SUSE-SU-2022:1678-1: important: Security update for jackson-databind, jackson-dataformats-binary, jackson-annotations, jackson-bom, jackson-core

sle-security-updates at lists.suse.com
Mon May 16 13:30:17 UTC 2022


   SUSE Security Update: Security update for jackson-databind, jackson-dataformats-binary, jackson-annotations, jackson-bom, jackson-core
______________________________________________________________________________

Announcement ID:    SUSE-SU-2022:1678-1
Rating:             important
References:         #1177616 #1182481 #1197132 
Cross-References:   CVE-2020-25649 CVE-2020-28491 CVE-2020-36518
                   
CVSS scores:
                    CVE-2020-25649 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
                    CVE-2020-25649 (SUSE): 5.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N
                    CVE-2020-28491 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2020-28491 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2020-36518 (NVD) : 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
                    CVE-2020-36518 (SUSE): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Products:
                    SUSE Enterprise Storage 7
                    SUSE Linux Enterprise Desktop 15-SP3
                    SUSE Linux Enterprise Desktop 15-SP4
                    SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS
                    SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS
                    SUSE Linux Enterprise High Performance Computing 15-SP3
                    SUSE Linux Enterprise High Performance Computing 15-SP4
                    SUSE Linux Enterprise Module for Basesystem 15-SP3
                    SUSE Linux Enterprise Module for Basesystem 15-SP4
                    SUSE Linux Enterprise Module for Development Tools 15-SP3
                    SUSE Linux Enterprise Module for Development Tools 15-SP4
                    SUSE Linux Enterprise Module for SUSE Manager Server 4.3
                    SUSE Linux Enterprise Realtime Extension 15-SP2
                    SUSE Linux Enterprise Server 15-SP2-BCL
                    SUSE Linux Enterprise Server 15-SP2-LTSS
                    SUSE Linux Enterprise Server 15-SP3
                    SUSE Linux Enterprise Server 15-SP4
                    SUSE Linux Enterprise Server for SAP 15-SP2
                    SUSE Linux Enterprise Server for SAP Applications 15-SP3
                    SUSE Linux Enterprise Server for SAP Applications 15-SP4
                    SUSE Manager Proxy 4.1
                    SUSE Manager Proxy 4.2
                    SUSE Manager Retail Branch Server 4.1
                    SUSE Manager Server 4.1
                    SUSE Manager Server 4.2
                    SUSE Manager Server 4.3
                    openSUSE Leap 15.3
                    openSUSE Leap 15.4
______________________________________________________________________________

   An update that fixes three vulnerabilities is now available.

Description:

   This update for jackson-databind, jackson-dataformats-binary,
   jackson-annotations, jackson-bom, jackson-core fixes the following issues:

   Security issues fixed:

   - CVE-2020-36518: Fixed a Java stack overflow exception and denial of
     service via a large depth of nested objects in jackson-databind.
     (bsc#1197132)
   - CVE-2020-25649: Fixed an insecure entity expansion in jackson-databind
     which was vulnerable to XML external entity (XXE). (bsc#1177616)
   - CVE-2020-28491: Fixed a bug which could cause a
     `java.lang.OutOfMemoryError` in jackson-dataformats-binary.
     (bsc#1182481)
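   The fix for CVE-2020-36518 above addresses deeply nested input inside
   jackson-databind itself. The following is an added example, not SUSE's or
   the Jackson project's code, of an application-level guard that a defender
   can put in front of ObjectMapper: it walks the document with the streaming
   parser from jackson-core (which tracks nesting with a heap-allocated
   context chain rather than recursion), counts START_OBJECT/START_ARRAY
   nesting, and rejects the document with a controlled exception once the
   depth passes a limit, before the recursive deserializers in databind ever
   see it. The class name NestingDepthGuard, the MAX_DEPTH value and the two
   sample documents are assumptions constructed for the example; it expects
   jackson-core and jackson-databind 2.13 (as shipped by this update) on the
   classpath, since 'JsonParser.currentLocation()' is a 2.13 method.

```java
import com.fasterxml.jackson.core.JsonFactory;
import com.fasterxml.jackson.core.JsonParser;
import com.fasterxml.jackson.core.JsonToken;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;

import java.io.IOException;

/**
 * Added example, not SUSE's or the Jackson project's code: reject JSON whose
 * nesting depth exceeds a limit before it reaches ObjectMapper.  The streaming
 * parser keeps its nesting state in a context chain on the heap, so iterating
 * over the tokens does not grow the call stack; the recursive binding in
 * databind is where a deeply nested document would otherwise overflow it.
 */
public final class NestingDepthGuard {

    /** Assumed limit; size it to what your data model actually needs. */
    static final int MAX_DEPTH = 100;

    private static final JsonFactory FACTORY = new JsonFactory();
    private static final ObjectMapper MAPPER = new ObjectMapper(FACTORY);

    /**
     * Returns the deepest nesting level seen in {@code json}, or throws an
     * IOException as soon as the depth exceeds {@code maxDepth}.
     */
    static int checkDepth(String json, int maxDepth) throws IOException {
        int depth = 0;
        int deepest = 0;
        try (JsonParser p = FACTORY.createParser(json)) {
            JsonToken t;
            while ((t = p.nextToken()) != null) {
                if (t.isStructStart()) {          // START_OBJECT or START_ARRAY
                    depth++;
                    if (depth > maxDepth) {
                        throw new IOException("nesting depth exceeds " + maxDepth
                                + " at " + p.currentLocation());
                    }
                    deepest = Math.max(deepest, depth);
                } else if (t.isStructEnd()) {     // END_OBJECT or END_ARRAY
                    depth--;
                }
            }
        }
        return deepest;
    }

    /** Bind the document to a tree only once the depth check has passed. */
    static JsonNode readTreeBounded(String json) throws IOException {
        checkDepth(json, MAX_DEPTH);
        return MAPPER.readTree(json);
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample inputs: a small benign document, and one made of
        // nothing but opening and closing brackets, far deeper than MAX_DEPTH.
        String benign = "{\"user\":{\"name\":\"alice\",\"roles\":[\"admin\",\"ops\"]}}";
        StringBuilder deep = new StringBuilder();
        for (int i = 0; i < 5_000; i++) deep.append('[');
        for (int i = 0; i < 5_000; i++) deep.append(']');

        System.out.println("benign document depth: " + checkDepth(benign, MAX_DEPTH));
        System.out.println("benign document parsed: " + readTreeBounded(benign));
        try {
            readTreeBounded(deep.toString());
            System.out.println("deep document accepted (unexpected)");
        } catch (IOException e) {
            System.out.println("deep document rejected: " + e.getMessage());
        }
    }
}
```

   The guard parses the input twice, which is a deliberate trade: the
   streaming pass is cheap and linear, and it is the only pass that is
   guaranteed not to recurse. When the input is a stream rather than a
   String, buffer it first (with a size limit) so both passes see the same
   bytes. The same pattern applies to the binary formats patched here
   (CBOR, Smile) by creating the parser from the corresponding factory
   instead of 'JsonFactory'.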

   Non-security fixes:

   jackson-annotations - update from version 2.10.2 to version 2.13.0:

      + Build with source/target levels 8
      + Add 'mvnw' wrapper
      + 'JsonSubType.Type' should accept array of names
      + Jackson version alignment with Gradle 6
      + Add '@JsonIncludeProperties'
      + Add '@JsonTypeInfo(use=DEDUCTION)'
      + Ability to use '@JsonAnyGetter' on fields
      + Add '@JsonKey' annotation
      + Allow repeated calls to 'SimpleObjectIdResolver.bindItem()' for same
        mapping
      + Add 'namespace' property for '@JsonProperty' (for XML module)
      + Add target 'ElementType.ANNOTATION_TYPE' for '@JsonEnumDefaultValue'
      + 'JsonPattern.Value.pattern' retained as "", never (accidentally)
        exposed as 'null'
      + Rewrite to use `ant` for building in order to be able to use it in
        packages that have to be built before maven

   jackson-bom - update from version 2.10.2 to version 2.13.0:

      + Configure moditect plugin with '<jvmVersion>11</jvmVersion>'
      + jackson-bom manages the version of 'junit:junit'
      + Drop 'jackson-datatype-hibernate3' (support for Hibernate 3.x
        datatypes)
      + Removed "jakarta" classifier variants of JAXB/JSON-P/JAX-RS modules
        due to the addition of new Jakarta artifacts (Jakarta-JSONP,
        Jakarta-xmlbind-annotations, Jakarta-rs-providers)
      + Add version for 'jackson-datatype-jakarta-jsonp' module (introduced
        after 2.12.2)
      + Add (beta) version for 'jackson-dataformat-toml'
      + Jakarta 9 artifact versions are missing from jackson-bom
      + Add default settings for 'gradle-module-metadata-maven-plugin'
        (gradle metadata)
      + Add default settings for 'build-helper-maven-plugin'
      + Drop 'jackson-module-scala_2.10' entry (not released for Jackson 2.12
        or later)
      + Add override for 'version.plugin.bundle' (for 5.1.1) to help build on
        JDK 15+
      + Add missing version for jackson-datatype-eclipse-collections

   jackson-core - update from version 2.10.2 to version 2.13.0:

      + Build with source and target levels 8
      + Misleading exception for input source when processing byte buffer
        with start offset
      + Escape contents of source document snippet for
        'JsonLocation._appendSourceDesc()'
      + Add 'StreamWriteException' type to eventually replace
        'JsonGenerationException'
      + Replace 'getCurrentLocation()'/'getTokenLocation()' with
        'currentLocation()'/'currentTokenLocation()' in 'JsonParser'
      + Replace 'JsonGenerator.writeObject()' (and related) with 'writePOJO()'
      + Replace 'getCurrentValue()'/'setCurrentValue()' with
        'currentValue()'/'assignCurrentValue()' in 'JsonParser'/'JsonGenerator'
      + Introduce O(n^1.5) BigDecimal parser implementation
      + ByteQuadsCanonicalizer.addName(String, int, int) has incorrect
        handling for case of q2 == null
      + UTF32Reader ArrayIndexOutOfBoundsException
      + Improve exception/JsonLocation handling for binary content: don't
        show content, include byte offset
      + Fix an issue with the TokenFilter unable to ignore properties when
        deserializing.
      + Optimize array allocation by 'JsonStringEncoder'
      + Add 'mvnw' wrapper
      + (partial) Optimize array allocation by 'JsonStringEncoder'
      + Add back accidentally removed 'JsonStringEncoder' related methods in
        'BufferRecyclers' (like 'getJsonStringEncoder()')
      + 'ArrayOutOfBoundException' at
        'WriterBasedJsonGenerator.writeString(Reader, int)'
      + Allow "optional-padding" for 'Base64Variant'
      + More customizable TokenFilter inclusion (using
        'Tokenfilter.Inclusion')
      + Publish Gradle Module Metadata
      + Add 'StreamReadCapability' for further format-based/format-agnostic
        handling improvements
      + Add 'JsonParser.isExpectedNumberIntToken()' convenience method
      + Add 'StreamWriteCapability' for further format-based/format-agnostic
        handling improvements
      + Add 'JsonParser.getNumberValueExact()' to allow precision-retaining
        buffering
      + Limit initial allocated block size by 'ByteArrayBuilder' to max block
        size
      + Add 'JacksonException' as parent class of 'JsonProcessingException'
      + Make 'JsonWriteContext.reset()' and 'JsonReadContext.reset()' methods
        public
      + Deprecate 'JsonParser.getCurrentTokenId()' (use '#currentTokenId()'
        instead)
      + Full "LICENSE" included in jar for easier access by compliancy tools
      + Fix NPE in 'writeNumber(String)' method of 'UTF8JsonGenerator',
        'WriterBasedJsonGenerator'
      + Add a String Array write method in the Streaming API
      + Synchronize variants of 'JsonGenerator#writeNumberField' with
        'JsonGenerator#writeNumber'
      + Add JsonGenerator#writeNumber(char[], int, int) method
      + Do not clear aggregated contents of 'TextBuffer' when
        'releaseBuffers()' called
      + 'FilteringGeneratorDelegate' does not handle 'writeString(Reader,
        int)'
      + Optionally allow leading decimal in float tokens
      + Rewrite to use ant for building in order to be able to use it in
        packages that have to be built before maven
      + Parsing JSON with 'ALLOW_MISSING_VALUE' enabled results in endless
        stream of 'VALUE_NULL' tokens
      + Handle case when system property access is restricted
      + 'FilteringGeneratorDelegate' does not handle 'writeString(Reader,
        int)'
      + DataFormatMatcher#getMatchedFormatName throws NPE when no match exists
      + 'JsonParser.getCurrentLocation()' byte/char offset update incorrectly
        for big payloads

   jackson-databind - update from version 2.10.5.1 to version 2.13.0:

      + '@JsonValue' with integer for enum does not deserialize correctly
      + 'AnnotatedMethod.getValue()/setValue()' doesn't have useful exception
        message
      + Add 'DatabindException' as intermediate subtype of
        'JsonMappingException'
      + Jackson does not support deserializing new Java 9 unmodifiable
        collections
      + Allocate TokenBuffer instance via context objects (to allow
        format-specific buffer types)
      + Add mechanism for setting default 'ContextAttributes' for
        'ObjectMapper'
      + Add 'DeserializationContext.readTreeAsValue()' methods for more
        convenient conversions for deserializers to use
      + Clean up support of typed "unmodifiable", "singleton"
        Maps/Sets/Collections
      + Extend internal bitfield of 'MapperFeature' to be 'long'
      + Add 'removeMixIn()' method in 'MapperBuilder'
      + Backport 'MapperBuilder' lambda-taking methods:
        'withConfigOverride()', 'withCoercionConfig()',
        'withCoercionConfigDefaults()'
      + configOverrides(boolean.class) silently ignored, whereas
        .configOverride(Boolean.class) works for both primitives and boxed
        boolean values
      + Don't track unknown props in buffer if 'ignoreAllUnknown' is true
      + Should allow deserialization of java.time types via
        opaque 'JsonToken.VALUE_EMBEDDED_OBJECT'
      + Optimize "AnnotatedConstructor.call()" case by passing explicit null
      + Add AnnotationIntrospector.XmlExtensions interface for decoupling
        javax dependencies
      + Custom SimpleModule not included in list returned by
        ObjectMapper.getRegisteredModuleIds() after registration
      + Use more limiting default visibility settings for JDK types (java.*,
        javax.*)
      + Deep merge for 'JsonNode' using 'ObjectReader.readTree()'
      + IllegalArgumentException: Conflicting setter definitions for property
        with more than 2 setters
      + Serializing java.lang.Thread fails on JDK 11 and above
      + String-based 'Map' key deserializer is not deterministic when there
        is no single arg constructor
      + Add ArrayNode#set(int index, primitive_type value)
      + JsonStreamContext "currentValue" wrongly references to
        '@JsonTypeInfo' annotated object
      + DOM 'Node' serialization omits the default namespace declaration
      + Support 'suppressed' property when deserializing 'Throwable'
      + 'AnnotatedMember.equals()' does not work reliably
      + Add 'MapperFeature.APPLY_DEFAULT_VALUES', initially for Scala module
      + For an absent property Jackson injects 'NullNode' instead of 'null'
        to a JsonNode-typed constructor argument of a
        '@ConstructorProperties'-annotated constructor
      + 'XMLGregorianCalendar' doesn't work with default typing
      + Content 'null' handling not working for root values
      + StdDeserializer rejects blank (all-whitespace) strings for ints
      + 'USE_BASE_TYPE_AS_DEFAULT_IMPL' not working with
        'DefaultTypeResolverBuilder'
      + Add PropertyNamingStrategies.UpperSnakeCaseStrategy (and
        UPPER_SNAKE_CASE constant)
      + StackOverflowError when serializing JsonProcessingException
      + Support for BCP 47 'java.util.Locale' serialization/deserialization
      + String property deserializes null as "null" for
        JsonTypeInfo.As.EXISTING_PROPERTY
      + Can not deserialize json to enum value with Object-/Array-valued
        input, '@JsonCreator'
      + Fix to avoid problem with 'BigDecimalNode', scale of
        'Integer.MIN_VALUE'
      + Extend handling of 'FAIL_ON_NULL_FOR_PRIMITIVES' to cover coercion
        from (Empty) String via 'AsNull'
      + Add 'mvnw' wrapper
      + (regression) Factory method generic type resolution does not use
        Class-bound type parameter
      + Deserialization of "empty" subtype with DEDUCTION failed
      + Merge findInjectableValues() results in AnnotationIntrospectorPair
      + READ_UNKNOWN_ENUM_VALUES_USING_DEFAULT_VALUE doesn't work with empty
        strings
      + 'TypeFactory' cannot convert 'Collection' sub-type without type
        parameters to canonical form and back
      + Fix for [modules-java8#207]: prevent fail on secondary Java 8
        date/time types
      + EXTERNAL_PROPERTY does not work well with '@JsonCreator' and
        'FAIL_ON_UNKNOWN_PROPERTIES'
      + String property deserializes null as "null" for
        'JsonTypeInfo.As.EXTERNAL_PROPERTY'
      + Property ignorals cause 'BeanDeserializer' to forget how to read from
        arrays (not copying '_arrayDelegateDeserializer')
      + 'UntypedObjectDeserializer' mixes multiple unwrapped collections
        (related to #2733)
      + Two cases of incorrect error reporting about DeserializationFeature
      + Bug in polymorphic deserialization with '@JsonCreator',
        '@JsonAnySetter', 'JsonTypeInfo.As.EXTERNAL_PROPERTY'
      + Polymorphic subtype deduction ignores 'defaultImpl' attribute
      + MismatchedInputException: Cannot deserialize instance of
        'com.fasterxml.jackson.databind.node.ObjectNode' out of VALUE_NULL
        token
      + Missing override for 'hasAsKey()' in 'AnnotationIntrospectorPair'
      + Creator lookup fails with 'InvalidDefinitionException' for conflict
        between single-double/single-Double arg constructor
      + 'MapDeserializer' forcing 'JsonMappingException' wrapping even if
        WRAP_EXCEPTIONS set to false
      + Auto-detection of constructor-based creator method skipped if there
        is an annotated factory-based creator method (regression from 2.11)
      + 'ObjectMapper.treeToValue()' no longer invokes
        'JsonDeserializer.getNullValue()'
      + DeserializationProblemHandler is not invoked when trying to
        deserialize String
      + Fix failing 'double' JsonCreators in jackson 2.12.0
      + Conflicting in POJOPropertiesCollector when having namingStrategy
      + Breaking API change in 'BasicClassIntrospector' (2.12.0)
      + 'JsonNode.requiredAt()' does NOT fail on some path expressions
      + Exception thrown when 'Collections.synchronizedList()' is serialized
        with type info, deserialized
      + Add option to resolve type from multiple existing properties,
        '@JsonTypeInfo(use=DEDUCTION)'
      + '@JsonIgnoreProperties' does not prevent Exception Conflicting
        getter/setter definitions for property
      + Deserialization Not Working Right with Generic Types and Builders
      + Add '@JsonIncludeProperties(propertyNames)' (reverse of
        '@JsonIgnoreProperties')
      + '@JsonAnyGetter' should be allowed on a field
      + Allow handling of single-arg constructor as property based by default
      + Allow case insensitive deserialization of String value into
        'boolean'/'Boolean' (esp for Excel)
      + Allow use of '@JsonFormat(with=JsonFormat.Feature
        .ACCEPT_CASE_INSENSITIVE_PROPERTIES)' on Class
      + Abstract class included as part of known type ids for error message
        when using JsonSubTypes
      + Distinguish null from empty string for UUID deserialization
      + 'ReferenceType' does not expose valid containedType
      + Add 'CoercionConfig[s]' mechanism for configuring allowed coercions
      + 'JsonProperty.Access.READ_ONLY' does not work with "getter-as-setter"
        'Collection's
      + Support 'BigInteger' and 'BigDecimal' creators in
        'StdValueInstantiator'
      + 'JsonProperty.Access.READ_ONLY' fails with collections when a
        property name is specified
      + 'BigDecimal' precision not retained for polymorphic deserialization
      + Support use of 'Void' valued properties
        ('MapperFeature.ALLOW_VOID_VALUED_PROPERTIES')
      + Explicitly fail (de)serialization of 'java.time.*' types in absence
        of registered custom (de)serializers
      + Improve the description produced by
        'DeserializationContext.handleUnexpectedToken()'
      + Support for JDK 14 record types ('java.lang.Record')
      + 'PropertyNamingStrategy' class initialization depends on its subclass,
        this can lead to class loading deadlock
      + 'FAIL_ON_IGNORED_PROPERTIES' does not throw on 'READONLY' properties
        with an explicit name
      + Add Gradle Module Metadata for version alignment with Gradle 6
      + Allow 'JsonNode' auto-convert into 'ArrayNode' if duplicates found
        (for XML)
      + Allow values of "untyped" auto-convert into 'List' if duplicates
        found (for XML)
      + Add 'ValueInstantiator.createContextual(...)'
      + Support multiple names in 'JsonSubType.Type'
      + Disabling 'FAIL_ON_INVALID_SUBTYPE' breaks polymorphic
        deserialization of Enums
      + Explicitly fail (de)serialization of 'org.joda.time.*' types in
        absence of registered custom (de)serializers
      + Trailing zeros are stripped when deserializing BigDecimal values
        inside a @JsonUnwrapped property
      + Extract getter/setter/field name mangling from 'BeanUtil' into
        pluggable 'AccessorNamingStrategy'
      + Throw 'InvalidFormatException' instead of 'MismatchedInputException'
        for ACCEPT_FLOAT_AS_INT coercion failures
      + Add '@JsonKey' annotation (similar to '@JsonValue') for customizable
        serialization of Map keys
      + 'MapperFeature.ACCEPT_CASE_INSENSITIVE_ENUMS' should work for enum as
        keys
      + Add support for disabling special handling of "Creator properties"
        wrt alphabetic property ordering
      + Add 'JsonNode.canConvertToExactIntegral()' to indicate whether
        floating-point/BigDecimal values could be converted to integers
        losslessly
      + Improve static factory method generic type resolution logic
      + Allow preventing "Enum from integer" coercion using new
        'CoercionConfig' system
      + '@JsonValue' not considered when evaluating inclusion
      + Make some java platform modules optional
      + Add support for serializing 'java.sql.Blob'
      + 'AnnotatedCreatorCollector' should avoid processing synthetic static
        (factory) methods
      + Add errorprone static analysis profile to detect bugs at build time
      + Problem with implicit creator name detection for constructor detection
      + Add 'BeanDeserializerBase.isCaseInsensitive()'
      + Refactoring of 'CollectionDeserializer' to solve CSV array handling
        issues
      + Full "LICENSE" included in jar for easier access by compliancy tools
      + Fix type resolution for static methods (regression in 2.11.3)
      + '@JsonCreator' on constructor not compatible with
        '@JsonIdentityInfo', 'PropertyGenerator'
      + Add debug improvements about 'ClassUtil.getClassMethods()'
      + Cannot detect creator arguments of mixins for JDK types
      + Add 'JsonFormat.Shape' awareness for UUID serialization
        ('UUIDSerializer')
      + Json serialization fails for a specific case that contains generics
        and static methods with generic parameters (2.11.1 -> 2.11.2
        regression)
      + 'ObjectMapper.activateDefaultTypingAsProperty()' is not using
        parameter 'PolymorphicTypeValidator'
      + Problem deserialization "raw generic" fields (like 'Map') in 2.11.2
      + Fix issues with 'MapLikeType.isTrueMapType()',
        'CollectionLikeType.isTrueCollectionType()'
      + Parser/Generator features not set when using
        'ObjectMapper.createParser()', 'createGenerator()'
      + Polymorphic subtypes not registering on copied ObjectMapper (2.11.1)
      + Failure to read AnnotatedField value in Jackson 2.11
      + 'TypeFactory.constructType()' does not take 'TypeBindings' correctly
      + Builder Deserialization with JsonCreator Value vs Array
      + JsonCreator on static method in Enum and Enum used as key in map
        fails randomly
      + 'StdSubtypeResolver' is not thread safe (possibly due to copy not
        being made with 'ObjectMapper.copy()')
      + "Conflicting setter definitions for property" exception for 'Map'
        subtype during deserialization
      + Fail to deserialize local Records
      + Rearranging of props when property-based generator is in use leads to
        incorrect output
      + Jackson doesn't respect 'CAN_OVERRIDE_ACCESS_MODIFIERS=false' for
        deserializer properties
      + 'DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS' doesn't support
        'Map' type field
      + JsonParser from MismatchedInputException cannot getText() for
        floating-point value
      + i-I case conversion problem in Turkish locale with case-insensitive
        deserialization
      + '@JsonInject' fails on trying to find deserializer even if inject-only
      + Polymorphic deserialization should handle case-insensitive Type Id
        property name if 'MapperFeature.ACCEPT_CASE_INSENSITIVE_PROPERTIES'
        is enabled
      + TreeTraversingParser and UTF8StreamJsonParser create contexts
        differently
      + Support use of '@JsonAlias' for enum values
      + 'declaringClass' of "enum-as-POJO" not removed for 'ObjectMapper'
        with a naming strategy
      + Fix 'JavaType.isEnumType()' to support sub-classes
      + BeanDeserializerBuilder Protected Factory Method for Extension
      + Support '@JsonSerialize(keyUsing)' and '@JsonDeserialize(keyUsing)'
        on Key class
      + Add 'SerializationFeature.WRITE_SELF_REFERENCES_AS_NULL'
      + 'ObjectMapper.registerSubtypes(NamedType...)' doesn't allow
        registering same POJO for two different type ids
      + 'DeserializationContext.handleMissingInstantiator()' throws
        'MismatchedInputException' for non-static inner classes
      + Incorrect 'JsonStreamContext' for 'TokenBuffer' and
        'TreeTraversingParser'
      + Add 'AnnotationIntrospector.findRenameByField()' to support Kotlin's
        "is-getter" naming convention
      + Use '@JsonProperty(index)' for sorting properties on serialization
      + Java 8 'Optional' not working with '@JsonUnwrapped' on unwrappable
        type
      + Add 'MapperFeature.BLOCK_UNSAFE_POLYMORPHIC_BASE_TYPES' to allow
        blocking use of unsafe base type for polymorphic deserialization
      + 'ObjectMapper.setSerializationInclusion()' is ignored for
        'JsonAnyGetter'
      + 'ValueInstantiationException' when deserializing using a builder and
        'UNWRAP_SINGLE_VALUE_ARRAYS'
      + JsonIgnoreProperties(ignoreUnknown = true) does not work on field and
        method level
      + Failure to resolve generic type parameters on serialization
      + JsonParser cannot getText() for input stream on
        MismatchedInputException
      + ObjectReader readValue lacks Class<T> argument
      + Change default textual serialization of 'java.util.Date'/'Calendar'
        to include colon in timezone offset
      + Add 'ObjectMapper.createParser()' and 'createGenerator()' methods
      + Allow serialization of 'Properties' with non-String values
      + Add new factory method for creating custom 'EnumValues' to pass to
        'EnumDeserializer'
      + 'IllegalArgumentException' thrown for mismatched subclass
        deserialization
      + Add convenience methods for creating 'List', 'Map' valued
        'ObjectReader's (ObjectMapper.readerForListOf())
      + 'SerializerProvider.findContentValueSerializer()' methods

   jackson-dataformats-binary - update from version 2.10.1 to version 2.13.0:

      + (cbor) Should validate UTF-8 multi-byte validity for short decode
        path too
      + (ion) Deprecate 'CloseSafeUTF8Writer', remove use
      + (smile) Make 'SmileFactory' support
        'JsonFactory.Feature.CANONICALIZE_FIELD_NAMES'
      + (cbor) Make 'CBORFactory' support
        'JsonFactory.Feature.CANONICALIZE_FIELD_NAMES'
      + (cbor) Handle case of BigDecimal with Integer.MIN_VALUE for scale
        gracefully
      + (cbor) Uncaught exception in CBORParser._nextChunkedByte2 (by
        ossfuzzer)
      + (cbor) Another uncaught exception in CBORParser._nextChunkedByte2 (by
        ossfuzzer)
      + (smile) Add 'SmileGenerator.Feature.LENIENT_UTF_ENCODING' for lenient
        handling of broken Unicode surrogate pairs on writing
      + (avro) Add 'logicalType' support for some 'java.time' types; add
        'AvroJavaTimeModule' for native ser/deser
      + Support base64 strings in 'getBinaryValue()' for CBOR and Smile
      + (cbor) 'ArrayIndexOutOfBounds' for truncated UTF-8 name
      + (avro) Generate logicalType switch
      + (smile) 'ArrayIndexOutOfBounds' for truncated UTF-8 name
      + (ion) 'jackson-dataformat-ion' does not handle null.struct
        deserialization correctly
      + 'Ion-java' dep 1.4.0 -> 1.8.0
      + Minor change to Ion module registration names (fully-qualified)
      + (cbor) Uncaught exception in CBORParser._nextChunkedByte2 (by
        ossfuzzer)
      + (cbor) Uncaught exception in CBORParser._findDecodedFromSymbols() (by
        ossfuzzer)
      + (smile) Uncaught validation problem wrt Smile "BigDecimal" type
      + (smile) ArrayIndexOutOfBoundsException for malformed Smile header
      + (cbor) Failed to handle case of alleged String with length of
        Integer.MAX_VALUE
      + (smile) Allocate byte[] lazily for longer Smile binary data payloads
      + (cbor) CBORParser need to validate zero-length byte[] for BigInteger
      + (smile) Handle invalid chunked-binary-format length gracefully
      + (smile) Allocate byte[] lazily for longer Smile binary data payloads
        (7-bit encoded)
      + (smile) ArrayIndexOutOfBoundsException in
        SmileParser._decodeShortUnicodeValue()
      + (smile) Handle sequence of Smile header markers without recursion
      + (cbor) CBOR loses 'Map' entries with specific 'long' Map key values
        (32-bit boundary)
      + (ion) Ion Polymorphic deserialization in 2.12 breaks wrt use of
        Native Type Ids when upgrading from 2.8
      + (cbor) 'ArrayIndexOutOfBoundsException' in 'CBORParser' for invalid
        UTF-8 String
      + (cbor) Handle invalid CBOR content like '[0x84]' (incomplete array)
      + (ion) Respect 'WRITE_ENUMS_USING_TO_STRING' in
        'EnumAsIonSymbolSerializer'
      + (ion) Add support for generating IonSexps
      + (ion) Add support for deserializing IonTimestamps and IonBlobs
      + (ion) Add 'IonObjectMapper.builderForBinaryWriters()' /
        '.builderForTextualWriters()' convenience methods
      + (ion) Enabling pretty-printing fails Ion serialization
      + (ion) Allow disabling native type ids in IonMapper
      + (smile) Small bug in byte-alignment for long field names in Smile,
        symbol table reuse
      + (ion) Add 'IonFactory.getIonSystem()' accessor
      + (ion) Optimize 'IonParser.getNumberType()' using
        'IonReader.getIntegerSize()'
      + (cbor) Add 'CBORGenerator.Feature.LENIENT_UTF_ENCODING' for lenient
        handling of Unicode surrogate pairs on writing
      + (cbor) Add support for decoding unassigned "simple values" (type 7)
      + Add Gradle Module Metadata
        (https://blog.gradle.org/alignment-with-gradle-module-metadata)
      + (avro) Cache record names to avoid hitting class loader
      + (avro) Avro null deserialization
      + (ion) Add 'IonFactory.getIonSystem()' accessor
      + (avro) Add 'AvroGenerator.canWriteBinaryNatively()' to support binary
        writes, fix 'java.util.UUID' representation
      + (ion) Allow 'IonObjectMapper' with class name annotation introspector
        to deserialize generic subtypes
      + Remove dependencies upon Jackson 1.X and Avro's JacksonUtils
      + 'jackson-databind' should not be full dependency for (cbor, protobuf,
        smile) modules
      + 'CBORGenerator.Feature.WRITE_MINIMAL_INTS' does not write most
        compact form for all integers
      + 'AvroGenerator' overrides 'getOutputContext()' properly
      + (ion) Add 'IonFactory.getIonSystem()' accessor
      + (avro) Fix schema evolution involving maps of non-scalar
      + (protobuf) Parsing a protobuf message doesn't properly skip unknown
        fields
      + (ion) IonObjectMapper close()s the provided IonWriter unnecessarily
      + ion-java dependency 1.4.0 -> 1.5.1


Patch Instructions:

   To install this SUSE Security Update, use the SUSE recommended installation
   methods like YaST online_update or "zypper patch".

   Alternatively you can run the command listed for your product:

   - openSUSE Leap 15.4:

      zypper in -t patch openSUSE-SLE-15.4-2022-1678=1

   - openSUSE Leap 15.3:

      zypper in -t patch openSUSE-SLE-15.3-2022-1678=1

   - SUSE Manager Server 4.1:

      zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Server-4.1-2022-1678=1

   - SUSE Manager Retail Branch Server 4.1:

      zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Retail-Branch-Server-4.1-2022-1678=1

   - SUSE Manager Proxy 4.1:

      zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Proxy-4.1-2022-1678=1

   - SUSE Linux Enterprise Server for SAP 15-SP2:

      zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP2-2022-1678=1

   - SUSE Linux Enterprise Server 15-SP2-LTSS:

      zypper in -t patch SUSE-SLE-Product-SLES-15-SP2-LTSS-2022-1678=1

   - SUSE Linux Enterprise Server 15-SP2-BCL:

      zypper in -t patch SUSE-SLE-Product-SLES-15-SP2-BCL-2022-1678=1

   - SUSE Linux Enterprise Realtime Extension 15-SP2:

      zypper in -t patch SUSE-SLE-Product-RT-15-SP2-2022-1678=1

   - SUSE Linux Enterprise Module for SUSE Manager Server 4.3:

      zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Server-4.3-2022-1678=1

   - SUSE Linux Enterprise Module for Development Tools 15-SP4:

      zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP4-2022-1678=1

   - SUSE Linux Enterprise Module for Development Tools 15-SP3:

      zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP3-2022-1678=1

   - SUSE Linux Enterprise Module for Basesystem 15-SP4:

      zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP4-2022-1678=1

   - SUSE Linux Enterprise Module for Basesystem 15-SP3:

      zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP3-2022-1678=1

   - SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS:

      zypper in -t patch SUSE-SLE-Product-HPC-15-SP2-LTSS-2022-1678=1

   - SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS:

      zypper in -t patch SUSE-SLE-Product-HPC-15-SP2-ESPOS-2022-1678=1

   - SUSE Enterprise Storage 7:

      zypper in -t patch SUSE-Storage-7-2022-1678=1



Package List:

   - openSUSE Leap 15.4 (noarch):

      jackson-annotations-2.13.0-150200.3.6.1
      jackson-annotations-javadoc-2.13.0-150200.3.6.1
      jackson-bom-2.13.0-150200.3.3.1
      jackson-core-2.13.0-150200.3.6.1
      jackson-core-javadoc-2.13.0-150200.3.6.1
      jackson-databind-2.13.0-150200.3.9.1
      jackson-databind-javadoc-2.13.0-150200.3.9.1
      jackson-dataformat-cbor-2.13.0-150200.3.3.3
      jackson-dataformat-smile-2.13.0-150200.3.3.3
      jackson-dataformats-binary-2.13.0-150200.3.3.3
      jackson-dataformats-binary-javadoc-2.13.0-150200.3.3.3

   - openSUSE Leap 15.3 (noarch):

      jackson-annotations-2.13.0-150200.3.6.1
      jackson-annotations-javadoc-2.13.0-150200.3.6.1
      jackson-bom-2.13.0-150200.3.3.1
      jackson-core-2.13.0-150200.3.6.1
      jackson-core-javadoc-2.13.0-150200.3.6.1
      jackson-databind-2.13.0-150200.3.9.1
      jackson-databind-javadoc-2.13.0-150200.3.9.1
      jackson-dataformat-cbor-2.13.0-150200.3.3.3
      jackson-dataformat-smile-2.13.0-150200.3.3.3
      jackson-dataformats-binary-2.13.0-150200.3.3.3
      jackson-dataformats-binary-javadoc-2.13.0-150200.3.3.3

   - SUSE Manager Server 4.1 (noarch):

      jackson-annotations-2.13.0-150200.3.6.1
      jackson-core-2.13.0-150200.3.6.1
      jackson-databind-2.13.0-150200.3.9.1
      jackson-dataformat-cbor-2.13.0-150200.3.3.3

   - SUSE Manager Retail Branch Server 4.1 (noarch):

      jackson-annotations-2.13.0-150200.3.6.1
      jackson-core-2.13.0-150200.3.6.1
      jackson-databind-2.13.0-150200.3.9.1
      jackson-dataformat-cbor-2.13.0-150200.3.3.3

   - SUSE Manager Proxy 4.1 (noarch):

      jackson-annotations-2.13.0-150200.3.6.1
      jackson-core-2.13.0-150200.3.6.1
      jackson-databind-2.13.0-150200.3.9.1
      jackson-dataformat-cbor-2.13.0-150200.3.3.3

   - SUSE Linux Enterprise Server for SAP 15-SP2 (noarch):

      jackson-annotations-2.13.0-150200.3.6.1
      jackson-core-2.13.0-150200.3.6.1
      jackson-databind-2.13.0-150200.3.9.1
      jackson-dataformat-cbor-2.13.0-150200.3.3.3

   - SUSE Linux Enterprise Server 15-SP2-LTSS (noarch):

      jackson-annotations-2.13.0-150200.3.6.1
      jackson-core-2.13.0-150200.3.6.1
      jackson-databind-2.13.0-150200.3.9.1
      jackson-dataformat-cbor-2.13.0-150200.3.3.3

   - SUSE Linux Enterprise Server 15-SP2-BCL (noarch):

      jackson-annotations-2.13.0-150200.3.6.1
      jackson-core-2.13.0-150200.3.6.1
      jackson-databind-2.13.0-150200.3.9.1
      jackson-dataformat-cbor-2.13.0-150200.3.3.3

   - SUSE Linux Enterprise Realtime Extension 15-SP2 (noarch):

      jackson-annotations-2.13.0-150200.3.6.1
      jackson-core-2.13.0-150200.3.6.1
      jackson-databind-2.13.0-150200.3.9.1
      jackson-dataformat-cbor-2.13.0-150200.3.3.3

   - SUSE Linux Enterprise Module for SUSE Manager Server 4.3 (noarch):

      jackson-annotations-2.13.0-150200.3.6.1
      jackson-core-2.13.0-150200.3.6.1
      jackson-databind-2.13.0-150200.3.9.1

   - SUSE Linux Enterprise Module for Development Tools 15-SP4 (noarch):

      jackson-dataformat-cbor-2.13.0-150200.3.3.3

   - SUSE Linux Enterprise Module for Development Tools 15-SP3 (noarch):

      jackson-annotations-2.13.0-150200.3.6.1
      jackson-core-2.13.0-150200.3.6.1
      jackson-databind-2.13.0-150200.3.9.1
      jackson-dataformat-cbor-2.13.0-150200.3.3.3

   - SUSE Linux Enterprise Module for Basesystem 15-SP4 (noarch):

      jackson-annotations-2.13.0-150200.3.6.1
      jackson-core-2.13.0-150200.3.6.1
      jackson-databind-2.13.0-150200.3.9.1

   - SUSE Linux Enterprise Module for Basesystem 15-SP3 (noarch):

      jackson-annotations-2.13.0-150200.3.6.1
      jackson-annotations-javadoc-2.13.0-150200.3.6.1
      jackson-core-2.13.0-150200.3.6.1
      jackson-core-javadoc-2.13.0-150200.3.6.1
      jackson-databind-2.13.0-150200.3.9.1
      jackson-databind-javadoc-2.13.0-150200.3.9.1

   - SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (noarch):

      jackson-annotations-2.13.0-150200.3.6.1
      jackson-core-2.13.0-150200.3.6.1
      jackson-databind-2.13.0-150200.3.9.1
      jackson-dataformat-cbor-2.13.0-150200.3.3.3

   - SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (noarch):

      jackson-annotations-2.13.0-150200.3.6.1
      jackson-core-2.13.0-150200.3.6.1
      jackson-databind-2.13.0-150200.3.9.1
      jackson-dataformat-cbor-2.13.0-150200.3.3.3

   - SUSE Enterprise Storage 7 (noarch):

      jackson-annotations-2.13.0-150200.3.6.1
      jackson-core-2.13.0-150200.3.6.1
      jackson-databind-2.13.0-150200.3.9.1
      jackson-dataformat-cbor-2.13.0-150200.3.3.3


References:

   https://www.suse.com/security/cve/CVE-2020-25649.html
   https://www.suse.com/security/cve/CVE-2020-28491.html
   https://www.suse.com/security/cve/CVE-2020-36518.html
   https://bugzilla.suse.com/1177616
   https://bugzilla.suse.com/1182481
   https://bugzilla.suse.com/1197132
