SUSE-SU-2022:1678-1

This update for jackson-databind, jackson-dataformats-binary, jackson-annotations, jackson-bom, jackson-core fixes the following issues:

Security issues fixed:

CVE-2020-36518: Fixed a Java stack overflow exception and denial of service via a large depth of nested objects in jackson-databind. (bsc#1197132)
CVE-2020-25649: Fixed an insecure entity expansion in jackson-databind which was vulnerable to XML external entity (XXE). (bsc#1177616)
CVE-2020-28491: Fixed a bug which could cause java.lang.OutOfMemoryError exception in jackson-dataformats-binary. (bsc#1182481)

Non security fixes:

jackson-annotations - update from version 2.10.2 to version 2.13.0:

Build with source/target levels 8
Add 'mvnw' wrapper
'JsonSubType.Type' should accept array of names
Jackson version alignment with Gradle 6
Add '@JsonIncludeProperties'
Add '@JsonTypeInfo(use=DEDUCTION)'
Ability to use '@JsonAnyGetter' on fields
Add '@JsonKey' annotation
Allow repeated calls to 'SimpleObjectIdResolver.bindItem()' for same mapping
Add 'namespace' property for '@JsonProperty' (for XML module)
Add target 'ElementType.ANNOTATION_TYPE' for '@JsonEnumDefaultValue'
'JsonPattern.Value.pattern' retained as '', never (accidentally) exposed as 'null'
Rewrite to use ant for building in order to be able to use it in packages that have to be built before maven

jackson-bom - update from version 2.10.2 to version 2.13.0:

Configure moditect plugin with '<jvmVersion>11</jvmVersion>'
jackson-bom manages the version of 'junit:junit'
Drop 'jackson-datatype-hibernate3' (support for Hibernate 3.x datatypes)
Removed 'jakarta' classifier variants of JAXB/JSON-P/JAX-RS modules due to the addition of new Jakarta artifacts (Jakarta-JSONP, Jakarta-xmlbind-annotations, Jakarta-rs-providers)
Add version for 'jackson-datatype-jakarta-jsonp' module (introduced after 2.12.2)
Add (beta) version for 'jackson-dataformat-toml'
Jakarta 9 artifact versions are missing from jackson-bom
Add default settings for 'gradle-module-metadata-maven-plugin' (gradle metadata)
Add default settings for 'build-helper-maven-plugin'
Drop 'jackson-module-scala_2.10' entry (not released for Jackson 2.12 or later)
Add override for 'version.plugin.bundle' (for 5.1.1) to help build on JDK 15+
Add missing version for jackson-datatype-eclipse-collections

jackson-core - update from version 2.10.2 to version 2.13.0:

Build with source and target levels 8
Misleading exception for input source when processing byte buffer with start offset
Escape contents of source document snippet for 'JsonLocation._appendSourceDesc()'
Add 'StreamWriteException' type to eventually replace 'JsonGenerationException'
Replace 'getCurrentLocation()'/'getTokenLocation()' with 'currentLocation()'/'currentTokenLocation()' in 'JsonParser'
Replace 'JsonGenerator.writeObject()' (and related) with 'writePOJO()'
Replace 'getCurrentValue()'/'setCurrentValue()' with 'currentValue()'/'assignCurrentValue()' in 'JsonParser'/'JsonGenerator
Introduce O(n^1.5) BigDecimal parser implementation
ByteQuadsCanonicalizer.addName(String, int, int) has incorrect handling for case of q2 == null
UTF32Reader ArrayIndexOutOfBoundsException
Improve exception/JsonLocation handling for binary content: don't show content, include byte offset
Fix an issue with the TokenFilter unable to ignore properties when deserializing.
Optimize array allocation by 'JsonStringEncoder'
Add 'mvnw' wrapper
(partial) Optimize array allocation by 'JsonStringEncoder'
Add back accidentally removed 'JsonStringEncoder' related methods in 'BufferRecyclers' (like 'getJsonStringEncoder()')
'ArrayOutOfBoundException' at 'WriterBasedJsonGenerator.writeString(Reader, int)'
Allow 'optional-padding' for 'Base64Variant'
More customizable TokenFilter inclusion (using 'Tokenfilter.Inclusion')
Publish Gradle Module Metadata
Add 'StreamReadCapability' for further format-based/format-agnostic handling improvements
Add 'JsonParser.isExpectedNumberIntToken()' convenience method
Add 'StreamWriteCapability' for further format-based/format-agnostic handling improvements
Add 'JsonParser.getNumberValueExact()' to allow precision-retaining buffering
Limit initial allocated block size by 'ByteArrayBuilder' to max block size
Add 'JacksonException' as parent class of 'JsonProcessingException'
Make 'JsonWriteContext.reset()' and 'JsonReadContext.reset()' methods public
Deprecate 'JsonParser.getCurrentTokenId()' (use '#currentTokenId()' instead)
Full 'LICENSE' included in jar for easier access by compliancy tools
Fix NPE in 'writeNumber(String)' method of 'UTF8JsonGenerator', 'WriterBasedJsonGenerator'
Add a String Array write method in the Streaming API
Synchronize variants of 'JsonGenerator#writeNumberField' with 'JsonGenerator#writeNumber'
Add JsonGenerator#writeNumber(char[], int, int) method
Do not clear aggregated contents of 'TextBuffer' when 'releaseBuffers()' called
'FilteringGeneratorDelegate' does not handle 'writeString(Reader, int)'
Optionally allow leading decimal in float tokens
Rewrite to use ant for building in order to be able to use it in packages that have to be built before maven
Parsing JSON with 'ALLOW_MISSING_VALUE' enabled results in endless stream of 'VALUE_NULL' tokens
Handle case when system property access is restricted
'FilteringGeneratorDelegate' does not handle 'writeString(Reader, int)'
DataFormatMatcher#getMatchedFormatName throws NPE when no match exists
'JsonParser.getCurrentLocation()' byte/char offset update incorrectly for big payloads

jackson-databind - update from version 2.10.5.1 to version 2.13.0:

'@JsonValue' with integer for enum does not deserialize correctly
'AnnotatedMethod.getValue()/setValue()' doesn't have useful exception message
Add 'DatabindException' as intermediate subtype of 'JsonMappingException'
Jackson does not support deserializing new Java 9 unmodifiable collections
Allocate TokenBuffer instance via context objects (to allow format-specific buffer types)
Add mechanism for setting default 'ContextAttributes' for 'ObjectMapper'
Add 'DeserializationContext.readTreeAsValue()' methods for more convenient conversions for deserializers to use
Clean up support of typed 'unmodifiable', 'singleton' Maps/Sets/Collections
Extend internal bitfield of 'MapperFeature' to be 'long'
Add 'removeMixIn()' method in 'MapperBuilder'
Backport 'MapperBuilder' lambda-taking methods: 'withConfigOverride()', 'withCoercionConfig()', 'withCoercionConfigDefaults()'
configOverrides(boolean.class) silently ignored, whereas .configOverride(Boolean.class) works for both primitives and boxed boolean values
Dont track unknown props in buffer if 'ignoreAllUnknown' is true
Should allow deserialization of java.time types via opaque 'JsonToken.VALUE_EMBEDDED_OBJECT'
Optimize 'AnnotatedConstructor.call()' case by passing explicit null
Add AnnotationIntrospector.XmlExtensions interface for decoupling javax dependencies
Custom SimpleModule not included in list returned by ObjectMapper.getRegisteredModuleIds() after registration
Use more limiting default visibility settings for JDK types (java., javax.)
Deep merge for 'JsonNode' using 'ObjectReader.readTree()'
IllegalArgumentException: Conflicting setter definitions for property with more than 2 setters
Serializing java.lang.Thread fails on JDK 11 and above
String-based 'Map' key deserializer is not deterministic when there is no single arg constructor
Add ArrayNode#set(int index, primitive_type value)
JsonStreamContext 'currentValue' wrongly references to '@JsonTypeInfo' annotated object
DOM 'Node' serialization omits the default namespace declaration
Support 'suppressed' property when deserializing 'Throwable'
'AnnotatedMember.equals()' does not work reliably
Add 'MapperFeature.APPLY_DEFAULT_VALUES', initially for Scala module
For an absent property Jackson injects 'NullNode' instead of 'null' to a JsonNode-typed constructor argument of a '@ConstructorProperties'-annotated constructor
'XMLGregorianCalendar' doesn't work with default typing
Content 'null' handling not working for root values
StdDeserializer rejects blank (all-whitespace) strings for ints
'USE_BASE_TYPE_AS_DEFAULT_IMPL' not working with 'DefaultTypeResolverBuilder'
Add PropertyNamingStrategies.UpperSnakeCaseStrategy (and UPPER_SNAKE_CASE constant)
StackOverflowError when serializing JsonProcessingException
Support for BCP 47 'java.util.Locale' serialization/deserialization
String property deserializes null as 'null' for JsonTypeInfo.As.EXISTING_PROPERTY
Can not deserialize json to enum value with Object-/Array-valued input, '@JsonCreator'
Fix to avoid problem with 'BigDecimalNode', scale of 'Integer.MIN_VALUE'
Extend handling of 'FAIL_ON_NULL_FOR_PRIMITIVES' to cover coercion from (Empty) String via 'AsNull'
Add 'mvnw' wrapper
(regression) Factory method generic type resolution does not use Class-bound type parameter
Deserialization of 'empty' subtype with DEDUCTION failed
Merge findInjectableValues() results in AnnotationIntrospectorPair
READ_UNKNOWN_ENUM_VALUES_USING_DEFAULT_VALUE doesn't work with empty strings
'TypeFactory' cannot convert 'Collection' sub-type without type parameters to canonical form and back + Fix for [modules-java8#207]: prevent fail on secondary Java 8 date/time types
EXTERNAL_PROPERTY does not work well with '@JsonCreator' and 'FAIL_ON_UNKNOWN_PROPERTIES'
String property deserializes null as 'null' for 'JsonTypeInfo.As.EXTERNAL_PROPERTY'
Property ignorals cause 'BeanDeserializer 'to forget how to read from arrays (not copying '_arrayDelegateDeserializer')
UntypedObjectDeserializer' mixes multiple unwrapped collections (related to #2733)
Two cases of incorrect error reporting about DeserializationFeature
Bug in polymorphic deserialization with '@JsonCreator', '@JsonAnySetter', 'JsonTypeInfo.As.EXTERNAL_PROPERTY'
Polymorphic subtype deduction ignores 'defaultImpl' attribute
MismatchedInputException: Cannot deserialize instance of 'com.fasterxml.jackson.databind.node.ObjectNode' out of VALUE_NULL token
