'AnnotatedCreatorCollector' should avoid processing synthetic static (factory) methods
  • Add errorprone static analysis profile to detect bugs at build time
  • Problem with implicit creator name detection for constructor detection
  • Add 'BeanDeserializerBase.isCaseInsensitive()'
  • Refactoring of 'CollectionDeserializer' to solve CSV array handling issues
  • Full "LICENSE" included in jar for easier access by compliancy tools
  • Fix type resolution for static methods (regression in 2.11.3)
  • '@JsonCreator' on constructor not compatible with '@JsonIdentityInfo', 'PropertyGenerator'
  • Add debug improvements about 'ClassUtil.getClassMethods()'
  • Cannot detect creator arguments of mixins for JDK types
  • Add 'JsonFormat.Shape' awareness for UUID serialization ('UUIDSerializer')
  • Json serialization fails for a specific case that contains generics and static methods with generic parameters (2.11.1 -> 2.11.2 regression)
  • 'ObjectMapper.activateDefaultTypingAsProperty()' is not using parameter 'PolymorphicTypeValidator'
  • Problem deserializing "raw generic" fields (like 'Map') in 2.11.2
  • Fix issues with 'MapLikeType.isTrueMapType()', 'CollectionLikeType.isTrueCollectionType()'
  • Parser/Generator features not set when using 'ObjectMapper.createParser()', 'createGenerator()'
  • Polymorphic subtypes not registering on copied ObjectMapper (2.11.1)
  • Failure to read AnnotatedField value in Jackson 2.11
  • 'TypeFactory.constructType()' does not take 'TypeBindings' correctly
  • Builder Deserialization with JsonCreator Value vs Array
  • JsonCreator on static method in Enum and Enum used as key in map fails randomly
  • 'StdSubtypeResolver' is not thread safe (possibly due to copy not being made with 'ObjectMapper.copy()')
  • "Conflicting setter definitions for property" exception for 'Map' subtype during deserialization
  • Fail to deserialize local Records
  • Rearranging of props when property-based generator is in use leads to incorrect output
  • Jackson doesn't respect 'CAN_OVERRIDE_ACCESS_MODIFIERS=false' for deserializer properties
  • 'DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS' doesn't support 'Map' type field
  • JsonParser from MismatchedInputException cannot getText() for floating-point value
  • i-I case conversion problem in Turkish locale with case-insensitive deserialization
  • '@JsonInject' fails on trying to find deserializer even if inject-only
  • Polymorphic deserialization should handle case-insensitive Type Id property name if 'MapperFeature.ACCEPT_CASE_INSENSITIVE_PROPERTIES' is enabled
  • TreeTraversingParser and UTF8StreamJsonParser create contexts differently
  • Support use of '@JsonAlias' for enum values
  • 'declaringClass' of "enum-as-POJO" not removed for 'ObjectMapper' with a naming strategy
  • Fix 'JavaType.isEnumType()' to support sub-classes
  • BeanDeserializerBuilder Protected Factory Method for Extension
  • Support '@JsonSerialize(keyUsing)' and '@JsonDeserialize(keyUsing)' on Key class
  • Add 'SerializationFeature.WRITE_SELF_REFERENCES_AS_NULL'
  • 'ObjectMapper.registerSubtypes(NamedType...)' doesn't allow registering same POJO for two different type ids
  • 'DeserializationContext.handleMissingInstantiator()' throws 'MismatchedInputException' for non-static inner classes
  • Incorrect 'JsonStreamContext' for 'TokenBuffer' and 'TreeTraversingParser'
  • Add 'AnnotationIntrospector.findRenameByField()' to support Kotlin's "is-getter" naming convention
  • Use '@JsonProperty(index)' for sorting properties on serialization
  • Java 8 'Optional' not working with '@JsonUnwrapped' on unwrappable type
  • Add 'MapperFeature.BLOCK_UNSAFE_POLYMORPHIC_BASE_TYPES' to allow blocking use of unsafe base type for polymorphic deserialization
  • 'ObjectMapper.setSerializationInclusion()' is ignored for 'JsonAnyGetter'
  • 'ValueInstantiationException' when deserializing using a builder and 'UNWRAP_SINGLE_VALUE_ARRAYS'
  • JsonIgnoreProperties(ignoreUnknown = true) does not work on field and method level
  • Failure to resolve generic type parameters on serialization
  • JsonParser cannot getText() for input stream on MismatchedInputException
  • ObjectReader readValue lacks Class<T> argument
  • Change default textual serialization of 'java.util.Date'/'Calendar' to include colon in timezone offset
  • Add 'ObjectMapper.createParser()' and 'createGenerator()' methods
  • Allow serialization of 'Properties' with non-String values
  • Add new factory method for creating custom 'EnumValues' to pass to 'EnumDeserializer'
  • 'IllegalArgumentException' thrown for mismatched subclass deserialization
  • Add convenience methods for creating 'List', 'Map' valued 'ObjectReader's (ObjectMapper.readerForListOf())
  • 'SerializerProvider.findContentValueSerializer()' methods

jackson-dataformats-binary - update from version 2.10.1 to version 2.13.0:

  • (cbor) Should validate UTF-8 multi-byte validity for short decode path too
  • (ion) Deprecate 'CloseSafeUTF8Writer', remove use
  • (smile) Make 'SmileFactory' support 'JsonFactory.Feature.CANONICALIZE_FIELD_NAMES'
  • (cbor) Make 'CBORFactory' support 'JsonFactory.Feature.CANONICALIZE_FIELD_NAMES'
  • (cbor) Handle case of BigDecimal with Integer.MIN_VALUE for scale gracefully
  • (cbor) Uncaught exception in CBORParser._nextChunkedByte2 (by ossfuzzer)
  • (cbor) Another uncaught exception in CBORParser._nextChunkedByte2 (by ossfuzzer)
  • (smile) Add 'SmileGenerator.Feature.LENIENT_UTF_ENCODING' for lenient handling of broken Unicode surrogate pairs on writing
  • (avro) Add 'logicalType' support for some 'java.time' types; add 'AvroJavaTimeModule' for native ser/deser
  • Support base64 strings in 'getBinaryValue()' for CBOR and Smile
  • (cbor) 'ArrayIndexOutOfBounds' for truncated UTF-8 name
  • (avro) Generate logicalType switch
  • (smile) 'ArrayIndexOutOfBounds' for truncated UTF-8 name
  • (ion) 'jackson-dataformat-ion' does not handle null.struct deserialization correctly
  • 'Ion-java' dep 1.4.0 -> 1.8.0
  • Minor change to Ion module registration names (fully-qualified)
  • (cbor) Uncaught exception in CBORParser._findDecodedFromSymbols() (by ossfuzzer)
  • (smile) Uncaught validation problem wrt Smile "BigDecimal" type
  • (smile) ArrayIndexOutOfBoundsException for malformed Smile header
  • (cbor) Failed to handle case of alleged String with length of Integer.MAX_VALUE
  • (smile) Allocate byte[] lazily for longer Smile binary data payloads
  • (cbor) CBORParser need to validate zero-length byte[] for BigInteger
  • (smile) Handle invalid chunked-binary-format length gracefully
  • (smile) Allocate byte[] lazily for longer Smile binary data payloads (7-bit encoded)
  • (smile) ArrayIndexOutOfBoundsException in SmileParser._decodeShortUnicodeValue()
  • (smile) Handle sequence of Smile header markers without recursion
  • (cbor) CBOR loses 'Map' entries with specific 'long' Map key values (32-bit boundary)
  • (ion) Ion Polymorphic deserialization in 2.12 breaks wrt use of Native Type Ids when upgrading from 2.8
  • (cbor) 'ArrayIndexOutOfBoundsException' in 'CBORParser' for invalid UTF-8 String
  • (cbor) Handle invalid CBOR content like '[0x84]' (incomplete array)
  • (ion) Respect 'WRITE_ENUMS_USING_TO_STRING' in 'EnumAsIonSymbolSerializer'
  • (ion) Add support for generating IonSexps
  • (ion) Add support for deserializing IonTimestamps and IonBlobs
  • (ion) Add 'IonObjectMapper.builderForBinaryWriters()' / '.builderforTextualWriters()' convenience methods
  • (ion) Enabling pretty-printing fails Ion serialization
  • (ion) Allow disabling native type ids in IonMapper
  • (smile) Small bug in byte-alignment for long field names in Smile, symbol table reuse
  • (ion) Add 'IonFactory.getIonSystem()' accessor
  • (ion) Optimize 'IonParser.getNumberType()' using 'IonReader.getIntegerSize()'
  • (cbor) Add 'CBORGenerator.Feature.LENIENT_UTF_ENCODING' for lenient handling of Unicode surrogate pairs on writing
  • (cbor) Add support for decoding unassigned "simple values" (type 7)
  • Add Gradle Module Metadata (https://blog.gradle.org/alignment-with-gradle-module-metadata)
  • (avro) Cache record names to avoid hitting class loader
  • (avro) Avro null deserialization
  • (avro) Add 'AvroGenerator.canWriteBinaryNatively()' to support binary writes, fix 'java.util.UUID' representation
  • (ion) Allow 'IonObjectMapper' with class name annotation introspector to deserialize generic subtypes
  • Remove dependencies upon Jackson 1.X and Avro's JacksonUtils
  • 'jackson-databind' should not be full dependency for (cbor, protobuf, smile) modules
  • 'CBORGenerator.Feature.WRITE_MINIMAL_INTS' does not write most compact form for all integers
  • 'AvroGenerator' overrides 'getOutputContext()' properly
  • (avro) Fix schema evolution involving maps of non-scalar
  • (protobuf) Parsing a protobuf message doesn't properly skip unknown fields
  • (ion) IonObjectMapper close()s the provided IonWriter unnecessarily
  • ion-java dependency 1.4.0 -> 1.5.1

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  • openSUSE Leap 15.4
    zypper in -t patch openSUSE-SLE-15.4-2022-1678=1
  • Basesystem Module 15-SP3
    zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP3-2022-1678=1
  • Basesystem Module 15-SP4
    zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP4-2022-1678=1
  • Development Tools Module 15-SP3
    zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP3-2022-1678=1
  • Development Tools Module 15-SP4
    zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP4-2022-1678=1
  • SUSE Linux Enterprise High Performance Computing 15 SP2 ESPOS 15-SP2
    zypper in -t patch SUSE-SLE-Product-HPC-15-SP2-ESPOS-2022-1678=1
  • SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2
    zypper in -t patch SUSE-SLE-Product-HPC-15-SP2-LTSS-2022-1678=1
  • SUSE Linux Enterprise Real Time 15 SP2
    zypper in -t patch SUSE-SLE-Product-RT-15-SP2-2022-1678=1
  • SUSE Linux Enterprise Server 15 SP2 Business Critical Linux 15-SP2
    zypper in -t patch SUSE-SLE-Product-SLES-15-SP2-BCL-2022-1678=1
  • SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2
    zypper in -t patch SUSE-SLE-Product-SLES-15-SP2-LTSS-2022-1678=1
  • SUSE Linux Enterprise Server for SAP Applications 15 SP2
    zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP2-2022-1678=1
  • SUSE Manager Proxy 4.1
    zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Proxy-4.1-2022-1678=1
  • SUSE Manager Retail Branch Server 4.1
    zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Retail-Branch-Server-4.1-2022-1678=1
  • SUSE Manager Server 4.1
    zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Server-4.1-2022-1678=1
  • SUSE Enterprise Storage 7
    zypper in -t patch SUSE-Storage-7-2022-1678=1

Package List:

  • openSUSE Leap 15.4 (noarch)
    • jackson-core-2.13.0-150200.3.6.1
    • jackson-databind-2.13.0-150200.3.9.1
    • jackson-dataformats-binary-2.13.0-150200.3.3.3
    • jackson-core-javadoc-2.13.0-150200.3.6.1
    • jackson-dataformats-binary-javadoc-2.13.0-150200.3.3.3
    • jackson-databind-javadoc-2.13.0-150200.3.9.1
    • jackson-dataformat-cbor-2.13.0-150200.3.3.3
    • jackson-dataformat-smile-2.13.0-150200.3.3.3
    • jackson-annotations-javadoc-2.13.0-150200.3.6.1
    • jackson-annotations-2.13.0-150200.3.6.1
    • jackson-bom-2.13.0-150200.3.3.1
  • Basesystem Module 15-SP3 (noarch)
    • jackson-core-2.13.0-150200.3.6.1
    • jackson-databind-2.13.0-150200.3.9.1
    • jackson-core-javadoc-2.13.0-150200.3.6.1
    • jackson-databind-javadoc-2.13.0-150200.3.9.1
    • jackson-annotations-javadoc-2.13.0-150200.3.6.1
    • jackson-annotations-2.13.0-150200.3.6.1
  • Basesystem Module 15-SP4 (noarch)
    • jackson-core-2.13.0-150200.3.6.1
    • jackson-databind-2.13.0-150200.3.9.1
    • jackson-annotations-2.13.0-150200.3.6.1
  • Development Tools Module 15-SP3 (noarch)
    • jackson-core-2.13.0-150200.3.6.1
    • jackson-dataformat-cbor-2.13.0-150200.3.3.3
    • jackson-databind-2.13.0-150200.3.9.1
    • jackson-annotations-2.13.0-150200.3.6.1
  • Development Tools Module 15-SP4 (noarch)
    • jackson-dataformat-cbor-2.13.0-150200.3.3.3
  • SUSE Linux Enterprise High Performance Computing 15 SP2 ESPOS 15-SP2 (noarch)
    • jackson-core-2.13.0-150200.3.6.1
    • jackson-dataformat-cbor-2.13.0-150200.3.3.3
    • jackson-databind-2.13.0-150200.3.9.1
    • jackson-annotations-2.13.0-150200.3.6.1
  • SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (noarch)
    • jackson-core-2.13.0-150200.3.6.1
    • jackson-dataformat-cbor-2.13.0-150200.3.3.3
    • jackson-databind-2.13.0-150200.3.9.1
    • jackson-annotations-2.13.0-150200.3.6.1
  • SUSE Linux Enterprise Real Time 15 SP2 (noarch)
    • jackson-core-2.13.0-150200.3.6.1
    • jackson-dataformat-cbor-2.13.0-150200.3.3.3
    • jackson-databind-2.13.0-150200.3.9.1
    • jackson-annotations-2.13.0-150200.3.6.1
  • SUSE Linux Enterprise Server 15 SP2 Business Critical Linux 15-SP2 (noarch)
    • jackson-core-2.13.0-150200.3.6.1
    • jackson-dataformat-cbor-2.13.0-150200.3.3.3
    • jackson-databind-2.13.0-150200.3.9.1
    • jackson-annotations-2.13.0-150200.3.6.1
  • SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (noarch)
    • jackson-core-2.13.0-150200.3.6.1
    • jackson-dataformat-cbor-2.13.0-150200.3.3.3
    • jackson-databind-2.13.0-150200.3.9.1
    • jackson-annotations-2.13.0-150200.3.6.1
  • SUSE Linux Enterprise Server for SAP Applications 15 SP2 (noarch)
    • jackson-core-2.13.0-150200.3.6.1
    • jackson-dataformat-cbor-2.13.0-150200.3.3.3
    • jackson-databind-2.13.0-150200.3.9.1
    • jackson-annotations-2.13.0-150200.3.6.1
  • SUSE Manager Proxy 4.1 (noarch)
    • jackson-core-2.13.0-150200.3.6.1
    • jackson-dataformat-cbor-2.13.0-150200.3.3.3
    • jackson-databind-2.13.0-150200.3.9.1
    • jackson-annotations-2.13.0-150200.3.6.1
  • SUSE Manager Retail Branch Server 4.1 (noarch)
    • jackson-core-2.13.0-150200.3.6.1
    • jackson-dataformat-cbor-2.13.0-150200.3.3.3
    • jackson-databind-2.13.0-150200.3.9.1
    • jackson-annotations-2.13.0-150200.3.6.1
  • SUSE Manager Server 4.1 (noarch)
    • jackson-core-2.13.0-150200.3.6.1
    • jackson-dataformat-cbor-2.13.0-150200.3.3.3
    • jackson-databind-2.13.0-150200.3.9.1
    • jackson-annotations-2.13.0-150200.3.6.1
  • SUSE Enterprise Storage 7 (noarch)
    • jackson-core-2.13.0-150200.3.6.1
    • jackson-dataformat-cbor-2.13.0-150200.3.3.3
    • jackson-databind-2.13.0-150200.3.9.1
    • jackson-annotations-2.13.0-150200.3.6.1
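
To confirm the update is in place, the following added example (not part of the SUSE advisory) compares installed jackson package builds against the fixed builds in the package list above. The function names and the `--installed` switch are assumptions of this example, and GNU `sort -V` stands in for rpm's own version comparison.

```shell
#!/bin/sh
# Added example: flag jackson packages older than the builds listed in
# SUSE-SU-2022:1678-1. Not SUSE tooling; helper names are hypothetical.

# Fixed builds, copied from the advisory's package list (name version-release).
FIXED_BUILDS='jackson-core 2.13.0-150200.3.6.1
jackson-databind 2.13.0-150200.3.9.1
jackson-annotations 2.13.0-150200.3.6.1
jackson-bom 2.13.0-150200.3.3.1
jackson-dataformats-binary 2.13.0-150200.3.3.3
jackson-dataformat-cbor 2.13.0-150200.3.3.3
jackson-dataformat-smile 2.13.0-150200.3.3.3'

# version_lt A B: succeeds when A sorts strictly before B.
# Assumption: GNU "sort -V" is an adequate approximation of rpm's comparison
# for the dotted numeric version-release strings used in this advisory.
version_lt() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# fixed_build_for NAME: print the fixed version-release for NAME, or nothing
# when the package is not covered by this advisory.
fixed_build_for() {
    printf '%s\n' "$FIXED_BUILDS" | awk -v n="$1" '$1 == n { print $2 }'
}

# audit_jackson: read "name version-release" lines on stdin, print one verdict
# per package, and return 1 if any covered package is below its fixed build.
audit_jackson() {
    audit_rc=0
    while read -r name installed; do
        [ -n "$name" ] || continue
        fixed=$(fixed_build_for "$name")
        if [ -z "$fixed" ]; then
            echo "SKIP $name (not in this advisory)"
        elif version_lt "$installed" "$fixed"; then
            echo "OUTDATED $name $installed < $fixed"
            audit_rc=1
        else
            echo "OK $name $installed"
        fi
    done
    return "$audit_rc"
}

# Run against the local rpm database only when asked to, so the functions can
# also be sourced and fed a saved inventory from other hosts.
if [ "${1:-}" = "--installed" ]; then
    rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n' 'jackson-*' | audit_jackson
fi
```

A non-zero exit status means at least one covered package is still below the build shipped with this update, which makes the script usable as a gate in configuration management or CI.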
