CVSS3: 7.5 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: HIGH
Availability Impact: NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CVSS2: 5 Medium
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
AV:N/AC:L/Au:N/C:N/I:P/A:N
An update that fixes three vulnerabilities is now available.
Description:
This update for jackson-databind, jackson-dataformats-binary,
jackson-annotations, jackson-bom, jackson-core fixes the following issues:
Security issues fixed:
java.lang.OutOfMemoryError exception in jackson-dataformats-binary.
Non security fixes:
jackson-annotations - update from version 2.10.2 to version 2.13.0:
+ Build with source/target levels 8
+ Add 'mvnw' wrapper
+ 'JsonSubType.Type' should accept array of names
+ Jackson version alignment with Gradle 6
+ Add '@JsonIncludeProperties'
+ Add '@JsonTypeInfo(use=DEDUCTION)'
+ Ability to use '@JsonAnyGetter' on fields
+ Add '@JsonKey' annotation
+ Allow repeated calls to 'SimpleObjectIdResolver.bindItem()' for same
mapping
+ Add 'namespace' property for '@JsonProperty' (for XML module)
+ Add target 'ElementType.ANNOTATION_TYPE' for '@JsonEnumDefaultValue'
+ 'JsonPattern.Value.pattern' retained as "", never (accidentally)
exposed as 'null'
+ Rewrite to use `ant` for building in order to be able to use it in
packages that have to be built before maven
jackson-bom - update from version 2.10.2 to version 2.13.0:
+ Configure moditect plugin with '<jvmVersion>11</jvmVersion>'
+ jackson-bom manages the version of 'junit:junit'
+ Drop 'jackson-datatype-hibernate3' (support for Hibernate 3.x
datatypes)
+ Removed "jakarta" classifier variants of JAXB/JSON-P/JAX-RS modules
due to the addition of new Jakarta artifacts (Jakarta-JSONP,
Jakarta-xmlbind-annotations, Jakarta-rs-providers)
+ Add version for 'jackson-datatype-jakarta-jsonp' module (introduced
after 2.12.2)
+ Add (beta) version for 'jackson-dataformat-toml'
+ Jakarta 9 artifact versions are missing from jackson-bom
+ Add default settings for 'gradle-module-metadata-maven-plugin'
(gradle metadata)
+ Add default settings for 'build-helper-maven-plugin'
+ Drop 'jackson-module-scala_2.10' entry (not released for Jackson 2.12
or later)
+ Add override for 'version.plugin.bundle' (for 5.1.1) to help build on
JDK 15+
+ Add missing version for jackson-datatype-eclipse-collections
jackson-core - update from version 2.10.2 to version 2.13.0:
+ Build with source and target levels 8
+ Misleading exception for input source when processing byte buffer
with start offset
+ Escape contents of source document snippet for
'JsonLocation._appendSourceDesc()'
+ Add 'StreamWriteException' type to eventually replace
'JsonGenerationException'
+ Replace 'getCurrentLocation()'/'getTokenLocation()' with
'currentLocation()'/'currentTokenLocation()' in 'JsonParser'
+ Replace 'JsonGenerator.writeObject()' (and related) with 'writePOJO()'
+ Replace 'getCurrentValue()'/'setCurrentValue()' with
'currentValue()'/'assignCurrentValue()' in 'JsonParser'/'JsonGenerator'
+ Introduce O(n^1.5) BigDecimal parser implementation
+ ByteQuadsCanonicalizer.addName(String, int, int) has incorrect
handling for case of q2 == null
+ UTF32Reader ArrayIndexOutOfBoundsException
+ Improve exception/JsonLocation handling for binary content: don't
show content, include byte offset
+ Fix an issue with the TokenFilter unable to ignore properties when
deserializing.
