File _patchinfo of Package patchinfo.17954

<patchinfo incident="17954">
  <issue tracker="cve" id="2021-20190"/>
  <issue tracker="cve" id="2020-35728"/>
  <issue tracker="cve" id="2020-25649"/>
  <issue tracker="bnc" id="1181118">VUL-0: CVE-2021-20190: jackson-databind: SSRF due to mishandling interaction between serialization gadgets and typing</issue>
  <issue tracker="bnc" id="1180391">VUL-0: CVE-2020-35728: jackson-databind: mishandles the interaction between serialization gadgets and typing</issue>
  <issue tracker="bnc" id="1177616">VUL-0: CVE-2020-25649: jackson-databind: FasterXML DOMDeserializer insecure entity expansion is vulnerable to XML external entity (XXE)</issue>
  <packager>fstrba</packager>
  <rating>moderate</rating>
  <category>security</category>
  <summary>Security update for jackson-databind</summary>
  <description>This update for jackson-databind fixes the following issues:

jackson-databind was updated to 2.10.5.1:
  * #2589: `DOMDeserializer`: setExpandEntityReferences(false) may
    not prevent external entity expansion in all cases
    (CVE-2020-25649, bsc#1177616)
  * #2787 (partial fix): NPE after add mixin for enum
  * #2679: 'ObjectMapper.readValue("123", Void.TYPE)' throws
    "should never occur"
</description>
</patchinfo>