Mageia alert MGASA-2024-0069 (jackson-databind)
| From: | Mageia Updates <buildsystem-daemon@mageia.org> | |
| To: | updates-announce@ml.mageia.org | |
| Subject: | [updates-announce] MGASA-2024-0069: Updated jackson-databind packages fix security vulnerabilities | |
| Date: | Sat, 16 Mar 2024 17:29:14 +0100 | |
| Message-ID: | <20240316162914.2F9E89FD70@duvel.mageia.org> | |
| Archive-link: | Article |
MGASA-2024-0069 - Updated jackson-databind packages fix security vulnerabilities Publication date: 16 Mar 2024 URL: https://advisories.mageia.org/MGASA-2024-0069.html Type: security Affected Mageia releases: 9 CVE: CVE-2020-36518, CVE-2022-42003, CVE-2022-42004 Description: jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects. (CVE-2020-36518) In FasterXML jackson-databind before versions 2.13.4.1 and 2.12.17.1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. (CVE-2022-42003) In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization. (CVE-2022-42004) References: - https://bugs.mageia.org/show_bug.cgi?id=30368 - https://www.debian.org/lts/security/2022/dla-2990 - https://lists.suse.com/pipermail/sle-security-updates/202... - https://lists.opensuse.org/archives/list/security-announc... - https://lists.suse.com/pipermail/sle-security-updates/202... - https://lists.opensuse.org/archives/list/security-announc... - https://www.debian.org/security/2022/dsa-5283 - https://www.debian.org/lts/security/2022/dla-3207 - https://access.redhat.com/errata/RHSA-2023:2312 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3... - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4... - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-4... SRPMS: - 9/core/jackson-databind-2.11.4-2.1.mga9