+ Optimize array allocation by 'JsonStringEncoder'
+ Add 'mvnw' wrapper
+ (partial) Optimize array allocation by 'JsonStringEncoder'
+ Add back accidentally removed 'JsonStringEncoder' related methods in
'BufferRecyclers' (like 'getJsonStringEncoder()')
+ 'ArrayOutOfBoundException' at
'WriterBasedJsonGenerator.writeString(Reader, int)'
+ Allow "optional-padding" for 'Base64Variant'
+ More customizable TokenFilter inclusion (using
'Tokenfilter.Inclusion')
+ Publish Gradle Module Metadata
+ Add 'StreamReadCapability' for further format-based/format-agnostic
handling improvements
+ Add 'JsonParser.isExpectedNumberIntToken()' convenience method
+ Add 'StreamWriteCapability' for further format-based/format-agnostic
handling improvements
+ Add 'JsonParser.getNumberValueExact()' to allow precision-retaining
buffering
+ Limit initial allocated block size by 'ByteArrayBuilder' to max block
size
+ Add 'JacksonException' as parent class of 'JsonProcessingException'
+ Make 'JsonWriteContext.reset()' and 'JsonReadContext.reset()' methods
public
+ Deprecate 'JsonParser.getCurrentTokenId()' (use '#currentTokenId()'
instead)
+ Full "LICENSE" included in jar for easier access by compliancy tools
+ Fix NPE in 'writeNumber(String)' method of 'UTF8JsonGenerator',
'WriterBasedJsonGenerator'
+ Add a String Array write method in the Streaming API
+ Synchronize variants of 'JsonGenerator#writeNumberField' with
'JsonGenerator#writeNumber'
+ Add JsonGenerator#writeNumber(char[], int, int) method
+ Do not clear aggregated contents of 'TextBuffer' when
'releaseBuffers()' called
+ 'FilteringGeneratorDelegate' does not handle 'writeString(Reader,
int)'
+ Optionally allow leading decimal in float tokens
+ Rewrite to use ant for building in order to be able to use it in
packages that have to be built before maven
+ Parsing JSON with 'ALLOW_MISSING_VALUE' enabled results in endless
stream of 'VALUE_NULL' tokens
+ Handle case when system property access is restricted
+ 'FilteringGeneratorDelegate' does not handle 'writeString(Reader,
int)'
+ DataFormatMatcher#getMatchedFormatName throws NPE when no match exists
+ 'JsonParser.getCurrentLocation()' byte/char offset update incorrectly
for big payloads
jackson-databind - update from version 2.10.5.1 to version 2.13.0:
+ '@JsonValue' with integer for enum does not deserialize correctly
+ 'AnnotatedMethod.getValue()/setValue()' doesn't have useful exception
message
+ Add 'DatabindException' as intermediate subtype of
'JsonMappingException'
+ Jackson does not support deserializing new Java 9 unmodifiable
collections
+ Allocate TokenBuffer instance via context objects (to allow
format-specific buffer types)
+ Add mechanism for setting default 'ContextAttributes' for
'ObjectMapper'
+ Add 'DeserializationContext.readTreeAsValue()' methods for more
convenient conversions for deserializers to use
+ Clean up support of typed "unmodifiable", "singleton"
Maps/Sets/Collections
+ Extend internal bitfield of 'MapperFeature' to be 'long'
+ Add 'removeMixIn()' method in 'MapperBuilder'
+ Backport 'MapperBuilder' lambda-taking methods:
'withConfigOverride()', 'withCoercionConfig()',
'withCoercionConfigDefaults()'
+ configOverrides(boolean.class) silently ignored, whereas
.configOverride(Boolean.class) works for both primitives and boxed
boolean values
+ Don't track unknown props in buffer if 'ignoreAllUnknown' is true
+ Should allow deserialization of java.time types via
opaque 'JsonToken.VALUE_EMBEDDED_OBJECT'
+ Optimize "AnnotatedConstructor.call()" case by passing explicit null
+ Add AnnotationIntrospector.XmlExtensions interface for decoupling
javax dependencies
+ Custom SimpleModule not included in list returned by
