Hello community,

here is the log from the commit of package patchinfo.15700 for 
openSUSE:Leap:15.2:Update checked in at 2021-02-01 14:11:40
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Leap:15.2:Update/patchinfo.15700 (Old)
 and      /work/SRC/openSUSE:Leap:15.2:Update/.patchinfo.15700.new.28504 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "patchinfo.15700"

Mon Feb  1 14:11:40 2021 rev:1 rq:867695 version:unknown

Changes:
--------
New Changes file:

NO CHANGES FILE!!!

New:
----
  _patchinfo

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ _patchinfo ++++++
<patchinfo incident="15700">
  <issue tracker="cve" id="2021-20190"/>
  <issue tracker="cve" id="2020-35728"/>
  <issue tracker="cve" id="2020-25649"/>
  <issue tracker="bnc" id="1181118">VUL-0: CVE-2021-20190: jackson-databind: 
SSRF due to mishandling interaction between serialization gadgets and 
typing</issue>
  <issue tracker="bnc" id="1180391">VUL-0: CVE-2020-35728: jackson-databind: 
mishandles the interaction between serialization gadgets and typing</issue>
  <issue tracker="bnc" id="1177616">VUL-0: CVE-2020-25649: jackson-databind: 
FasterXML DOMDeserializer insecure entity expansion is vulnerable to XML 
external entity (XXE)</issue>
  <packager>fstrba</packager>
  <rating>moderate</rating>
  <category>security</category>
  <summary>Security update for jackson-databind</summary>
  <description>This update for jackson-databind fixes the following issues:

jackson-databind was updated to 2.10.5.1:
  * #2589: `DOMDeserializer`: setExpandEntityReferences(false) may
    not prevent external entity expansion in all cases
    (CVE-2020-25649, bsc#1177616)
  * #2787 (partial fix): NPE after add mixin for enum
  * #2679: 'ObjectMapper.readValue("123", Void.TYPE)' throws
    "should never occur"

This update was imported from the SUSE:SLE-15-SP2:Update update 
project.</description>
</patchinfo>
