SUSE: 2022:1678-1 important: jackson-databind, jackson-dataformats-binary, jackson-annotat
Summary
This update for jackson-databind, jackson-dataformats-binary,
jackson-annotations, jackson-bom, jackson-core fixes the following issues:
Security issues fixed:
- CVE-2020-36518: Fixed a Java stack overflow exception and denial of
service via a large depth of nested objects in jackson-databind.
(bsc#1197132)
- CVE-2020-25649: Fixed an insecure entity expansion in jackson-databind
which was vulnerable to XML external entity (XXE). (bsc#1177616)
- CVE-2020-28491: Fixed a bug which could cause
`java.lang.OutOfMemoryError` exception in jackson-dataformats-binary.
(bsc#1182481)
Non security fixes:
jackson-annotations - update from version 2.10.2 to version 2.13.0:
+ Build with source/target levels 8
+ Add 'mvnw' wrapper
+ 'JsonSubType.Type' should accept array of names
+ Jackson version alignment with Gradle 6
+ Add '@JsonIncludeProperties'
+ Add '@JsonTypeInfo(use=DEDUCTION)'
+ Ability to use '@JsonAnyGetter' on fields
+ Add '@JsonKey' annotation
+ Allow repeated calls to 'SimpleObjectIdResolver.bindItem()' for same
mapping
+ Add 'namespace' property for '@JsonProperty' (for XML module)
+ Add target 'ElementType.ANNOTATION_TYPE' for '@JsonEnumDefaultValue'
+ 'JsonPattern.Value.pattern' retained as "", never (accidentally)
exposed as 'null'
+ Rewrite to use `ant` for building in order to be able to use it in
packages that have to be built before maven
jackson-bom - update from version 2.10.2 to version 2.13.0:
+ Configure moditect plugin with '
References
#1177616 #1182481 #1197132
Cross- CVE-2020-25649 CVE-2020-28491 CVE-2020-36518
CVSS scores:
CVE-2020-25649 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CVE-2020-25649 (SUSE): 5.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N
CVE-2020-28491 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE-2020-28491 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE-2020-36518 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE-2020-36518 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Affected Products:
SUSE Enterprise Storage 7
SUSE Linux Enterprise Desktop 15-SP3
SUSE Linux Enterprise Desktop 15-SP4
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS
SUSE Linux Enterprise High Performance Computing 15-SP3
SUSE Linux Enterprise High Performance Computing 15-SP4
SUSE Linux Enterprise Module for Basesystem 15-SP3
SUSE Linux Enterprise Module for Basesystem 15-SP4
SUSE Linux Enterprise Module for Development Tools 15-SP3
SUSE Linux Enterprise Module for Development Tools 15-SP4
SUSE Linux Enterprise Module for SUSE Manager Server 4.3
SUSE Linux Enterprise Realtime Extension 15-SP2
SUSE Linux Enterprise Server 15-SP2-BCL
SUSE Linux Enterprise Server 15-SP2-LTSS
SUSE Linux Enterprise Server 15-SP3
SUSE Linux Enterprise Server 15-SP4
SUSE Linux Enterprise Server for SAP 15-SP2
SUSE Linux Enterprise Server for SAP Applications 15-SP3
SUSE Linux Enterprise Server for SAP Applications 15-SP4
SUSE Manager Proxy 4.1
SUSE Manager Proxy 4.2
SUSE Manager Retail Branch Server 4.1
SUSE Manager Server 4.1
SUSE Manager Server 4.2
SUSE Manager Server 4.3
openSUSE Leap 15.3
openSUSE Leap 15.4
https://www.suse.com/security/cve/CVE-2020-25649.html
https://www.suse.com/security/cve/CVE-2020-28491.html
https://www.suse.com/security/cve/CVE-2020-36518.html
https://bugzilla.suse.com/1177616
https://bugzilla.suse.com/1182481
https://bugzilla.suse.com/1197132