ObjectMapper.getRegisteredModuleIds() after registration
+ Use more limiting default visibility settings for JDK types (java.*,
javax.*)
+ Deep merge for 'JsonNode' using 'ObjectReader.readTree()'
+ IllegalArgumentException: Conflicting setter definitions for property
with more than 2 setters
+ Serializing java.lang.Thread fails on JDK 11 and above
+ String-based 'Map' key deserializer is not deterministic when there
is no single arg constructor
+ Add ArrayNode#set(int index, primitive_type value)
+ JsonStreamContext "currentValue" wrongly references to
'@JsonTypeInfo' annotated object
+ DOM 'Node' serialization omits the default namespace declaration
+ Support 'suppressed' property when deserializing 'Throwable'
+ 'AnnotatedMember.equals()' does not work reliably
+ Add 'MapperFeature.APPLY_DEFAULT_VALUES', initially for Scala module
+ For an absent property Jackson injects 'NullNode' instead of 'null'
to a JsonNode-typed constructor argument of a
'@ConstructorProperties'-annotated constructor
+ 'XMLGregorianCalendar' doesn't work with default typing
+ Content 'null' handling not working for root values
+ StdDeserializer rejects blank (all-whitespace) strings for ints
+ 'USE_BASE_TYPE_AS_DEFAULT_IMPL' not working with
'DefaultTypeResolverBuilder'
+ Add PropertyNamingStrategies.UpperSnakeCaseStrategy (and
UPPER_SNAKE_CASE constant)
+ StackOverflowError when serializing JsonProcessingException
+ Support for BCP 47 'java.util.Locale' serialization/deserialization
+ String property deserializes null as "null" for
JsonTypeInfo.As.EXISTING_PROPERTY
+ Can not deserialize json to enum value with Object-/Array-valued
input, '@JsonCreator'
+ Fix to avoid problem with 'BigDecimalNode', scale of
'Integer.MIN_VALUE'
+ Extend handling of 'FAIL_ON_NULL_FOR_PRIMITIVES' to cover coercion
from (Empty) String via 'AsNull'
+ Add 'mvnw' wrapper
+ (regression) Factory method generic type resolution does not use
Class-bound type parameter
+ Deserialization of "empty" subtype with DEDUCTION failed
+ Merge findInjectableValues() results in AnnotationIntrospectorPair
+ READ_UNKNOWN_ENUM_VALUES_USING_DEFAULT_VALUE doesn't work with empty
strings
+ 'TypeFactory' cannot convert 'Collection' sub-type without type
parameters to canonical form and back
+ Fix for [modules-java8#207]: prevent fail on secondary Java 8
date/time types
+ EXTERNAL_PROPERTY does not work well with '@JsonCreator' and
'FAIL_ON_UNKNOWN_PROPERTIES'
+ String property deserializes null as "null" for
'JsonTypeInfo.As.EXTERNAL_PROPERTY'
+ Property ignorals cause 'BeanDeserializer' to forget how to read from
arrays (not copying '_arrayDelegateDeserializer')
+ 'UntypedObjectDeserializer' mixes multiple unwrapped collections
(related to #2733)
+ Two cases of incorrect error reporting about DeserializationFeature
+ Bug in polymorphic deserialization with '@JsonCreator',
'@JsonAnySetter', 'JsonTypeInfo.As.EXTERNAL_PROPERTY'
+ Polymorphic subtype deduction ignores 'defaultImpl' attribute
+ MismatchedInputException: Cannot deserialize instance
of 'com.fasterxml.jackson.databind.node.ObjectNode' out of
VALUE_NULL token
+ Missing override for 'hasAsKey()' in 'AnnotationIntrospectorPair'
+ Creator lookup fails with 'InvalidDefinitionException' for conflict
between single-double/single-Double arg constructor
+ 'MapDeserializer' forcing 'JsonMappingException' wrapping even if
WRAP_EXCEPTIONS set to false
+ Auto-detection of constructor-based creator method skipped if there
is an annotated factory-based creator method (regression from 2.11)
+ 'ObjectMapper.treeToValue()' no longer invokes
'JsonDeserializer.getNullValue()'
+ DeserializationProblemHandler is not invoked when trying to
