-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.2385
                   Security update for jackson-databind,
             jackson-dataformats-binary, jackson-annotations,
                         jackson-bom, jackson-core
                                17 May 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           jackson-databind, jackson-dataformats-binary, jackson-annotations, jackson-bom, jackson-core
Publisher:         SUSE
Operating System:  SUSE
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-36518 CVE-2020-28491 CVE-2020-25649

Original Bulletin: 
   https://www.suse.com/support/update/announcement/2022/suse-su-20221678-1

Comment: CVSS (Max):  7.5 CVE-2020-36518 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
         CVSS Source: SUSE
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

SUSE Security Update: Security update for jackson-databind,
jackson-dataformats-binary, jackson-annotations, jackson-bom, jackson-core

______________________________________________________________________________

Announcement ID:   SUSE-SU-2022:1678-1
Rating:            important
References:        #1177616 #1182481 #1197132
Cross-References:  CVE-2020-25649 CVE-2020-28491 CVE-2020-36518
Affected Products:
                   SUSE Enterprise Storage 7
                   SUSE Linux Enterprise Desktop 15-SP3
                   SUSE Linux Enterprise Desktop 15-SP4
                   SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS
                   SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS
                   SUSE Linux Enterprise High Performance Computing 15-SP3
                   SUSE Linux Enterprise High Performance Computing 15-SP4
                   SUSE Linux Enterprise Module for Basesystem 15-SP3
                   SUSE Linux Enterprise Module for Basesystem 15-SP4
                   SUSE Linux Enterprise Module for Development Tools 15-SP3
                   SUSE Linux Enterprise Module for Development Tools 15-SP4
                   SUSE Linux Enterprise Module for SUSE Manager Server 4.3
                   SUSE Linux Enterprise Realtime Extension 15-SP2
                   SUSE Linux Enterprise Server 15-SP2-BCL
                   SUSE Linux Enterprise Server 15-SP2-LTSS
                   SUSE Linux Enterprise Server 15-SP3
                   SUSE Linux Enterprise Server 15-SP4
                   SUSE Linux Enterprise Server for SAP 15-SP2
                   SUSE Linux Enterprise Server for SAP Applications 15-SP3
                   SUSE Linux Enterprise Server for SAP Applications 15-SP4
                   SUSE Manager Proxy 4.1
                   SUSE Manager Proxy 4.2
                   SUSE Manager Retail Branch Server 4.1
                   SUSE Manager Server 4.1
                   SUSE Manager Server 4.2
                   SUSE Manager Server 4.3
                   openSUSE Leap 15.3
                   openSUSE Leap 15.4
______________________________________________________________________________

An update that fixes three vulnerabilities is now available.

Description:

This update for jackson-databind, jackson-dataformats-binary,
jackson-annotations, jackson-bom, jackson-core fixes the following issues:
Security issues fixed:

  o CVE-2020-36518: Fixed a denial of service caused by a Java stack overflow
    when deserializing deeply nested objects in jackson-databind. (bsc#1197132)
  o CVE-2020-25649: Fixed insecure entity expansion in jackson-databind, which
    left it vulnerable to XML external entity (XXE) attacks. (bsc#1177616)
  o CVE-2020-28491: Fixed a bug which could cause a `java.lang.OutOfMemoryError`
    in jackson-dataformats-binary. (bsc#1182481)
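As an added illustration, not part of SUSE's advisory or of the Jackson project's own code, the following Java class bounds the nesting depth of untrusted JSON before it reaches ObjectMapper, which is the input shape behind CVE-2020-36518. It assumes jackson-core and jackson-databind 2.13.x on the classpath and a hypothetical policy limit of 64 levels; the sample documents are constructed for the demonstration.

```java
import com.fasterxml.jackson.core.JsonFactory;
import com.fasterxml.jackson.core.JsonParser;
import com.fasterxml.jackson.core.JsonToken;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;

import java.io.IOException;
import java.nio.charset.StandardCharsets;

/**
 * Added example (not SUSE's or Jackson's code): reject JSON whose container
 * nesting exceeds a policy limit before tree or bean deserialization recurses
 * over it. Defence-in-depth for the class of issue fixed by CVE-2020-36518.
 */
public final class DepthBoundedReader {
    private final ObjectMapper mapper = new ObjectMapper();
    private final JsonFactory factory = mapper.getFactory();
    private final int maxDepth; // assumed policy value, e.g. 64

    public DepthBoundedReader(int maxDepth) {
        this.maxDepth = maxDepth;
    }

    /**
     * Streaming pass over the tokens: count open containers and fail fast as
     * soon as the limit is exceeded. Returns the deepest level seen.
     */
    public int measureDepth(byte[] json) throws IOException {
        int depth = 0;
        int deepest = 0;
        try (JsonParser p = factory.createParser(json)) {
            JsonToken t;
            while ((t = p.nextToken()) != null) {
                if (t == JsonToken.START_OBJECT || t == JsonToken.START_ARRAY) {
                    depth++;
                    if (depth > maxDepth) {
                        throw new IOException("nesting depth exceeds " + maxDepth
                                + " at " + p.currentLocation());
                    }
                    deepest = Math.max(deepest, depth);
                } else if (t == JsonToken.END_OBJECT || t == JsonToken.END_ARRAY) {
                    depth--;
                }
            }
        }
        return deepest;
    }

    /** Only builds the tree once the input has passed the depth check. */
    public JsonNode readTree(byte[] json) throws IOException {
        measureDepth(json);
        return mapper.readTree(json);
    }

    public static void main(String[] args) throws IOException {
        DepthBoundedReader reader = new DepthBoundedReader(64);

        // Constructed sample: an ordinary document, depth 3.
        byte[] ok = "{\"user\":{\"roles\":[\"admin\",\"ops\"]}}"
                .getBytes(StandardCharsets.UTF_8);
        System.out.println("depth=" + reader.measureDepth(ok));

        // Constructed sample: 10,000 nested arrays, the shape of input the
        // advisory describes. The guard rejects it before readTree recurses.
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < 10_000; i++) sb.append('[');
        for (int i = 0; i < 10_000; i++) sb.append(']');
        try {
            reader.readTree(sb.toString().getBytes(StandardCharsets.UTF_8));
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The streaming parser advances token by token without recursion, so measuring depth this way is itself safe on deeply nested input; tree and bean deserialization recurse once per level, which is why the guard runs first. Jackson 2.15 and later expose the same limit natively through StreamReadConstraints (default maximum nesting depth 1000), but the 2.13.0 packages shipped by this update predate that API.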


Non-security fixes:

jackson-annotations - update from version 2.10.2 to version 2.13.0:
  + Build with source/target levels 8
  + Add 'mvnw' wrapper
  + 'JsonSubType.Type' should accept array of names
  + Jackson version alignment with Gradle 6
  + Add '@JsonIncludeProperties'
  + Add '@JsonTypeInfo(use=DEDUCTION)'
  + Ability to use '@JsonAnyGetter' on fields
  + Add '@JsonKey' annotation
  + Allow repeated calls to 'SimpleObjectIdResolver.bindItem()' for same mapping
  + Add 'namespace' property for '@JsonProperty' (for XML module)
  + Add target 'ElementType.ANNOTATION_TYPE' for '@JsonEnumDefaultValue'
  + 'JsonPattern.Value.pattern' retained as "", never (accidentally) exposed as 'null'
  + Rewrite to use `ant` for building in order to be able to use it in packages that have to be built before maven

jackson-bom - update from version 2.10.2 to version 2.13.0:
  + Configure moditect plugin with ' 11 '
  + jackson-bom manages the version of 'junit:junit'
  + Drop 'jackson-datatype-hibernate3' (support for Hibernate 3.x datatypes)
  + Removed "jakarta" classifier variants of JAXB/JSON-P/JAX-RS modules due to the addition of new Jakarta artifacts (Jakarta-JSONP, Jakarta-xmlbind-annotations, Jakarta-rs-providers)
  + Add version for 'jackson-datatype-jakarta-jsonp' module (introduced after 2.12.2)
  + Add (beta) version for 'jackson-dataformat-toml'
  + Jakarta 9 artifact versions are missing from jackson-bom
  + Add default settings for 'gradle-module-metadata-maven-plugin' (gradle metadata)
  + Add default settings for 'build-helper-maven-plugin'
  + Drop 'jackson-module-scala_2.10' entry (not released for Jackson 2.12 or later)
  + Add override for 'version.plugin.bundle' (for 5.1.1) to help build on JDK 15+
  + Add missing version for jackson-datatype-eclipse-collections

jackson-core - update from version 2.10.2 to version 2.13.0:
  + Build with source and target levels 8
  + Misleading exception for input source when processing byte buffer with start offset
  + Escape contents of source document snippet for 'JsonLocation._appendSourceDesc()'
  + Add 'StreamWriteException' type to eventually replace 'JsonGenerationException'
  + Replace 'getCurrentLocation()'/'getTokenLocation()' with 'currentLocation()'/'currentTokenLocation()' in 'JsonParser'
  + Replace 'JsonGenerator.writeObject()' (and related) with 'writePOJO()'
  + Replace 'getCurrentValue()'/'setCurrentValue()' with 'currentValue()'/'assignCurrentValue()' in 'JsonParser'/'JsonGenerator'
  + Introduce O(n^1.5) BigDecimal parser implementation
  + ByteQuadsCanonicalizer.addName(String, int, int) has incorrect handling for case of q2 == null
  + UTF32Reader ArrayIndexOutOfBoundsException
  + Improve exception/JsonLocation handling for binary content: don't show content, include byte offset
  + Fix an issue with the TokenFilter unable to ignore properties when deserializing
  + Optimize array allocation by 'JsonStringEncoder'
  + Add 'mvnw' wrapper
  + (partial) Optimize array allocation by 'JsonStringEncoder'
  + Add back accidentally removed 'JsonStringEncoder' related methods in 'BufferRecyclers' (like 'getJsonStringEncoder()')
  + 'ArrayOutOfBoundException' at 'WriterBasedJsonGenerator.writeString(Reader, int)'
  + Allow "optional-padding" for 'Base64Variant'
  + More customizable TokenFilter inclusion (using 'Tokenfilter.Inclusion')
  + Publish Gradle Module Metadata
  + Add 'StreamReadCapability' for further format-based/format-agnostic handling improvements
  + Add 'JsonParser.isExpectedNumberIntToken()' convenience method
  + Add 'StreamWriteCapability' for further format-based/format-agnostic handling improvements
  + Add 'JsonParser.getNumberValueExact()' to allow precision-retaining buffering
  + Limit initial allocated block size by 'ByteArrayBuilder' to max block size
  + Add 'JacksonException' as parent class of 'JsonProcessingException'
  + Make 'JsonWriteContext.reset()' and 'JsonReadContext.reset()' methods public
  + Deprecate 'JsonParser.getCurrentTokenId()' (use '#currentTokenId()' instead)
  + Full "LICENSE" included in jar for easier access by compliancy tools
  + Fix NPE in 'writeNumber(String)' method of 'UTF8JsonGenerator', 'WriterBasedJsonGenerator'
  + Add a String Array write method in the Streaming API
  + Synchronize variants of 'JsonGenerator#writeNumberField' with 'JsonGenerator#writeNumber'
  + Add JsonGenerator#writeNumber(char[], int, int) method
  + Do not clear aggregated contents of 'TextBuffer' when 'releaseBuffers()' called
  + 'FilteringGeneratorDelegate' does not handle 'writeString(Reader, int)'
  + Optionally allow leading decimal in float tokens
  + Rewrite to use ant for building in order to be able to use it in packages that have to be built before maven
  + Parsing JSON with 'ALLOW_MISSING_VALUE' enabled results in endless stream of 'VALUE_NULL' tokens
  + Handle case when system property access is restricted
  + 'FilteringGeneratorDelegate' does not handle 'writeString(Reader, int)'
  + DataFormatMatcher#getMatchedFormatName throws NPE when no match exists
  + 'JsonParser.getCurrentLocation()' byte/char offset update incorrectly for big payloads

jackson-databind - update from version 2.10.5.1 to version 2.13.0:
  + '@JsonValue' with integer for enum does not deserialize correctly
  + 'AnnotatedMethod.getValue()/setValue()' doesn't have useful exception message
  + Add 'DatabindException' as intermediate subtype of 'JsonMappingException'
  + Jackson does not support deserializing new Java 9 unmodifiable collections
  + Allocate TokenBuffer instance via context objects (to allow format-specific buffer types)
  + Add mechanism for setting default 'ContextAttributes' for 'ObjectMapper'
  + Add 'DeserializationContext.readTreeAsValue()' methods for more convenient conversions for deserializers to use
  + Clean up support of typed "unmodifiable", "singleton" Maps/Sets/Collections
  + Extend internal bitfield of 'MapperFeature' to be 'long'
  + Add 'removeMixIn()' method in 'MapperBuilder'
  + Backport 'MapperBuilder' lambda-taking methods: 'withConfigOverride()', 'withCoercionConfig()', 'withCoercionConfigDefaults()'
  + configOverrides(boolean.class) silently ignored, whereas .configOverride(Boolean.class) works for both primitives and boxed boolean values
  + Don't track unknown props in buffer if 'ignoreAllUnknown' is true
  + Should allow deserialization of java.time types via opaque 'JsonToken.VALUE_EMBEDDED_OBJECT'
  + Optimize "AnnotatedConstructor.call()" case by passing explicit null
  + Add AnnotationIntrospector.XmlExtensions interface for decoupling javax dependencies
  + Custom SimpleModule not included in list returned by ObjectMapper.getRegisteredModuleIds() after registration
  + Use more limiting default visibility settings for JDK types (java.*, javax.*)
  + Deep merge for 'JsonNode' using 'ObjectReader.readTree()'
  + IllegalArgumentException: Conflicting setter definitions for property with more than 2 setters
  + Serializing java.lang.Thread fails on JDK 11 and above
  + String-based 'Map' key deserializer is not deterministic when there is no single arg constructor
  + Add ArrayNode#set(int index, primitive_type value)
  + JsonStreamContext "currentValue" wrongly references to '@JsonTypeInfo' annotated object
  + DOM 'Node' serialization omits the default namespace declaration
  + Support 'suppressed' property when deserializing 'Throwable'
  + 'AnnotatedMember.equals()' does not work reliably
  + Add 'MapperFeature.APPLY_DEFAULT_VALUES', initially for Scala module
  + For an absent property Jackson injects 'NullNode' instead of 'null' to a JsonNode-typed constructor argument of a '@ConstructorProperties'-annotated constructor
  + 'XMLGregorianCalendar' doesn't work with default typing
  + Content 'null' handling not working for root values
  + StdDeserializer rejects blank (all-whitespace) strings for ints
  + 'USE_BASE_TYPE_AS_DEFAULT_IMPL' not working with 'DefaultTypeResolverBuilder'
  + Add PropertyNamingStrategies.UpperSnakeCaseStrategy (and UPPER_SNAKE_CASE constant)
  + StackOverflowError when serializing JsonProcessingException
  + Support for BCP 47 'java.util.Locale' serialization/deserialization
  + String property deserializes null as "null" for JsonTypeInfo.As.EXISTING_PROPERTY
  + Can not deserialize json to enum value with Object-/Array-valued input, '@JsonCreator'
  + Fix to avoid problem with 'BigDecimalNode', scale of 'Integer.MIN_VALUE'
  + Extend handling of 'FAIL_ON_NULL_FOR_PRIMITIVES' to cover coercion from (Empty) String via 'AsNull'
  + Add 'mvnw' wrapper
  + (regression) Factory method generic type resolution does not use Class-bound type parameter
  + Deserialization of "empty" subtype with DEDUCTION failed
  + Merge findInjectableValues() results in AnnotationIntrospectorPair
  + READ_UNKNOWN_ENUM_VALUES_USING_DEFAULT_VALUE doesn't work with empty strings
  + 'TypeFactory' cannot convert 'Collection' sub-type without type parameters to canonical form and back
  + Fix for [modules-java8#207]: prevent fail on secondary Java 8 date/time types
  + EXTERNAL_PROPERTY does not work well with '@JsonCreator' and 'FAIL_ON_UNKNOWN_PROPERTIES'
  + String property deserializes null as "null" for 'JsonTypeInfo.As.EXTERNAL_PROPERTY'
  + Property ignorals cause 'BeanDeserializer' to forget how to read from arrays (not copying '_arrayDelegateDeserializer')
  + 'UntypedObjectDeserializer' mixes multiple unwrapped collections (related to #2733)
  + Two cases of incorrect error reporting about DeserializationFeature
  + Bug in polymorphic deserialization with '@JsonCreator', '@JsonAnySetter', 'JsonTypeInfo.As.EXTERNAL_PROPERTY'
  + Polymorphic subtype deduction ignores 'defaultImpl' attribute
  + MismatchedInputException: Cannot deserialize instance of 'com.fasterxml.jackson.databind.node.ObjectNode' out of VALUE_NULL token
  + Missing override for 'hasAsKey()' in 'AnnotationIntrospectorPair'
  + Creator lookup fails with 'InvalidDefinitionException' for conflict between single-double/single-Double arg constructor
  + 'MapDeserializer' forcing 'JsonMappingException' wrapping even if WRAP_EXCEPTIONS set to false
  + Auto-detection of constructor-based creator method skipped if there is an annotated factory-based creator method (regression from 2.11)
  + 'ObjectMapper.treeToValue()' no longer invokes 'JsonDeserializer.getNullValue()'
  + DeserializationProblemHandler is not invoked when trying to deserialize String
  + Fix failing 'double' JsonCreators in jackson 2.12.0
  + Conflicting in POJOPropertiesCollector when having namingStrategy
  + Breaking API change in 'BasicClassIntrospector' (2.12.0)
  + 'JsonNode.requiredAt()' does NOT fail on some path expressions
  + Exception thrown when 'Collections.synchronizedList()' is serialized with type info, deserialized
  + Add option to resolve type from multiple existing properties, '@JsonTypeInfo(use=DEDUCTION)'
  + '@JsonIgnoreProperties' does not prevent Exception Conflicting getter/setter definitions for property
  + Deserialization Not Working Right with Generic Types and Builders
  + Add '@JsonIncludeProperties(propertyNames)' (reverse of '@JsonIgnoreProperties')
  + '@JsonAnyGetter' should be allowed on a field
  + Allow handling of single-arg constructor as property based by default
  + Allow case insensitive deserialization of String value into 'boolean'/'Boolean' (esp for Excel)
  + Allow use of '@JsonFormat(with=JsonFormat.Feature.ACCEPT_CASE_INSENSITIVE_PROPERTIES)' on Class
  + Abstract class included as part of known type ids for error message when using JsonSubTypes
  + Distinguish null from empty string for UUID deserialization
  + 'ReferenceType' does not expose valid containedType
  + Add 'CoercionConfig[s]' mechanism for configuring allowed coercions
  + 'JsonProperty.Access.READ_ONLY' does not work with "getter-as-setter" 'Collection's
  + Support 'BigInteger' and 'BigDecimal' creators in 'StdValueInstantiator'
  + 'JsonProperty.Access.READ_ONLY' fails with collections when a property name is specified
  + 'BigDecimal' precision not retained for polymorphic deserialization
  + Support use of 'Void' valued properties ('MapperFeature.ALLOW_VOID_VALUED_PROPERTIES')
  + Explicitly fail (de)serialization of 'java.time.*' types in absence of registered custom (de)serializers
  + Improve description included in by 'DeserializationContext.handleUnexpectedToken()'
  + Support for JDK 14 record types ('java.lang.Record')
  + 'PropertyNamingStrategy' class initialization depends on its subclass, this can lead to class loading deadlock
  + 'FAIL_ON_IGNORED_PROPERTIES' does not throw on 'READONLY' properties with an explicit name
  + Add Gradle Module Metadata for version alignment with Gradle 6
  + Allow 'JsonNode' auto-convert into 'ArrayNode' if duplicates found (for XML)
  + Allow values of "untyped" auto-convert into 'List' if duplicates found (for XML)
  + Add 'ValueInstantiator.createContextual(...)'
  + Support multiple names in 'JsonSubType.Type'
  + Disabling 'FAIL_ON_INVALID_SUBTYPE' breaks polymorphic deserialization of Enums
  + Explicitly fail (de)serialization of 'org.joda.time.*' types in absence of registered custom (de)serializers
  + Trailing zeros are stripped when deserializing BigDecimal values inside a @JsonUnwrapped property
  + Extract getter/setter/field name mangling from 'BeanUtil' into pluggable 'AccessorNamingStrategy'
  + Throw 'InvalidFormatException' instead of 'MismatchedInputException' for ACCEPT_FLOAT_AS_INT coercion failures
  + Add '@JsonKey' annotation (similar to '@JsonValue') for customizable serialization of Map keys
  + 'MapperFeature.ACCEPT_CASE_INSENSITIVE_ENUMS' should work for enum as keys
  + Add support for disabling special handling of "Creator properties" wrt alphabetic property ordering
  + Add 'JsonNode.canConvertToExactIntegral()' to indicate whether floating-point/BigDecimal values could be converted to integers losslessly
  + Improve static factory method generic type resolution logic
  + Allow preventing "Enum from integer" coercion using new 'CoercionConfig' system
  + '@JsonValue' not considered when evaluating inclusion
  + Make some java platform modules optional
  + Add support for serializing 'java.sql.Blob'
  + 'AnnotatedCreatorCollector' should avoid processing synthetic static (factory) methods
  + Add errorprone static analysis profile to detect bugs at build time
  + Problem with implicit creator name detection for constructor detection
  + Add 'BeanDeserializerBase.isCaseInsensitive()'
  + Refactoring of 'CollectionDeserializer' to solve CSV array handling issues
  + Full "LICENSE" included in jar for easier access by compliancy tools
  + Fix type resolution for static methods (regression in 2.11.3)
  + '@JsonCreator' on constructor not compatible with '@JsonIdentityInfo', 'PropertyGenerator'
  + Add debug improvements about 'ClassUtil.getClassMethods()'
  + Cannot detect creator arguments of mixins for JDK types
  + Add 'JsonFormat.Shape' awareness for UUID serialization ('UUIDSerializer')
  + Json serialization fails or a specific case that contains generics and static methods with generic parameters (2.11.1 -> 2.11.2 regression)
  + 'ObjectMapper.activateDefaultTypingAsProperty()' is not using parameter 'PolymorphicTypeValidator'
  + Problem deserialization "raw generic" fields (like 'Map') in 2.11.2
  + Fix issues with 'MapLikeType.isTrueMapType()', 'CollectionLikeType.isTrueCollectionType()'
  + Parser/Generator features not set when using 'ObjectMapper.createParser()', 'createGenerator()'
  + Polymorphic subtypes not registering on copied ObjectMapper (2.11.1)
  + Failure to read AnnotatedField value in Jackson 2.11
  + 'TypeFactory.constructType()' does not take 'TypeBindings' correctly
  + Builder Deserialization with JsonCreator Value vs Array
  + JsonCreator on static method in Enum and Enum used as key in map fails randomly
  + 'StdSubtypeResolver' is not thread safe (possibly due to copy not being made with 'ObjectMapper.copy()')
  + "Conflicting setter definitions for property" exception for 'Map' subtype during deserialization
  + Fail to deserialize local Records
  + Rearranging of props when property-based generator is in use leads to incorrect output
  + Jackson doesn't respect 'CAN_OVERRIDE_ACCESS_MODIFIERS=false' for deserializer properties
  + 'DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS' don't support 'Map' type field
  + JsonParser from MismatchedInputException cannot getText() for floating-point value
  + i-I case conversion problem in Turkish locale with case-insensitive deserialization
  + '@JsonInject' fails on trying to find deserializer even if inject-only
  + Polymorphic deserialization should handle case-insensitive Type Id property name if 'MapperFeature.ACCEPT_CASE_INSENSITIVE_PROPERTIES' is enabled
  + TreeTraversingParser and UTF8StreamJsonParser create contexts differently
  + Support use of '@JsonAlias' for enum values
  + 'declaringClass' of "enum-as-POJO" not removed for 'ObjectMapper' with a naming strategy
  + Fix 'JavaType.isEnumType()' to support sub-classes
  + BeanDeserializerBuilder Protected Factory Method for Extension
  + Support '@JsonSerialize(keyUsing)' and '@JsonDeserialize(keyUsing)' on Key class
  + Add 'SerializationFeature.WRITE_SELF_REFERENCES_AS_NULL'
  + 'ObjectMapper.registerSubtypes(NamedType...)' doesn't allow registering same POJO for two different type ids
  + 'DeserializationContext.handleMissingInstantiator()' throws 'MismatchedInputException' for non-static inner classes
  + Incorrect 'JsonStreamContext' for 'TokenBuffer' and 'TreeTraversingParser'
  + Add 'AnnotationIntrospector.findRenameByField()' to support Kotlin's "is-getter" naming convention
  + Use '@JsonProperty(index)' for sorting properties on serialization
  + Java 8 'Optional' not working with '@JsonUnwrapped' on unwrappable type
  + Add 'MapperFeature.BLOCK_UNSAFE_POLYMORPHIC_BASE_TYPES' to allow blocking use of unsafe base type for polymorphic deserialization
  + 'ObjectMapper.setSerializationInclusion()' is ignored for 'JsonAnyGetter'
  + 'ValueInstantiationException' when deserializing using a builder and 'UNWRAP_SINGLE_VALUE_ARRAYS'
  + JsonIgnoreProperties(ignoreUnknown = true) does not work on field and method level
  + Failure to resolve generic type parameters on serialization
  + JsonParser cannot getText() for input stream on MismatchedInputException
  + ObjectReader readValue lacks Class argument
  + Change default textual serialization of 'java.util.Date'/'Calendar' to include colon in timezone offset
  + Add 'ObjectMapper.createParser()' and 'createGenerator()' methods
  + Allow serialization of 'Properties' with non-String values
  + Add new factory method for creating custom 'EnumValues' to pass to 'EnumDeserializer'
  + 'IllegalArgumentException' thrown for mismatched subclass deserialization
  + Add convenience methods for creating 'List', 'Map' valued 'ObjectReader's (ObjectMapper.readerForListOf())
  + 'SerializerProvider.findContentValueSerializer()' methods

jackson-dataformats-binary - update from version 2.10.1 to version 2.13.0:
  + (cbor) Should validate UTF-8 multi-byte validity for short decode path too
  + (ion) Deprecate 'CloseSafeUTF8Writer', remove use
  + (smile) Make 'SmileFactory' support 'JsonFactory.Feature.CANONICALIZE_FIELD_NAMES'
  + (cbor) Make 'CBORFactory' support 'JsonFactory.Feature.CANONICALIZE_FIELD_NAMES'
  + (cbor) Handle case of BigDecimal with Integer.MIN_VALUE for scale gracefully
  + (cbor) Uncaught exception in CBORParser._nextChunkedByte2 (by ossfuzzer)
  + (cbor) Another uncaught exception in CBORParser._nextChunkedByte2 (by ossfuzzer)
  + (smile) Add 'SmileGenerator.Feature.LENIENT_UTF_ENCODING' for lenient handling of broken Unicode surrogate pairs on writing
  + (avro) Add 'logicalType' support for some 'java.time' types; add 'AvroJavaTimeModule' for native ser/deser
  + Support base64 strings in 'getBinaryValue()' for CBOR and Smile
  + (cbor) 'ArrayIndexOutOfBounds' for truncated UTF-8 name
  + (avro) Generate logicalType switch
  + (smile) 'ArrayIndexOutOfBounds' for truncated UTF-8 name
  + (ion) 'jackson-dataformat-ion' does not handle null.struct deserialization correctly
  + 'Ion-java' dep 1.4.0 -> 1.8.0
  + Minor change to Ion module registration names (fully-qualified)
  + (cbor) Uncaught exception in CBORParser._nextChunkedByte2 (by ossfuzzer)
  + (cbor) Uncaught exception in CBORParser._findDecodedFromSymbols() (by ossfuzzer)
  + (smile) Uncaught validation problem wrt Smile "BigDecimal" type
  + (smile) ArrayIndexOutOfBoundsException for malformed Smile header
  + (cbor) Failed to handle case of alleged String with length of Integer.MAX_VALUE
  + (smile) Allocate byte[] lazily for longer Smile binary data payloads
  + (cbor) CBORParser need to validate zero-length byte[] for BigInteger
  + (smile) Handle invalid chunked-binary-format length gracefully
  + (smile) Allocate byte[] lazily for longer Smile binary data payloads (7-bit encoded)
  + (smile) ArrayIndexOutOfBoundsException in SmileParser._decodeShortUnicodeValue()
  + (smile) Handle sequence of Smile header markers without recursion
  + (cbor) CBOR loses 'Map' entries with specific 'long' Map key values (32-bit boundary)
  + (ion) Ion Polymorphic deserialization in 2.12 breaks wrt use of Native Type Ids when upgrading from 2.8
  + (cbor) 'ArrayIndexOutOfBoundsException' in 'CBORParser' for invalid UTF-8 String
  + (cbor) Handle invalid CBOR content like '[0x84]' (incomplete array)
  + (ion) Respect 'WRITE_ENUMS_USING_TO_STRING' in 'EnumAsIonSymbolSerializer'
  + (ion) Add support for generating IonSexps
  + (ion) Add support for deserializing IonTimestamps and IonBlobs
  + (ion) Add 'IonObjectMapper.builderForBinaryWriters()' / '.builderforTextualWriters()' convenience methods
  + (ion) Enabling pretty-printing fails Ion serialization
  + (ion) Allow disabling native type ids in IonMapper
  + (smile) Small bug in byte-alignment for long field names in Smile, symbol table reuse
  + (ion) Add 'IonFactory.getIonSystem()' accessor
  + (ion) Optimize 'IonParser.getNumberType()' using 'IonReader.getIntegerSize()'
  + (cbor) Add 'CBORGenerator.Feature.LENIENT_UTF_ENCODING' for lenient handling of Unicode surrogate pairs on writing
  + (cbor) Add support for decoding unassigned "simple values" (type 7)
  + Add Gradle Module Metadata (https://blog.gradle.org/alignment-with-gradle-module-metadata)
  + (avro) Cache record names to avoid hitting class loader
  + (avro) Avro null deserialization
  + (ion) Add 'IonFactory.getIonSystem()' accessor
  + (avro) Add 'AvroGenerator.canWriteBinaryNatively()' to support binary writes, fix 'java.util.UUID' representation
  + (ion) Allow 'IonObjectMapper' with class name annotation introspector to deserialize generic subtypes
  + Remove dependencies upon Jackson 1.X and Avro's JacksonUtils
  + 'jackson-databind' should not be full dependency for (cbor, protobuf, smile) modules
  + 'CBORGenerator.Feature.WRITE_MINIMAL_INTS' does not write most compact form for all integers
  + 'AvroGenerator' overrides 'getOutputContext()' properly
  + (ion) Add 'IonFactory.getIonSystem()' accessor
  + (avro) Fix schema evolution involving maps of non-scalar
  + (protobuf) Parsing a protobuf message doesn't properly skip unknown fields
  + (ion) IonObjectMapper close()s the provided IonWriter unnecessarily
  + ion-java dependency 1.4.0 -> 1.5.1

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation
methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

  o openSUSE Leap 15.4:
    zypper in -t patch openSUSE-SLE-15.4-2022-1678=1
  o openSUSE Leap 15.3:
    zypper in -t patch openSUSE-SLE-15.3-2022-1678=1
  o SUSE Manager Server 4.1:
    zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Server-4.1-2022-1678=1
  o SUSE Manager Retail Branch Server 4.1:
    zypper in -t patch
    SUSE-SLE-Product-SUSE-Manager-Retail-Branch-Server-4.1-2022-1678=1
  o SUSE Manager Proxy 4.1:
    zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Proxy-4.1-2022-1678=1
  o SUSE Linux Enterprise Server for SAP 15-SP2:
    zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP2-2022-1678=1
  o SUSE Linux Enterprise Server 15-SP2-LTSS:
    zypper in -t patch SUSE-SLE-Product-SLES-15-SP2-LTSS-2022-1678=1
  o SUSE Linux Enterprise Server 15-SP2-BCL:
    zypper in -t patch SUSE-SLE-Product-SLES-15-SP2-BCL-2022-1678=1
  o SUSE Linux Enterprise Realtime Extension 15-SP2:
    zypper in -t patch SUSE-SLE-Product-RT-15-SP2-2022-1678=1
  o SUSE Linux Enterprise Module for SUSE Manager Server 4.3:
    zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Server-4.3-2022-1678=1
  o SUSE Linux Enterprise Module for Development Tools 15-SP4:
    zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP4-2022-1678=1
  o SUSE Linux Enterprise Module for Development Tools 15-SP3:
    zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP3-2022-1678=1
  o SUSE Linux Enterprise Module for Basesystem 15-SP4:
    zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP4-2022-1678=1
  o SUSE Linux Enterprise Module for Basesystem 15-SP3:
    zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP3-2022-1678=1
  o SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS:
    zypper in -t patch SUSE-SLE-Product-HPC-15-SP2-LTSS-2022-1678=1
  o SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS:
    zypper in -t patch SUSE-SLE-Product-HPC-15-SP2-ESPOS-2022-1678=1
  o SUSE Enterprise Storage 7:
    zypper in -t patch SUSE-Storage-7-2022-1678=1

Package List:

  o openSUSE Leap 15.4 (noarch):
       jackson-annotations-2.13.0-150200.3.6.1
       jackson-annotations-javadoc-2.13.0-150200.3.6.1
       jackson-bom-2.13.0-150200.3.3.1
       jackson-core-2.13.0-150200.3.6.1
       jackson-core-javadoc-2.13.0-150200.3.6.1
       jackson-databind-2.13.0-150200.3.9.1
       jackson-databind-javadoc-2.13.0-150200.3.9.1
       jackson-dataformat-cbor-2.13.0-150200.3.3.3
       jackson-dataformat-smile-2.13.0-150200.3.3.3
       jackson-dataformats-binary-2.13.0-150200.3.3.3
       jackson-dataformats-binary-javadoc-2.13.0-150200.3.3.3
  o openSUSE Leap 15.3 (noarch):
       jackson-annotations-2.13.0-150200.3.6.1
       jackson-annotations-javadoc-2.13.0-150200.3.6.1
       jackson-bom-2.13.0-150200.3.3.1
       jackson-core-2.13.0-150200.3.6.1
       jackson-core-javadoc-2.13.0-150200.3.6.1
       jackson-databind-2.13.0-150200.3.9.1
       jackson-databind-javadoc-2.13.0-150200.3.9.1
       jackson-dataformat-cbor-2.13.0-150200.3.3.3
       jackson-dataformat-smile-2.13.0-150200.3.3.3
       jackson-dataformats-binary-2.13.0-150200.3.3.3
       jackson-dataformats-binary-javadoc-2.13.0-150200.3.3.3
  o SUSE Manager Server 4.1 (noarch):
       jackson-annotations-2.13.0-150200.3.6.1
       jackson-core-2.13.0-150200.3.6.1
       jackson-databind-2.13.0-150200.3.9.1
       jackson-dataformat-cbor-2.13.0-150200.3.3.3
  o SUSE Manager Retail Branch Server 4.1 (noarch):
       jackson-annotations-2.13.0-150200.3.6.1
       jackson-core-2.13.0-150200.3.6.1
       jackson-databind-2.13.0-150200.3.9.1
       jackson-dataformat-cbor-2.13.0-150200.3.3.3
  o SUSE Manager Proxy 4.1 (noarch):
       jackson-annotations-2.13.0-150200.3.6.1
       jackson-core-2.13.0-150200.3.6.1
       jackson-databind-2.13.0-150200.3.9.1
       jackson-dataformat-cbor-2.13.0-150200.3.3.3
  o SUSE Linux Enterprise Server for SAP 15-SP2 (noarch):
       jackson-annotations-2.13.0-150200.3.6.1
       jackson-core-2.13.0-150200.3.6.1
       jackson-databind-2.13.0-150200.3.9.1
       jackson-dataformat-cbor-2.13.0-150200.3.3.3
  o SUSE Linux Enterprise Server 15-SP2-LTSS (noarch):
       jackson-annotations-2.13.0-150200.3.6.1
       jackson-core-2.13.0-150200.3.6.1
       jackson-databind-2.13.0-150200.3.9.1
       jackson-dataformat-cbor-2.13.0-150200.3.3.3
  o SUSE Linux Enterprise Server 15-SP2-BCL (noarch):
       jackson-annotations-2.13.0-150200.3.6.1
       jackson-core-2.13.0-150200.3.6.1
       jackson-databind-2.13.0-150200.3.9.1
       jackson-dataformat-cbor-2.13.0-150200.3.3.3
  o SUSE Linux Enterprise Realtime Extension 15-SP2 (noarch):
       jackson-annotations-2.13.0-150200.3.6.1
       jackson-core-2.13.0-150200.3.6.1
       jackson-databind-2.13.0-150200.3.9.1
       jackson-dataformat-cbor-2.13.0-150200.3.3.3
  o SUSE Linux Enterprise Module for SUSE Manager Server 4.3 (noarch):
       jackson-annotations-2.13.0-150200.3.6.1
       jackson-core-2.13.0-150200.3.6.1
       jackson-databind-2.13.0-150200.3.9.1
  o SUSE Linux Enterprise Module for Development Tools 15-SP4 (noarch):
       jackson-dataformat-cbor-2.13.0-150200.3.3.3
  o SUSE Linux Enterprise Module for Development Tools 15-SP3 (noarch):
       jackson-annotations-2.13.0-150200.3.6.1
       jackson-core-2.13.0-150200.3.6.1
       jackson-databind-2.13.0-150200.3.9.1
       jackson-dataformat-cbor-2.13.0-150200.3.3.3
  o SUSE Linux Enterprise Module for Basesystem 15-SP4 (noarch):
       jackson-annotations-2.13.0-150200.3.6.1
       jackson-core-2.13.0-150200.3.6.1
       jackson-databind-2.13.0-150200.3.9.1
  o SUSE Linux Enterprise Module for Basesystem 15-SP3 (noarch):
       jackson-annotations-2.13.0-150200.3.6.1
       jackson-annotations-javadoc-2.13.0-150200.3.6.1
       jackson-core-2.13.0-150200.3.6.1
       jackson-core-javadoc-2.13.0-150200.3.6.1
       jackson-databind-2.13.0-150200.3.9.1
       jackson-databind-javadoc-2.13.0-150200.3.9.1
  o SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (noarch):
       jackson-annotations-2.13.0-150200.3.6.1
       jackson-core-2.13.0-150200.3.6.1
       jackson-databind-2.13.0-150200.3.9.1
       jackson-dataformat-cbor-2.13.0-150200.3.3.3
  o SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (noarch):
       jackson-annotations-2.13.0-150200.3.6.1
       jackson-core-2.13.0-150200.3.6.1
       jackson-databind-2.13.0-150200.3.9.1
       jackson-dataformat-cbor-2.13.0-150200.3.3.3
  o SUSE Enterprise Storage 7 (noarch):
       jackson-annotations-2.13.0-150200.3.6.1
       jackson-core-2.13.0-150200.3.6.1
       jackson-databind-2.13.0-150200.3.9.1
       jackson-dataformat-cbor-2.13.0-150200.3.3.3


References:

  o https://www.suse.com/security/cve/CVE-2020-25649.html
  o https://www.suse.com/security/cve/CVE-2020-28491.html
  o https://www.suse.com/security/cve/CVE-2020-36518.html
  o https://bugzilla.suse.com/1177616
  o https://bugzilla.suse.com/1182481
  o https://bugzilla.suse.com/1197132

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
-----END PGP SIGNATURE-----