SUSE-SU-2022:1678-1
May 16, 2022

Security update for jackson-databind, jackson-dataformats-binary, jackson-annotations, jackson-bom, jackson-core (important)

lists.opensuse.org

CVSS3: 7.5 High
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
(Attack Vector: Network; Attack Complexity: Low; Privileges Required: None; User Interaction: None; Scope: Unchanged; Confidentiality Impact: None; Integrity Impact: High; Availability Impact: None)

CVSS2: 5 Medium
AV:N/AC:L/Au:N/C:N/I:P/A:N
(Access Vector: Network; Access Complexity: Low; Authentication: None; Confidentiality Impact: None; Integrity Impact: Partial; Availability Impact: None)

An update that fixes three vulnerabilities is now available.

Description:

This update for jackson-databind, jackson-dataformats-binary,
jackson-annotations, jackson-bom, jackson-core fixes the following issues:

Security issues fixed:

  • CVE-2020-36518: Fixed a Java stack overflow exception and denial of
    service via a large depth of nested objects in jackson-databind.
    (bsc#1197132)
  • CVE-2020-25649: Fixed an insecure entity expansion in jackson-databind
    which was vulnerable to XML external entity (XXE). (bsc#1177616)
  • CVE-2020-28491: Fixed a bug which could cause
    java.lang.OutOfMemoryError exception in jackson-dataformats-binary.
    (bsc#1182481)
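As an added example (not part of the SUSE advisory or of the Jackson project), the guard below illustrates the class of problem behind CVE-2020-36518: it bounds nesting depth with Jackson's non-recursive streaming API before jackson-databind is asked to build a tree, which is the relevant mitigation for applications that cannot move off an affected release. The class name, the MAX_DEPTH value and the sample documents are assumptions.

```java
import com.fasterxml.jackson.core.JsonFactory;
import com.fasterxml.jackson.core.JsonParser;
import com.fasterxml.jackson.core.JsonToken;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;

import java.io.IOException;

/**
 * Bounded-depth JSON intake for services that hand untrusted input to
 * jackson-databind. The depth check uses the streaming parser, which
 * walks tokens iteratively, so it costs one linear pass and an int
 * counter instead of a recursive tree build. (Jackson 2.15+ ships an
 * equivalent limit as StreamReadConstraints.maxNestingDepth; 2.13.0,
 * the version in this update, does not.)
 */
public final class BoundedDepthJson {

    // Assumed limit: far above real payloads, far below the depth at which
    // recursive tree construction exhausts a default thread stack.
    private static final int MAX_DEPTH = 200;

    private static final JsonFactory FACTORY = new JsonFactory();
    private static final ObjectMapper MAPPER = new ObjectMapper(FACTORY);

    /** Raised when the input is rejected before ObjectMapper ever sees it. */
    public static final class DepthLimitExceededException extends IOException {
        DepthLimitExceededException(int limit) {
            super("JSON nesting depth exceeds limit of " + limit);
        }
    }

    /**
     * Returns the maximum nesting depth of the document, failing fast as
     * soon as MAX_DEPTH is passed so a hostile document is never read to
     * the end.
     */
    static int measureDepth(String json) throws IOException {
        int depth = 0;
        int maxSeen = 0;
        try (JsonParser p = FACTORY.createParser(json)) {
            for (JsonToken t = p.nextToken(); t != null; t = p.nextToken()) {
                if (t == JsonToken.START_OBJECT || t == JsonToken.START_ARRAY) {
                    if (++depth > MAX_DEPTH) {
                        throw new DepthLimitExceededException(MAX_DEPTH);
                    }
                    maxSeen = Math.max(maxSeen, depth);
                } else if (t == JsonToken.END_OBJECT || t == JsonToken.END_ARRAY) {
                    depth--;
                }
            }
        }
        return maxSeen;
    }

    /** Builds the tree only after the depth check has passed. */
    public static JsonNode readTreeBounded(String json) throws IOException {
        measureDepth(json);
        return MAPPER.readTree(json);
    }

    // Constructed demo input: a normal document and a pathological one.
    public static void main(String[] args) throws IOException {
        String ok = "{\"user\":{\"roles\":[\"admin\",\"ops\"]}}";
        System.out.println("depth=" + measureDepth(ok) + " tree=" + readTreeBounded(ok));

        StringBuilder deep = new StringBuilder();
        for (int i = 0; i < 100_000; i++) deep.append('[');
        for (int i = 0; i < 100_000; i++) deep.append(']');
        try {
            readTreeBounded(deep.toString());
        } catch (DepthLimitExceededException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```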

Non-security fixes:

jackson-annotations - update from version 2.10.2 to version 2.13.0:

  + Build with source/target levels 8
  + Add 'mvnw' wrapper
  + 'JsonSubType.Type' should accept array of names
  + Jackson version alignment with Gradle 6
  + Add '@JsonIncludeProperties'
  + Add '@JsonTypeInfo(use=DEDUCTION)'
  + Ability to use '@JsonAnyGetter' on fields
  + Add '@JsonKey' annotation
  + Allow repeated calls to 'SimpleObjectIdResolver.bindItem()' for same
    mapping
  + Add 'namespace' property for '@JsonProperty' (for XML module)
  + Add target 'ElementType.ANNOTATION_TYPE' for '@JsonEnumDefaultValue'
  + 'JsonPattern.Value.pattern' retained as "", never (accidentally)
    exposed as 'null'
  + Rewrite to use `ant` for building in order to be able to use it in
    packages that have to be built before maven

jackson-bom - update from version 2.10.2 to version 2.13.0:

  + Configure moditect plugin with '<jvmVersion>11</jvmVersion>'
  + jackson-bom manages the version of 'junit:junit'
  + Drop 'jackson-datatype-hibernate3' (support for Hibernate 3.x
    datatypes)
  + Removed "jakarta" classifier variants of JAXB/JSON-P/JAX-RS modules
    due to the addition of new Jakarta artifacts (Jakarta-JSONP,
    Jakarta-xmlbind-annotations, Jakarta-rs-providers)
  + Add version for 'jackson-datatype-jakarta-jsonp' module (introduced
    after 2.12.2)
  + Add (beta) version for 'jackson-dataformat-toml'
  + Jakarta 9 artifact versions are missing from jackson-bom
  + Add default settings for 'gradle-module-metadata-maven-plugin'
    (gradle metadata)
  + Add default settings for 'build-helper-maven-plugin'
  + Drop 'jackson-module-scala_2.10' entry (not released for Jackson 2.12
    or later)
  + Add override for 'version.plugin.bundle' (for 5.1.1) to help build on
    JDK 15+
  + Add missing version for jackson-datatype-eclipse-collections

jackson-core - update from version 2.10.2 to version 2.13.0:

  + Build with source and target levels 8
  + Misleading exception for input source when processing byte buffer
    with start offset
  + Escape contents of source document snippet for
    'JsonLocation._appendSourceDesc()'
  + Add 'StreamWriteException' type to eventually replace
    'JsonGenerationException'
  + Replace 'getCurrentLocation()'/'getTokenLocation()' with
    'currentLocation()'/'currentTokenLocation()' in 'JsonParser'
  + Replace 'JsonGenerator.writeObject()' (and related) with 'writePOJO()'
  + Replace 'getCurrentValue()'/'setCurrentValue()' with
    'currentValue()'/'assignCurrentValue()' in 'JsonParser'/'JsonGenerator'
  + Introduce O(n^1.5) BigDecimal parser implementation
  + ByteQuadsCanonicalizer.addName(String, int, int) has incorrect
    handling for case of q2 == null
  + UTF32Reader ArrayIndexOutOfBoundsException
  + Improve exception/JsonLocation handling for binary content: don't
    show content, include byte offset
  + Fix an issue with the TokenFilter unable to ignore properties when
    deserializing.
  + Optimize array allocation by 'JsonStringEncoder'
  + Add 'mvnw' wrapper
  + (partial) Optimize array allocation by 'JsonStringEncoder'
  + Add back accidentally removed 'JsonStringEncoder' related methods in
    'BufferRecyclers' (like 'getJsonStringEncoder()')
  + 'ArrayOutOfBoundException' at
    'WriterBasedJsonGenerator.writeString(Reader, int)'
  + Allow "optional-padding" for 'Base64Variant'
  + More customizable TokenFilter inclusion (using
    'Tokenfilter.Inclusion')
  + Publish Gradle Module Metadata
  + Add 'StreamReadCapability' for further format-based/format-agnostic
    handling improvements
  + Add 'JsonParser.isExpectedNumberIntToken()' convenience method
  + Add 'StreamWriteCapability' for further format-based/format-agnostic
    handling improvements
  + Add 'JsonParser.getNumberValueExact()' to allow precision-retaining
    buffering
  + Limit initial allocated block size by 'ByteArrayBuilder' to max block
    size
  + Add 'JacksonException' as parent class of 'JsonProcessingException'
  + Make 'JsonWriteContext.reset()' and 'JsonReadContext.reset()' methods
    public
  + Deprecate 'JsonParser.getCurrentTokenId()' (use '#currentTokenId()'
    instead)
  + Full "LICENSE" included in jar for easier access by compliancy tools
  + Fix NPE in 'writeNumber(String)' method of 'UTF8JsonGenerator',
    'WriterBasedJsonGenerator'
  + Add a String Array write method in the Streaming API
  + Synchronize variants of 'JsonGenerator#writeNumberField' with
    'JsonGenerator#writeNumber'
  + Add JsonGenerator#writeNumber(char[], int, int) method
  + Do not clear aggregated contents of 'TextBuffer' when
    'releaseBuffers()' called
  + 'FilteringGeneratorDelegate' does not handle 'writeString(Reader,
    int)'
  + Optionally allow leading decimal in float tokens
  + Rewrite to use ant for building in order to be able to use it in
    packages that have to be built before maven
  + Parsing JSON with 'ALLOW_MISSING_VALUE' enabled results in endless
    stream of 'VALUE_NULL' tokens
  + Handle case when system property access is restricted
  + 'FilteringGeneratorDelegate' does not handle 'writeString(Reader,
    int)'
  + DataFormatMatcher#getMatchedFormatName throws NPE when no match exists
  + 'JsonParser.getCurrentLocation()' byte/char offset update incorrectly
    for big payloads

jackson-databind - update from version 2.10.5.1 to version 2.13.0:

  + '@JsonValue' with integer for enum does not deserialize correctly
  + 'AnnotatedMethod.getValue()/setValue()' doesn't have useful exception
    message
  + Add 'DatabindException' as intermediate subtype of
    'JsonMappingException'
  + Jackson does not support deserializing new Java 9 unmodifiable
    collections
  + Allocate TokenBuffer instance via context objects (to allow
    format-specific buffer types)
  + Add mechanism for setting default 'ContextAttributes' for
    'ObjectMapper'
  + Add 'DeserializationContext.readTreeAsValue()' methods for more
    convenient conversions for deserializers to use
  + Clean up support of typed "unmodifiable", "singleton"
    Maps/Sets/Collections
  + Extend internal bitfield of 'MapperFeature' to be 'long'
  + Add 'removeMixIn()' method in 'MapperBuilder'
  + Backport 'MapperBuilder' lambda-taking methods:
    'withConfigOverride()', 'withCoercionConfig()',
    'withCoercionConfigDefaults()'
  + configOverrides(boolean.class) silently ignored, whereas
    .configOverride(Boolean.class) works for both primitives and boxed
    boolean values
  + Don't track unknown props in buffer if 'ignoreAllUnknown' is true
  + Should allow deserialization of java.time types via
    opaque 'JsonToken.VALUE_EMBEDDED_OBJECT'
  + Optimize "AnnotatedConstructor.call()" case by passing explicit null
  + Add AnnotationIntrospector.XmlExtensions interface for decoupling
    javax dependencies
  + Custom SimpleModule not included in list returned by
    ObjectMapper.getRegisteredModuleIds() after registration
  + Use more limiting default visibility settings for JDK types (java.*,
    javax.*)
  + Deep merge for 'JsonNode' using 'ObjectReader.readTree()'
  + IllegalArgumentException: Conflicting setter definitions for property
    with more than 2 setters
  + Serializing java.lang.Thread fails on JDK 11 and above
  + String-based 'Map' key deserializer is not deterministic when there
    is no single arg constructor
  + Add ArrayNode#set(int index, primitive_type value)
  + JsonStreamContext "currentValue" wrongly references to
    '@JsonTypeInfo' annotated object
  + DOM 'Node' serialization omits the default namespace declaration
  + Support 'suppressed' property when deserializing 'Throwable'
  + 'AnnotatedMember.equals()' does not work reliably
  + Add 'MapperFeature.APPLY_DEFAULT_VALUES', initially for Scala module
  + For an absent property Jackson injects 'NullNode' instead of 'null'
    to a JsonNode-typed constructor argument of a
    '@ConstructorProperties'-annotated constructor
  + 'XMLGregorianCalendar' doesn't work with default typing
  + Content 'null' handling not working for root values
  + StdDeserializer rejects blank (all-whitespace) strings for ints
  + 'USE_BASE_TYPE_AS_DEFAULT_IMPL' not working with
    'DefaultTypeResolverBuilder'
  + Add PropertyNamingStrategies.UpperSnakeCaseStrategy (and
    UPPER_SNAKE_CASE constant)
  + StackOverflowError when serializing JsonProcessingException
  + Support for BCP 47 'java.util.Locale' serialization/deserialization
  + String property deserializes null as "null" for
    JsonTypeInfo.As.EXISTING_PROPERTY
  + Can not deserialize json to enum value with Object-/Array-valued
    input, '@JsonCreator'
  + Fix to avoid problem with 'BigDecimalNode', scale of
    'Integer.MIN_VALUE'
  + Extend handling of 'FAIL_ON_NULL_FOR_PRIMITIVES' to cover coercion
    from (Empty) String via 'AsNull'
  + Add 'mvnw' wrapper
  + (regression) Factory method generic type resolution does not use
    Class-bound type parameter
  + Deserialization of "empty" subtype with DEDUCTION failed
  + Merge findInjectableValues() results in AnnotationIntrospectorPair
  + READ_UNKNOWN_ENUM_VALUES_USING_DEFAULT_VALUE doesn't work with empty
    strings
  + 'TypeFactory' cannot convert 'Collection' sub-type without type
    parameters to canonical form and back
  + Fix for [modules-java8#207]: prevent fail on secondary Java 8
    date/time types
  + EXTERNAL_PROPERTY does not work well with '@JsonCreator' and
    'FAIL_ON_UNKNOWN_PROPERTIES'
  + String property deserializes null as "null" for
    'JsonTypeInfo.As.EXTERNAL_PROPERTY'
  + Property ignorals cause 'BeanDeserializer' to forget how to read from
    arrays (not copying '_arrayDelegateDeserializer')
  + 'UntypedObjectDeserializer' mixes multiple unwrapped collections
    (related to #2733)
  + Two cases of incorrect error reporting about DeserializationFeature
  + Bug in polymorphic deserialization with '@JsonCreator',
    '@JsonAnySetter', 'JsonTypeInfo.As.EXTERNAL_PROPERTY'
  + Polymorphic subtype deduction ignores 'defaultImpl' attribute
  + MismatchedInputException: Cannot deserialize instance of
    'com.fasterxml.jackson.databind.node.ObjectNode' out of VALUE_NULL token
  + Missing override for 'hasAsKey()' in 'AnnotationIntrospectorPair'
  + Creator lookup fails with 'InvalidDefinitionException' for conflict
    between single-double/single-Double arg constructor
  + 'MapDeserializer' forcing 'JsonMappingException' wrapping even if
    WRAP_EXCEPTIONS set to false
  + Auto-detection of constructor-based creator method skipped if there
    is an annotated factory-based creator method (regression from 2.11)
  + 'ObjectMapper.treeToValue()' no longer invokes
    'JsonDeserializer.getNullValue()'
  + DeserializationProblemHandler is not invoked when trying to
    deserialize String
  + Fix failing 'double' JsonCreators in jackson 2.12.0
  + Conflicting in POJOPropertiesCollector when having namingStrategy
  + Breaking API change in 'BasicClassIntrospector' (2.12.0)
  + 'JsonNode.requiredAt()' does NOT fail on some path expressions
  + Exception thrown when 'Collections.synchronizedList()' is serialized
    with type info, deserialized
  + Add option to resolve type from multiple existing properties,
    '@JsonTypeInfo(use=DEDUCTION)'
  + '@JsonIgnoreProperties' does not prevent Exception Conflicting
    getter/setter definitions for property
  + Deserialization Not Working Right with Generic Types and Builders
  + Add '@JsonIncludeProperties(propertyNames)' (reverse of
    '@JsonIgnoreProperties')
  + '@JsonAnyGetter' should be allowed on a field
  + Allow handling of single-arg constructor as property based by default
  + Allow case insensitive deserialization of String value into
    'boolean'/'Boolean' (esp for Excel)
  + Allow use of
    '@JsonFormat(with=JsonFormat.Feature.ACCEPT_CASE_INSENSITIVE_PROPERTIES)'
    on Class
  + Abstract class included as part of known type ids for error message
    when using JsonSubTypes
  + Distinguish null from empty string for UUID deserialization
  + 'ReferenceType' does not expose valid containedType
  + Add 'CoercionConfig[s]' mechanism for configuring allowed coercions
  + 'JsonProperty.Access.READ_ONLY' does not work with "getter-as-setter"
    'Collection's
  + Support 'BigInteger' and 'BigDecimal' creators in
    'StdValueInstantiator'
  + 'JsonProperty.Access.READ_ONLY' fails with collections when a
    property name is specified
  + 'BigDecimal' precision not retained for polymorphic deserialization
  + Support use of 'Void' valued properties
    ('MapperFeature.ALLOW_VOID_VALUED_PROPERTIES')
  + Explicitly fail (de)serialization of 'java.time.' types in absence
    of registered custom (de)serializers
  + Improve description included in by
    'DeserializationContext.handleUnexpectedToken()'
  + Support for JDK 14 record types ('java.lang.Record')
  + 'PropertyNamingStrategy' class initialization depends on its
    subclass, this can lead to class loading deadlock
  + 'FAIL_ON_IGNORED_PROPERTIES' does not throw on 'READONLY' properties
    with an explicit name
  + Add Gradle Module Metadata for version alignment with Gradle 6
  + Allow 'JsonNode' auto-convert into 'ArrayNode' if duplicates found
    (for XML)
  + Allow values of "untyped" auto-convert into 'List' if duplicates
    found (for XML)
  + Add 'ValueInstantiator.createContextual()'
  + Support multiple names in 'JsonSubType.Type'
  + Disabling 'FAIL_ON_INVALID_SUBTYPE' breaks polymorphic
    deserialization of Enums
  + Explicitly fail (de)serialization of 'org.joda.time.' types in
    absence of registered custom (de)serializers
  + Trailing zeros are stripped when deserializing BigDecimal values
    inside a @JsonUnwrapped property
  + Extract getter/setter/field name mangling from 'BeanUtil' into
    pluggable 'AccessorNamingStrategy'
  + Throw 'InvalidFormatException' instead of 'MismatchedInputException'
    for ACCEPT_FLOAT_AS_INT coercion failures
  + Add '@JsonKey' annotation (similar to '@JsonValue') for customizable
    serialization of Map keys
  + 'MapperFeature.ACCEPT_CASE_INSENSITIVE_ENUMS' should work for enum as
    keys
  + Add support for disabling special handling of "Creator properties"
    wrt alphabetic property ordering
  + Add 'JsonNode.canConvertToExactIntegral()' to indicate whether
    floating-point/BigDecimal values could be converted to integers
    losslessly
  + Improve static factory method generic type resolution logic
  + Allow preventing "Enum from integer" coercion using new
    'CoercionConfig' system
  + '@JsonValue' not considered when evaluating inclusion
  + Make some java platform modules optional
  + Add support for serializing 'java.sql.Blob'
  + 'AnnotatedCreatorCollector' should avoid processing synthetic static
    (factory) methods
  + Add errorprone static analysis profile to detect bugs at build time
  + Problem with implicit creator name detection for constructor detection
  + Add 'BeanDeserializerBase.isCaseInsensitive()'
  + Refactoring of 'CollectionDeserializer' to solve CSV array handling
    issues
  + Full "LICENSE" included in jar for easier access by compliancy tools
  + Fix type resolution for static methods (regression in 2.11.3)
  + '@JsonCreator' on constructor not compatible with
    '@JsonIdentityInfo', 'PropertyGenerator'
  + Add debug improvements about 'ClassUtil.getClassMethods()'
  + Cannot detect creator arguments of mixins for JDK types
  + Add 'JsonFormat.Shape' awareness for UUID serialization
    ('UUIDSerializer')
  + Json serialization fails or a specific case that contains generics
    and static methods with generic parameters (2.11.1 -> 2.11.2
    regression)
  + 'ObjectMapper.activateDefaultTypingAsProperty()' is not using
    parameter 'PolymorphicTypeValidator'
  + Problem deserialization "raw generic" fields (like 'Map') in 2.11.2
  + Fix issues with 'MapLikeType.isTrueMapType()',
    'CollectionLikeType.isTrueCollectionType()'
  + Parser/Generator features not set when using
    'ObjectMapper.createParser()', 'createGenerator()'
  + Polymorphic subtypes not registering on copied ObjectMapper (2.11.1)
  + Failure to read AnnotatedField value in Jackson 2.11
  + 'TypeFactory.constructType()' does not take 'TypeBindings' correctly
  + Builder Deserialization with JsonCreator Value vs Array
  + JsonCreator on static method in Enum and Enum used as key in map
    fails randomly
  + 'StdSubtypeResolver' is not thread safe (possibly due to copy not
    being made with 'ObjectMapper.copy()')
  + "Conflicting setter definitions for property" exception for 'Map'
    subtype during deserialization
  + Fail to deserialize local Records
  + Rearranging of props when property-based generator is in use leads to
    incorrect output
  + Jackson doesn't respect 'CAN_OVERRIDE_ACCESS_MODIFIERS=false' for
    deserializer properties
  + 'DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS' don't support
    'Map' type field
  + JsonParser from MismatchedInputException cannot getText() for
    floating-point value
  + i-I case conversion problem in Turkish locale with case-insensitive
    deserialization
  + '@JsonInject' fails on trying to find deserializer even if inject-only
  + Polymorphic deserialization should handle case-insensitive Type Id
    property name if 'MapperFeature.ACCEPT_CASE_INSENSITIVE_PROPERTIES'
    is enabled
  + TreeTraversingParser and UTF8StreamJsonParser create contexts
    differently
  + Support use of '@JsonAlias' for enum values
  + 'declaringClass' of "enum-as-POJO" not removed for 'ObjectMapper'
    with a naming strategy
  + Fix 'JavaType.isEnumType()' to support sub-classes
  + BeanDeserializerBuilder Protected Factory Method for Extension
  + Support '@JsonSerialize(keyUsing)' and '@JsonDeserialize(keyUsing)'
    on Key class
  + Add 'SerializationFeature.WRITE_SELF_REFERENCES_AS_NULL'
  + 'ObjectMapper.registerSubtypes(NamedType)' doesn't allow
    registering same POJO for two different type ids
  + 'DeserializationContext.handleMissingInstantiator()' throws
    'MismatchedInputException' for non-static inner classes
  + Incorrect 'JsonStreamContext' for 'TokenBuffer' and
    'TreeTraversingParser'
  + Add 'AnnotationIntrospector.findRenameByField()' to support Kotlin's
    "is-getter" naming convention
  + Use '@JsonProperty(index)' for sorting properties on serialization
  + Java 8 'Optional' not working with '@JsonUnwrapped' on unwrappable
    type
  + Add 'MapperFeature.BLOCK_UNSAFE_POLYMORPHIC_BASE_TYPES' to allow
    blocking use of unsafe base type for polymorphic deserialization
  + 'ObjectMapper.setSerializationInclusion()' is ignored for
    'JsonAnyGetter'
  + 'ValueInstantiationException' when deserializing using a builder and
    'UNWRAP_SINGLE_VALUE_ARRAYS'
  + JsonIgnoreProperties(ignoreUnknown = true) does not work on field and
    method level
  + Failure to resolve generic type parameters on serialization
  + JsonParser cannot getText() for input stream on
    MismatchedInputException
  + ObjectReader readValue lacks Class<T> argument
  + Change default textual serialization of 'java.util.Date'/'Calendar'
    to include colon in timezone offset
  + Add 'ObjectMapper.createParser()' and 'createGenerator()' methods
  + Allow serialization of 'Properties' with non-String values
  + Add new factory method for creating custom 'EnumValues' to pass to
    'EnumDeserializer'
  + Add convenience methods for creating 'List', 'Map' valued
    'ObjectReader's (ObjectMapper.readerForListOf())
  + 'SerializerProvider.findContentValueSerializer()' methods

jackson-dataformats-binary - update from version 2.10.1 to version 2.13.0:

  + (cbor) Should validate UTF-8 multi-byte validity for short decode
    path too
  + (ion) Deprecate 'CloseSafeUTF8Writer', remove use
  + (smile) Make 'SmileFactory' support
    'JsonFactory.Feature.CANONICALIZE_FIELD_NAMES'
  + (cbor) Make 'CBORFactory' support
    'JsonFactory.Feature.CANONICALIZE_FIELD_NAMES'
  + (cbor) Handle case of BigDecimal with Integer.MIN_VALUE for scale
    gracefully
  + (cbor) Uncaught exception in CBORParser._nextChunkedByte2 (by
    ossfuzzer)
  + (cbor) Another uncaught exception in CBORParser._nextChunkedByte2 (by
    ossfuzzer)
  + (smile) Add 'SmileGenerator.Feature.LENIENT_UTF_ENCODING' for lenient
    handling of broken Unicode surrogate pairs on writing
  + (avro) Add 'logicalType' support for some 'java.time' types; add
    'AvroJavaTimeModule' for native ser/deser
  + Support base64 strings in 'getBinaryValue()' for CBOR and Smile
  + (cbor) 'ArrayIndexOutOfBounds' for truncated UTF-8 name
  + (avro) Generate logicalType switch
  + (smile) 'ArrayIndexOutOfBounds' for truncated UTF-8 name
  + (ion) 'jackson-dataformat-ion' does not handle null.struct
    deserialization correctly
  + 'Ion-java' dep 1.4.0 -> 1.8.0
  + Minor change to Ion module registration names (fully-qualified)
  + (cbor) Uncaught exception in CBORParser._nextChunkedByte2 (by
    ossfuzzer)
  + (cbor) Uncaught exception in CBORParser._findDecodedFromSymbols() (by
    ossfuzzer)
  + (smile) Uncaught validation problem wrt Smile "BigDecimal" type
  + (smile) ArrayIndexOutOfBoundsException for malformed Smile header
  + (cbor) Failed to handle case of alleged String with length of
    Integer.MAX_VALUE
  + (smile) Allocate byte[] lazily for longer Smile binary data payloads
  + (cbor) CBORParser need to validate zero-length byte[] for BigInteger
  + (smile) Handle invalid chunked-binary-format length gracefully
  + (smile) Allocate byte[] lazily for longer Smile binary data payloads
    (7-bit encoded)
  + (smile) ArrayIndexOutOfBoundsException in
    SmileParser._decodeShortUnicodeValue()
  + (smile) Handle sequence of Smile header markers without recursion
  + (cbor) CBOR loses 'Map' entries with specific 'long' Map key values
    (32-bit boundary)
  + (ion) Ion Polymorphic deserialization in 2.12 breaks wrt use of
    Native Type Ids when upgrading from 2.8
  + (cbor) 'ArrayIndexOutOfBoundsException' in 'CBORParser' for invalid
    UTF-8 String
  + (cbor) Handle invalid CBOR content like '[0x84]' (incomplete array)
  + (ion) Respect 'WRITE_ENUMS_USING_TO_STRING' in
    'EnumAsIonSymbolSerializer'
  + (ion) Add support for generating IonSexps
  + (ion) Add support for deserializing IonTimestamps and IonBlobs
  + (ion) Add 'IonObjectMapper.builderForBinaryWriters()' /
    '.builderforTextualWriters()' convenience methods
  + (ion) Enabling pretty-printing fails Ion serialization
  + (ion) Allow disabling native type ids in IonMapper
  + (smile) Small bug in byte-alignment for long field names in Smile,
    symbol table reuse
  + (ion) Add 'IonFactory.getIonSystem()' accessor
  + (ion) Optimize 'IonParser.getNumberType()' using
    'IonReader.getIntegerSize()'
  + (cbor) Add 'CBORGenerator.Feature.LENIENT_UTF_ENCODING' for lenient
    handling of Unicode surrogate pairs on writing
  + (cbor) Add support for decoding unassigned "simple values" (type 7)
  + Add Gradle Module Metadata
    (https://blog.gradle.org/alignment-with-gradle-module-metadata)
  + (avro) Cache record names to avoid hitting class loader
  + (avro) Avro null deserialization
  + (ion) Add 'IonFactory.getIonSystem()' accessor
  + (avro) Add 'AvroGenerator.canWriteBinaryNatively()' to support binary
    writes, fix 'java.util.UUID' representation
  + (ion) Allow 'IonObjectMapper' with class name annotation introspector
    to deserialize generic subtypes
  + Remove dependencies upon Jackson 1.X and Avro's JacksonUtils
  + 'jackson-databind' should not be full dependency for (cbor, protobuf,
    smile) modules
  + 'CBORGenerator.Feature.WRITE_MINIMAL_INTS' does not write most
    compact form for all integers
  + 'AvroGenerator' overrides 'getOutputContext()' properly
  + (ion) Add 'IonFactory.getIonSystem()' accessor
  + (avro) Fix schema evolution involving maps of non-scalar
  + (protobuf) Parsing a protobuf message doesn't properly skip unknown
    fields
  + (ion) IonObjectMapper close()s the provided IonWriter unnecessarily
  + ion-java dependency 1.4.0 -> 1.5.1

Patch Instructions:

To install this SUSE Security Update use the SUSE recommended installation methods
like YaST online_update or “zypper patch”.

Alternatively you can run the command listed for your product:

  • openSUSE Leap 15.4:

    zypper in -t patch openSUSE-SLE-15.4-2022-1678=1

  • openSUSE Leap 15.3:

    zypper in -t patch openSUSE-SLE-15.3-2022-1678=1

  • SUSE Manager Server 4.1:

    zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Server-4.1-2022-1678=1

  • SUSE Manager Retail Branch Server 4.1:

    zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Retail-Branch-Server-4.1-2022-1678=1

  • SUSE Manager Proxy 4.1:

    zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Proxy-4.1-2022-1678=1

  • SUSE Linux Enterprise Server for SAP 15-SP2:

    zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP2-2022-1678=1

  • SUSE Linux Enterprise Server 15-SP2-LTSS:

    zypper in -t patch SUSE-SLE-Product-SLES-15-SP2-LTSS-2022-1678=1

  • SUSE Linux Enterprise Server 15-SP2-BCL:

    zypper in -t patch SUSE-SLE-Product-SLES-15-SP2-BCL-2022-1678=1

  • SUSE Linux Enterprise Realtime Extension 15-SP2:

    zypper in -t patch SUSE-SLE-Product-RT-15-SP2-2022-1678=1

  • SUSE Linux Enterprise Module for SUSE Manager Server 4.3:

    zypper in -t patch SUSE-SLE-Module-SUSE-Manager-Server-4.3-2022-1678=1

  • SUSE Linux Enterprise Module for Development Tools 15-SP4:

    zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP4-2022-1678=1

  • SUSE Linux Enterprise Module for Development Tools 15-SP3:

    zypper in -t patch SUSE-SLE-Module-Development-Tools-15-SP3-2022-1678=1

  • SUSE Linux Enterprise Module for Basesystem 15-SP4:

    zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP4-2022-1678=1

  • SUSE Linux Enterprise Module for Basesystem 15-SP3:

    zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP3-2022-1678=1

  • SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS:

    zypper in -t patch SUSE-SLE-Product-HPC-15-SP2-LTSS-2022-1678=1

  • SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS:

    zypper in -t patch SUSE-SLE-Product-HPC-15-SP2-ESPOS-2022-1678=1

  • SUSE Enterprise Storage 7:

    zypper in -t patch SUSE-Storage-7-2022-1678=1