deserialize String
+ Fix failing 'double' JsonCreators in jackson 2.12.0
+ Conflicting in POJOPropertiesCollector when having namingStrategy
+ Breaking API change in 'BasicClassIntrospector' (2.12.0)
+ 'JsonNode.requiredAt()' does NOT fail on some path expressions
+ Exception thrown when 'Collections.synchronizedList()' is serialized
with type info, deserialized
+ Add option to resolve type from multiple existing properties,
'@JsonTypeInfo(use=DEDUCTION)'
+ '@JsonIgnoreProperties' does not prevent Exception Conflicting
getter/setter definitions for property
+ Deserialization Not Working Right with Generic Types and Builders
+ Add '@JsonIncludeProperties(propertyNames)' (reverse of
'@JsonIgnoreProperties')
+ '@JsonAnyGetter' should be allowed on a field
+ Allow handling of single-arg constructor as property based by default
+ Allow case insensitive deserialization of String value into
'boolean'/'Boolean' (esp for Excel)
+ Allow use of
'@JsonFormat(with=JsonFormat.Feature.ACCEPT_CASE_INSENSITIVE_PROPERTIES)'
on Class
+ Abstract class included as part of known type ids for error message
when using JsonSubTypes
+ Distinguish null from empty string for UUID deserialization
+ 'ReferenceType' does not expose valid containedType
+ Add 'CoercionConfig[s]' mechanism for configuring allowed coercions
+ 'JsonProperty.Access.READ_ONLY' does not work with 'getter-as-setter'
'Collection's
+ Support 'BigInteger' and 'BigDecimal' creators in
'StdValueInstantiator'
+ 'JsonProperty.Access.READ_ONLY' fails with collections when a
property name is specified
+ 'BigDecimal' precision not retained for polymorphic deserialization
+ Support use of 'Void' valued properties
('MapperFeature.ALLOW_VOID_VALUED_PROPERTIES')
+ Explicitly fail (de)serialization of 'java.time.' types in absence
of registered custom (de)serializers
+ Improve description included by
'DeserializationContext.handleUnexpectedToken()'
+ Support for JDK 14 record types ('java.lang.Record')
+ 'PropertyNamingStrategy' class initialization depends
on its subclass, this can lead to class loading deadlock
+ 'FAIL_ON_IGNORED_PROPERTIES' does not throw on 'READONLY' properties
with an explicit name
+ Add Gradle Module Metadata for version alignment with Gradle 6
+ Allow 'JsonNode' auto-convert into 'ArrayNode' if duplicates found
(for XML)
+ Allow values of 'untyped' auto-convert into 'List' if duplicates
found (for XML)
+ Add 'ValueInstantiator.createContextual(...)'
+ Support multiple names in 'JsonSubType.Type'
+ Disabling 'FAIL_ON_INVALID_SUBTYPE' breaks polymorphic
deserialization of Enums
+ Explicitly fail (de)serialization of 'org.joda.time.' types in
absence of registered custom (de)serializers
+ Trailing zeros are stripped when deserializing BigDecimal values
inside a @JsonUnwrapped property
+ Extract getter/setter/field name mangling from 'BeanUtil' into
pluggable 'AccessorNamingStrategy'
+ Throw 'InvalidFormatException' instead of 'MismatchedInputException'
for ACCEPT_FLOAT_AS_INT coercion failures
+ Add '@JsonKey' annotation (similar to '@JsonValue') for customizable
serialization of Map keys
+ 'MapperFeature.ACCEPT_CASE_INSENSITIVE_ENUMS' should work for enum as
keys
+ Add support for disabling special handling of 'Creator properties'
wrt alphabetic property ordering
+ Add 'JsonNode.canConvertToExactIntegral()' to indicate whether
floating-point/BigDecimal values could be converted to integers
losslessly
+ Improve static factory method generic type resolution logic
+ Allow preventing 'Enum from integer' coercion using new
'CoercionConfig' system
+ '@JsonValue' not considered when evaluating inclusion
+ Make some java platform modules optional
