Description
Security update for jackson-databind
This update for jackson-databind fixes the following issues:
jackson-databind was updated to 2.10.5.1:
- #2589: DOMDeserializer: setExpandEntityReferences(false) may not prevent external entity expansion in all cases (CVE-2020-25649, bsc#1177616)
- #2787 (partial fix): NPE after add mixin for enum
- #2679: 'ObjectMapper.readValue('123', Void.TYPE)' throws 'should never occur'
Package list
Container suse/manager/5.0/x86_64/server-attestation:latest
Container suse/manager/5.0/x86_64/server:latest
Image SLES15-SP3-Manager-4-2-Server-BYOS-Azure
Image SLES15-SP3-Manager-4-2-Server-BYOS-EC2-HVM
Image SLES15-SP3-Manager-4-2-Server-BYOS-GCE
Image SLES15-SP4-Manager-Server-4-3
Image SLES15-SP4-Manager-Server-4-3-Azure-llc
Image SLES15-SP4-Manager-Server-4-3-Azure-ltd
Image SLES15-SP4-Manager-Server-4-3-BYOS
Image SLES15-SP4-Manager-Server-4-3-BYOS-Azure
Image SLES15-SP4-Manager-Server-4-3-BYOS-EC2
Image SLES15-SP4-Manager-Server-4-3-BYOS-GCE
Image SLES15-SP4-Manager-Server-4-3-EC2-llc
Image SLES15-SP4-Manager-Server-4-3-EC2-ltd
Image server-attestation-image
Image server-image
SUSE Linux Enterprise Module for Development Tools 15 SP2
References
- Link for SUSE-SU-2021:0243-1
- E-Mail link for SUSE-SU-2021:0243-1
- SUSE Security Ratings
- SUSE Bug 1177616
- SUSE Bug 1180391
- SUSE Bug 1181118
- SUSE CVE CVE-2020-25649 page
- SUSE CVE CVE-2020-35728 page
- SUSE CVE CVE-2021-20190 page
Description
A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. This flaw allows vulnerability to XML external entity (XXE) attacks. The highest threat from this vulnerability is data integrity.
Affected products
References
- CVE-2020-25649
- SUSE Bug 1177616
Description
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool (aka embedded Xalan in org.glassfish.web/javax.servlet.jsp.jstl).
Affected products
References
- CVE-2020-35728
- SUSE Bug 1180391
Description
A flaw was found in jackson-databind before 2.9.10.7. FasterXML mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Affected products
References
- CVE-2021-20190
- SUSE Bug 1181118