Missing override for 'hasAsKey()' in 'AnnotationIntrospectorPair'
Creator lookup fails with 'InvalidDefinitionException' for conflict between single-double/single-Double arg constructor
'MapDeserializer' forcing 'JsonMappingException' wrapping even if WRAP_EXCEPTIONS set to false
Auto-detection of constructor-based creator method skipped if there is an annotated factory-based creator method (regression from 2.11)
'ObjectMapper.treeToValue()' no longer invokes 'JsonDeserializer.getNullValue()'
DeserializationProblemHandler is not invoked when trying to deserialize String
Fix failing 'double' JsonCreators in jackson 2.12.0
Conflicting in POJOPropertiesCollector when having namingStrategy
Breaking API change in 'BasicClassIntrospector' (2.12.0)
'JsonNode.requiredAt()' does NOT fail on some path expressions
Exception thrown when 'Collections.synchronizedList()' is serialized with type info, deserialized
Add option to resolve type from multiple existing properties, '@JsonTypeInfo(use=DEDUCTION)'
'@JsonIgnoreProperties' does not prevent Exception Conflicting getter/setter definitions for property
Deserialization Not Working Right with Generic Types and Builders
Add '@JsonIncludeProperties(propertyNames)' (reverse of '@JsonIgnoreProperties')
'@JsonAnyGetter' should be allowed on a field
Allow handling of single-arg constructor as property based by default
Allow case insensitive deserialization of String value into 'boolean'/'Boolean' (esp for Excel)
Allow use of '@JsonFormat(with=JsonFormat.Feature .ACCEPT_CASE_INSENSITIVE_PROPERTIES)' on Class
Abstract class included as part of known type ids for error message when using JsonSubTypes
Distinguish null from empty string for UUID deserialization
'ReferenceType' does not expose valid containedType
Add 'CoercionConfig[s]' mechanism for configuring allowed coercions
'JsonProperty.Access.READ_ONLY' does not work with 'getter-as-setter' 'Collection's
Support 'BigInteger' and 'BigDecimal' creators in 'StdValueInstantiator'
'JsonProperty.Access.READ_ONLY' fails with collections when a property name is specified
'BigDecimal' precision not retained for polymorphic deserialization
Support use of 'Void' valued properties ('MapperFeature.ALLOW_VOID_VALUED_PROPERTIES')
Explicitly fail (de)serialization of 'java.time.*' types in absence of registered custom (de)serializers
Improve description included in by 'DeserializationContext.handleUnexpectedToken()'
Support for JDK 14 record types ('java.lang.Record')
'PropertyNamingStrategy' class initialization depends on its subclass, this can lead to class loading deadlock
'FAIL_ON_IGNORED_PROPERTIES' does not throw on 'READONLY' properties with an explicit name
Add Gradle Module Metadata for version alignment with Gradle 6
Allow 'JsonNode' auto-convert into 'ArrayNode' if duplicates found (for XML)
Allow values of 'untyped' auto-convert into 'List' if duplicates found (for XML)
Add 'ValueInstantiator.createContextual(...)
Support multiple names in 'JsonSubType.Type'
Disabling 'FAIL_ON_INVALID_SUBTYPE' breaks polymorphic deserialization of Enums
Explicitly fail (de)serialization of 'org.joda.time.*' types in absence of registered custom (de)serializers
Trailing zeros are stripped when deserializing BigDecimal values inside a @JsonUnwrapped property
Extract getter/setter/field name mangling from 'BeanUtil' into pluggable 'AccessorNamingStrategy'
Throw 'InvalidFormatException' instead of 'MismatchedInputException' for ACCEPT_FLOAT_AS_INT coercion failures
Add '@JsonKey' annotation (similar to '@JsonValue') for customizable serialization of Map keys
'MapperFeature.ACCEPT_CASE_INSENSITIVE_ENUMS' should work for enum as keys
Add support for disabling special handling of 'Creator properties' wrt alphabetic property ordering
Add 'JsonNode.canConvertToExactIntegral()' to indicate whether floating-point/BigDecimal values could be converted to integers losslessly
Improve static factory method generic type resolution logic
Allow preventing 'Enum from integer' coercion using new 'CoercionConfig' system
'@JsonValue' not considered when evaluating inclusion
Make some java platform modules optional
Add support for serializing 'java.sql.Blob'
'AnnotatedCreatorCollector' should avoid processing synthetic static (factory) methods
Add errorprone static analysis profile to detect bugs at build time
Problem with implicit creator name detection for constructor detection