+ Add support for serializing 'java.sql.Blob'
+ 'AnnotatedCreatorCollector' should avoid processing synthetic static
(factory) methods
+ Add errorprone static analysis profile to detect bugs at build time
+ Problem with implicit creator name detection for constructor detection
+ Add 'BeanDeserializerBase.isCaseInsensitive()'
+ Refactoring of 'CollectionDeserializer' to solve CSV array handling
issues
+ Full 'LICENSE' included in jar for easier access by compliancy tools
+ Fix type resolution for static methods (regression in 2.11.3)
+ '@JsonCreator' on constructor not compatible with
'@JsonIdentityInfo', 'PropertyGenerator'
+ Add debug improvements about 'ClassUtil.getClassMethods()'
+ Cannot detect creator arguments of mixins for JDK types
+ Add 'JsonFormat.Shape' awareness for UUID serialization
('UUIDSerializer')
+ Json serialization fails for a specific case that contains generics
and static methods with generic parameters (2.11.1 -> 2.11.2
regression)
+ 'ObjectMapper.activateDefaultTypingAsProperty()' is not using
parameter 'PolymorphicTypeValidator'
+ Problem deserializing 'raw generic' fields (like 'Map') in 2.11.2
+ Fix issues with 'MapLikeType.isTrueMapType()',
'CollectionLikeType.isTrueCollectionType()'
+ Parser/Generator features not set when using
'ObjectMapper.createParser()', 'createGenerator()'
+ Polymorphic subtypes not registering on copied ObjectMapper (2.11.1)
+ Failure to read AnnotatedField value in Jackson 2.11
+ 'TypeFactory.constructType()' does not take 'TypeBindings' correctly
+ Builder Deserialization with JsonCreator Value vs Array
+ JsonCreator on static method in Enum and Enum used as key in map
fails randomly
+ 'StdSubtypeResolver' is not thread safe (possibly due to copy not
being made with 'ObjectMapper.copy()')
+ 'Conflicting setter definitions for property' exception for 'Map'
subtype during deserialization
+ Fail to deserialize local Records
+ Rearranging of props when property-based generator is in use leads to
incorrect output
+ Jackson doesn't respect 'CAN_OVERRIDE_ACCESS_MODIFIERS=false' for
deserializer properties
+ 'DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS' doesn't support
'Map' type field
+ JsonParser from MismatchedInputException cannot getText() for
floating-point value
+ i-I case conversion problem in Turkish locale with case-insensitive
deserialization
+ '@JsonInject' fails on trying to find deserializer even if inject-only
+ Polymorphic deserialization should handle case-insensitive Type Id
property name if 'MapperFeature.ACCEPT_CASE_INSENSITIVE_PROPERTIES'
is enabled
+ TreeTraversingParser and UTF8StreamJsonParser create contexts
differently
+ Support use of '@JsonAlias' for enum values
+ 'declaringClass' of 'enum-as-POJO' not removed for 'ObjectMapper'
with a naming strategy
+ Fix 'JavaType.isEnumType()' to support sub-classes
+ BeanDeserializerBuilder Protected Factory Method for Extension
+ Support '@JsonSerialize(keyUsing)' and '@JsonDeserialize(keyUsing)'
on Key class
+ Add 'SerializationFeature.WRITE_SELF_REFERENCES_AS_NULL'
+ 'ObjectMapper.registerSubtypes(NamedType...)' doesn't allow
registering same POJO for two different type ids
+ 'DeserializationContext.handleMissingInstantiator()' throws
'MismatchedInputException' for non-static inner classes
+ Incorrect 'JsonStreamContext' for 'TokenBuffer' and
'TreeTraversingParser'
+ Add 'AnnotationIntrospector.findRenameByField()' to support Kotlin's
'is-getter' naming convention
+ Use '@JsonProperty(index)' for sorting properties on serialization
+ Java 8 'Optional' not working with '@JsonUnwrapped' on unwrappable
type
+ Add 'MapperFeature.BLOCK_UNSAFE_POLYMORPHIC_BASE_TYPES' to allow
