This update for jackson-databind, jackson-dataformats-binary, jackson-annotations, jackson-bom, jackson-core fixes the following issues:
Security issues fixed:
- CVE-2020-36518: Fixed a Java stack overflow exception and denial of service via a large depth of nested objects in jackson-databind. (bsc#1197132)
- CVE-2020-25649: Fixed insecure entity expansion in jackson-databind, which was vulnerable to XML external entity (XXE) attacks. (bsc#1177616)
- CVE-2020-28491: Fixed a bug which could cause a java.lang.OutOfMemoryError exception in jackson-dataformats-binary. (bsc#1182481)
Non-security fixes:
jackson-annotations - update from version 2.10.2 to version 2.13.0:
- Build with source/target levels 8
- Add 'mvnw' wrapper
- 'JsonSubType.Type' should accept array of names
- Jackson version alignment with Gradle 6
- Add '@JsonIncludeProperties'
- Add '@JsonTypeInfo(use=DEDUCTION)'
- Ability to use '@JsonAnyGetter' on fields
- Add '@JsonKey' annotation
- Allow repeated calls to 'SimpleObjectIdResolver.bindItem()' for same mapping
- Add 'namespace' property for '@JsonProperty' (for XML module)
- Add target 'ElementType.ANNOTATION_TYPE' for '@JsonEnumDefaultValue'
- 'JsonPattern.Value.pattern' retained as '', never (accidentally) exposed as 'null'
- Rewrite to use ant for building in order to be able to use it in packages that have to be built before maven
jackson-bom - update from version 2.10.2 to version 2.13.0:
- Configure moditect plugin with '<jvmVersion>11</jvmVersion>'
- jackson-bom manages the version of 'junit:junit'
- Drop 'jackson-datatype-hibernate3' (support for Hibernate 3.x datatypes)
- Removed 'jakarta' classifier variants of JAXB/JSON-P/JAX-RS modules due to the addition of new Jakarta artifacts (Jakarta-JSONP, Jakarta-xmlbind-annotations, Jakarta-rs-providers)
- Add version for 'jackson-datatype-jakarta-jsonp' module (introduced after 2.12.2)
- Add (beta) version for...