Add 'BeanDeserializerBase.isCaseInsensitive()'
Refactoring of 'CollectionDeserializer' to solve CSV array handling issues
Full 'LICENSE' included in jar for easier access by compliancy tools
Fix type resolution for static methods (regression in 2.11.3)
'@JsonCreator' on constructor not compatible with '@JsonIdentityInfo', 'PropertyGenerator'
Add debug improvements about 'ClassUtil.getClassMethods()'
Cannot detect creator arguments of mixins for JDK types
Add 'JsonFormat.Shape' awareness for UUID serialization ('UUIDSerializer')
Json serialization fails or a specific case that contains generics and static methods with generic parameters (2.11.1 -> 2.11.2 regression)
'ObjectMapper.activateDefaultTypingAsProperty()' is not using parameter 'PolymorphicTypeValidator'
Problem deserialization 'raw generic' fields (like 'Map') in 2.11.2
Fix issues with 'MapLikeType.isTrueMapType()', 'CollectionLikeType.isTrueCollectionType()'
Parser/Generator features not set when using 'ObjectMapper.createParser()', 'createGenerator()'
Polymorphic subtypes not registering on copied ObjectMapper (2.11.1)
Failure to read AnnotatedField value in Jackson 2.11
'TypeFactory.constructType()' does not take 'TypeBindings' correctly
Builder Deserialization with JsonCreator Value vs Array
JsonCreator on static method in Enum and Enum used as key in map fails randomly
'StdSubtypeResolver' is not thread safe (possibly due to copy not being made with 'ObjectMapper.copy()')
'Conflicting setter definitions for property' exception for 'Map' subtype during deserialization
Fail to deserialize local Records
Rearranging of props when property-based generator is in use leads to incorrect output
Jackson doesn't respect 'CAN_OVERRIDE_ACCESS_MODIFIERS=false' for deserializer properties
'DeserializationFeature.UNWRAP_SINGLE_VALUE_ARRAYS' don't support 'Map' type field
JsonParser from MismatchedInputException cannot getText() for floating-point value
i-I case conversion problem in Turkish locale with case-insensitive deserialization
'@JsonInject' fails on trying to find deserializer even if inject-only
Polymorphic deserialization should handle case-insensitive Type Id property name if 'MapperFeature.ACCEPT_CASE_INSENSITIVE_PROPERTIES' is enabled
TreeTraversingParser and UTF8StreamJsonParser create contexts differently
Support use of '@JsonAlias' for enum values
'declaringClass' of 'enum-as-POJO' not removed for 'ObjectMapper' with a naming strategy
Fix 'JavaType.isEnumType()' to support sub-classes
BeanDeserializerBuilder Protected Factory Method for Extension
Support '@JsonSerialize(keyUsing)' and '@JsonDeserialize(keyUsing)' on Key class
Add 'SerializationFeature.WRITE_SELF_REFERENCES_AS_NULL'
'ObjectMapper.registerSubtypes(NamedType...)' doesn't allow registering same POJO for two different type ids
'DeserializationContext.handleMissingInstantiator()' throws 'MismatchedInputException' for non-static inner classes
Incorrect 'JsonStreamContext' for 'TokenBuffer' and 'TreeTraversingParser'
Add 'AnnotationIntrospector.findRenameByField()' to support Kotlin's 'is-getter' naming convention
Use '@JsonProperty(index)' for sorting properties on serialization
Java 8 'Optional' not working with '@JsonUnwrapped' on unwrappable type
Add 'MapperFeature.BLOCK_UNSAFE_POLYMORPHIC_BASE_TYPES' to allow blocking use of unsafe base type for polymorphic deserialization
'ObjectMapper.setSerializationInclusion()' is ignored for 'JsonAnyGetter'
'ValueInstantiationException' when deserializing using a builder and 'UNWRAP_SINGLE_VALUE_ARRAYS'
JsonIgnoreProperties(ignoreUnknown = true) does not work on field and method level
Failure to resolve generic type parameters on serialization
JsonParser cannot getText() for input stream on MismatchedInputException
ObjectReader readValue lacks Class<T> argument
Change default textual serialization of 'java.util.Date'/'Calendar' to include colon in timezone offset
Add 'ObjectMapper.createParser()' and 'createGenerator()' methods
Allow serialization of 'Properties' with non-String values
Add new factory method for creating custom 'EnumValues' to pass to 'EnumDeserializer
'IllegalArgumentException' thrown for mismatched subclass deserialization
Add convenience methods for creating 'List', 'Map' valued 'ObjectReader's (ObjectMapper.readerForListOf())
'SerializerProvider.findContentValueSerializer()' methods