blocking use of unsafe base type for polymorphic deserialization
+ 'ObjectMapper.setSerializationInclusion()' is ignored for
'JsonAnyGetter'
+ 'ValueInstantiationException' when deserializing using a builder and
'UNWRAP_SINGLE_VALUE_ARRAYS'
+ JsonIgnoreProperties(ignoreUnknown = true) does not work on field and
method level
+ Failure to resolve generic type parameters on serialization
+ JsonParser cannot getText() for input stream on
MismatchedInputException
+ ObjectReader readValue lacks Class<T> argument
+ Change default textual serialization of 'java.util.Date'/'Calendar'
to include colon in timezone offset
+ Add 'ObjectMapper.createParser()' and 'createGenerator()' methods
+ Allow serialization of 'Properties' with non-String values
+ Add new factory method for creating custom 'EnumValues' to pass to
'EnumDeserializer'
+ 'IllegalArgumentException' thrown for mismatched subclass
deserialization
+ Add convenience methods for creating 'List', 'Map' valued
'ObjectReader's (ObjectMapper.readerForListOf())
+ 'SerializerProvider.findContentValueSerializer()' methods
jackson-dataformats-binary - update from version 2.10.1 to version 2.13.0:
+ (cbor) Should validate UTF-8 multi-byte validity for short decode
path too
+ (ion) Deprecate 'CloseSafeUTF8Writer', remove use
+ (smile) Make 'SmileFactory' support
'JsonFactory.Feature.CANONICALIZE_FIELD_NAMES'
+ (cbor) Make 'CBORFactory' support
'JsonFactory.Feature.CANONICALIZE_FIELD_NAMES'
+ (cbor) Handle case of BigDecimal with Integer.MIN_VALUE for scale
gracefully
+ (cbor) Uncaught exception in CBORParser._nextChunkedByte2 (by
ossfuzzer)
+ (cbor) Another uncaught exception in CBORParser._nextChunkedByte2 (by
ossfuzzer)
+ (smile) Add 'SmileGenerator.Feature.LENIENT_UTF_ENCODING' for lenient
handling of broken Unicode surrogate pairs on writing
+ (avro) Add 'logicalType' support for some 'java.time' types; add
'AvroJavaTimeModule' for native ser/deser
+ Support base64 strings in 'getBinaryValue()' for CBOR and Smile
+ (cbor) 'ArrayIndexOutOfBounds' for truncated UTF-8 name
+ (avro) Generate logicalType switch
+ (smile) 'ArrayIndexOutOfBounds' for truncated UTF-8 name
+ (ion) 'jackson-dataformat-ion' does not handle null.struct
deserialization correctly
+ 'Ion-java' dep 1.4.0 -> 1.8.0
+ Minor change to Ion module registration names (fully-qualified)
+ (cbor) Uncaught exception in CBORParser._nextChunkedByte2 (by
ossfuzzer)
+ (cbor) Uncaught exception in CBORParser._findDecodedFromSymbols() (by
ossfuzzer)
+ (smile) Uncaught validation problem wrt Smile "BigDecimal" type
+ (smile) ArrayIndexOutOfBoundsException for malformed Smile header
+ (cbor) Failed to handle case of alleged String with length of
Integer.MAX_VALUE
+ (smile) Allocate byte[] lazily for longer Smile binary data payloads
+ (cbor) CBORParser need to validate zero-length byte[] for BigInteger
+ (smile) Handle invalid chunked-binary-format length gracefully
+ (smile) Allocate byte[] lazily for longer Smile binary data payloads
(7-bit encoded)
+ (smile) ArrayIndexOutOfBoundsException in
SmileParser._decodeShortUnicodeValue()
+ (smile) Handle sequence of Smile header markers without recursion
+ (cbor) CBOR loses 'Map' entries with specific 'long' Map key values
(32-bit boundary)
+ (ion) Ion Polymorphic deserialization in 2.12 breaks wrt use of
Native Type Ids when upgrading from 2.8
+ (cbor) 'ArrayIndexOutOfBoundsException' in 'CBORParser' for invalid
UTF-8 String
+ (cbor) Handle invalid CBOR content like '[0x84]' (incomplete array)
+ (ion) Respect 'WRITE_ENUMS_USING_TO_STRING' in
'EnumAsIonSymbolSerializer'
+ (ion) Add support for generating IonSexps
+ (ion) Add support for deserializing IonTimestamps and IonBlobs
+ (ion) Add 'IonObjectMapper.builderForBinaryWriters()' /
'.builderforTextualWriters()' convenience methods
+ (ion) Enabling pretty-printing fails Ion serialization
+ (ion) Allow disabling native type ids in IonMapper
+ (smile) Small bug in byte-alignment for long field names in Smile,
symbol table reuse
+ (ion) Add 'IonFactory.getIonSystem()' accessor
+ (ion) Optimize 'IonParser.getNumberType()' using
'IonReader.getIntegerSize()'
+ (cbor) Add 'CBORGenerator.Feature.LENIENT_UTF_ENCODING' for lenient
handling of Unicode surrogate pairs on writing
+ (cbor) Add support for decoding unassigned "simple values" (type 7)
+ Add Gradle Module Metadata
(https://blog.gradle.org/alignment-with-gradle-module-metadata)
+ (avro) Cache record names to avoid hitting class loader
+ (avro) Avro null deserialization
+ (ion) Add 'IonFactory.getIonSystem()' accessor
+ (avro) Add 'AvroGenerator.canWriteBinaryNatively()' to support binary
writes, fix 'java.util.UUID' representation
+ (ion) Allow 'IonObjectMapper' with class name annotation introspector
to deserialize generic subtypes
+ Remove dependencies upon Jackson 1.X and Avro's JacksonUtils
+ 'jackson-databind' should not be full dependency for (cbor, protobuf,
smile) modules
+ 'CBORGenerator.Feature.WRITE_MINIMAL_INTS' does not write most
compact form for all integers
+ 'AvroGenerator' overrides 'getOutputContext()' properly
+ (ion) Add 'IonFactory.getIonSystem()' accessor
+ (avro) Fix schema evolution involving maps of non-scalar
+ (protobuf) Parsing a protobuf message doesn't properly skip unknown
fields
+ (ion) IonObjectMapper close()s the provided IonWriter unnecessarily
+ ion-java dependency 1.4.0 -> 1.5.1
Patch Instructions:
To install this SUSE Security Update use the SUSE recommended installation methods
like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
openSUSE Leap 15.4:
zypper in -t patch openSUSE-SLE-15.4-2022-1678=1
openSUSE Leap 15.3:
zypper in -t patch openSUSE-SLE-15.3-2022-1678=1
SUSE Manager Server 4.1:
zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Server-4.1-2022-1678=1
SUSE Manager Retail Branch Server 4.1:
zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Retail-Branch-Server-4.1-2022-1678=1
SUSE Manager Proxy 4.1:
zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Proxy-4.1-2022-1678=1
SUSE Linux Enterprise Server for SAP 15-SP2:
zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP2-2022-1678=1
SUSE Linux Enterprise Server 15-SP2-LTSS:
zypper in -t patch SUSE-SLE-Product-SLES-15-SP2-LTSS-2022-1678=1
SUSE Linux Enterprise Server 15-SP2-BCL:
zypper in -t patch SUSE-SLE-Product-SLES-15-SP2-BCL-2022-1678=1
SUSE Linux Enterprise Realtime Extension 15-SP2:
zypper in -t patch SUSE-SLE-Product-RT-15-SP2-2022-1678=1
SUSE Linux Enterprise Module for SUSE Manager Server 4.3:
zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Server-4.3-2022-1678=1
SUSE Linux Enterprise Module for Development Tools 15-SP4:
zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP4-2022-1678=1
SUSE Linux Enterprise Module for Development Tools 15-SP3:
zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP3-2022-1678=1
SUSE Linux Enterprise Module for Basesystem 15-SP4:
zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP4-2022-1678=1
SUSE Linux Enterprise Module for Basesystem 15-SP3:
zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP3-2022-1678=1
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS:
zypper in -t patch SUSE-SLE-Product-HPC-15-SP2-LTSS-2022-1678=1
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS:
zypper in -t patch SUSE-SLE-Product-HPC-15-SP2-ESPOS-2022-1678=1
SUSE Enterprise Storage 7:
zypper in -t patch SUSE-Storage-7-2022-1678=1