jackson-dataformats-binary - update from version 2.10.1 to version 2.13.0:

(cbor) Should validate UTF-8 multi-byte validity for short decode path too
(ion) Deprecate 'CloseSafeUTF8Writer', remove use
(smile) Make 'SmileFactory' support 'JsonFactory.Feature.CANONICALIZE_FIELD_NAMES'
(cbor) Make 'CBORFactory' support 'JsonFactory.Feature.CANONICALIZE_FIELD_NAMES'
(cbor) Handle case of BigDecimal with Integer.MIN_VALUE for scale gracefully
(cbor) Uncaught exception in CBORParser._nextChunkedByte2 (by ossfuzzer)
(cbor) Another uncaught exception in CBORParser._nextChunkedByte2 (by ossfuzzer)
(smile) Add 'SmileGenerator.Feature.LENIENT_UTF_ENCODING' for lenient handling of broken Unicode surrogate pairs on writing
(avro) Add 'logicalType' support for some 'java.time' types; add 'AvroJavaTimeModule' for native ser/deser
Support base64 strings in 'getBinaryValue()' for CBOR and Smile
(cbor) 'ArrayIndexOutOfBounds' for truncated UTF-8 name
(avro) Generate logicalType switch
(smile) 'ArrayIndexOutOfBounds' for truncated UTF-8 name
(ion) 'jackson-dataformat-ion' does not handle null.struct deserialization correctly
'Ion-java' dep 1.4.0 -> 1.8.0
Minor change to Ion module registration names (fully-qualified)
(cbor) Uncaught exception in CBORParser._nextChunkedByte2 (by ossfuzzer)
(cbor) Uncaught exception in CBORParser._findDecodedFromSymbols() (by ossfuzzer)
(smile) Uncaught validation problem wrt Smile 'BigDecimal' type
(smile) ArrayIndexOutOfBoundsException for malformed Smile header
(cbor) Failed to handle case of alleged String with length of Integer.MAX_VALUE
(smile) Allocate byte[] lazily for longer Smile binary data payloads
(cbor) CBORParser need to validate zero-length byte[] for BigInteger
(smile) Handle invalid chunked-binary-format length gracefully
(smile) Allocate byte[] lazily for longer Smile binary data payloads (7-bit encoded)
(smile) ArrayIndexOutOfBoundsException in SmileParser._decodeShortUnicodeValue()
(smile) Handle sequence of Smile header markers without recursion
(cbor) CBOR loses 'Map' entries with specific 'long' Map key values (32-bit boundary)
(ion) Ion Polymorphic deserialization in 2.12 breaks wrt use of Native Type Ids when upgrading from 2.8
(cbor) 'ArrayIndexOutOfBoundsException' in 'CBORParser' for invalid UTF-8 String
(cbor) Handle invalid CBOR content like '[0x84]' (incomplete array)
(ion) Respect 'WRITE_ENUMS_USING_TO_STRING' in 'EnumAsIonSymbolSerializer'
(ion) Add support for generating IonSexps
(ion) Add support for deserializing IonTimestamps and IonBlobs
(ion) Add 'IonObjectMapper.builderForBinaryWriters()' / '.builderforTextualWriters()' convenience methods
(ion) Enabling pretty-printing fails Ion serialization
(ion) Allow disabling native type ids in IonMapper
(smile) Small bug in byte-alignment for long field names in Smile, symbol table reuse
(ion) Add 'IonFactory.getIonSystem()' accessor
(ion) Optimize 'IonParser.getNumberType()' using 'IonReader.getIntegerSize()'
(cbor) Add 'CBORGenerator.Feature.LENIENT_UTF_ENCODING' for lenient handling of Unicode surrogate pairs on writing
(cbor) Add support for decoding unassigned 'simple values' (type 7)
Add Gradle Module Metadata (https://blog.gradle.org/alignment-with-gradle-module-metadata)
(avro) Cache record names to avoid hitting class loader
(avro) Avro null deserialization
(ion) Add 'IonFactory.getIonSystem()' accessor
(avro) Add 'AvroGenerator.canWriteBinaryNatively()' to support binary writes, fix 'java.util.UUID' representation
(ion) Allow 'IonObjectMapper' with class name annotation introspector to deserialize generic subtypes
Remove dependencies upon Jackson 1.X and Avro's JacksonUtils
'jackson-databind' should not be full dependency for (cbor, protobuf, smile) modules
'CBORGenerator.Feature.WRITE_MINIMAL_INTS' does not write most compact form for all integers
'AvroGenerator' overrides 'getOutputContext()' properly
(ion) Add 'IonFactory.getIonSystem()' accessor
(avro) Fix schema evolution involving maps of non-scalar
(protobuf) Parsing a protobuf message doesn't properly skip unknown fields
(ion) IonObjectMapper close()s the provided IonWriter unnecessarily
ion-java dependency 1.4.0 -> 1.5.1

SUSE-SU-2022:1678-1

Details

Affected Packages

References

Upstream

Related

Ecosystems

Timeline