Hello community,
here is the log from the commit of package jackson-databind for
openSUSE:Factory checked in at 2026-06-25 17:22:08
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/jackson-databind (Old)
and /work/SRC/openSUSE:Factory/.jackson-databind.new.2088 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "jackson-databind"
Thu Jun 25 17:22:08 2026 rev:19 rq:1361757 version:2.18.8
Changes:
--------
--- /work/SRC/openSUSE:Factory/jackson-databind/jackson-databind.changes
2025-06-24 20:48:14.730057145 +0200
+++
/work/SRC/openSUSE:Factory/.jackson-databind.new.2088/jackson-databind.changes
2026-06-25 17:22:13.767905952 +0200
@@ -1,0 +2,145 @@
+Thu Jun 25 12:05:57 UTC 2026 - Fridrich Strba <[email protected]>
+
+- Update to 2.18.8
+ * Changes of 2.18.8
+ + #5950: Improve 'UUIDeserializer' error handling
+ + #5951: Improve 'InetSocketAddress' deserialization
+ (bsc#1268899, CVE-2026-54514)
+ + #5969: '@JsonView' by-passed for some "setterless" creator
+ properties
+ + #5971: '@JsonView' by-passed for unwrapped creator parameters
+ + #5974: '@JsonIgnore' on Record property ignored with
+ 'PropertyNamingStrategy'
+ + #5981: 'BasicPolymorphicTypeValidator' setting
+ 'allowIfSubTypeIsArray()' should validate element type
+ (bsc#1268898, CVE-2026-54513)
+ + #5988: 'PolymorphicTypeValidator' needs to validate generic
+ type parameters too
+ + #5993: 'UPPER_SNAKE_CASE' / 'LOWER_CASE' 'NamingStrategyImpls'
+ fold case using JVM default locale (Turkish-I bug)
+ * Changes of 2.18.4
+ + #4628: '@JsonIgnore' and '@JsonProperty.access=READ_ONLY' on
+ Record property ignored for deserialization
+ + #5049: Duplicate creator property "b" (index 0 vs 1) on simple
+ java record
+ * Changes of 2.18.3
+ + #4444: The 'KeyDeserializer' specified in the class with
+ '@JsonDeserialize(keyUsing = ...)' is overwritten by the
+ 'KeyDeserializer' specified in the 'ObjectMapper'.
+ + #4827: Subclassed Throwable deserialization fails since
+ v2.18.0 - no creator index for property 'cause'
+ + #4844: Fix wrapped array handling wrt 'null' by
+ 'StdDeserializer'
+ + #4848: Avoid type pollution in 'StringCollectionDeserializer'
+ + #4860: 'ConstructorDetector.USE_PROPERTIES_BASED' does not
+ work with multiple constructors since 2.18
+ + #4878: When serializing a Map via
+ Converter(StdDelegatingSerializer), a NullPointerException is
+ thrown due to missing key serializer
+ + #4908: Deserialization behavior change with @JsonCreator and
+ @ConstructorProperties between 2.17 and 2.18
+ + #4917: 'BigDecimal' deserialization issue when using
+ '@JsonCreator'
+ + #4920: Creator properties are ignored on abstract types when
+ collecting bean properties, breaking AsExternalTypeDeserializer
+ + #4922: Failing '@JsonMerge' with a custom Map
+ + #4932: Conversion of 'MissingNode' throws
+ 'JsonProcessingException'
+ * Changes of 2.18.2
+ + #4733: Wrong serialization of Type Ids for certain types of
+ Enum values
+ + #4742: Deserialization with Builder, External type id,
+ '@JsonCreator' failing
+ + #4777: 'StdValueInstantiator.withArgsCreator' is now set for
+ creators with no arguments
+ + #4783 Possibly wrong behavior of @JsonMerge
+ + #4787: Wrong 'String.format()' in 'StdDelegatingDeserializer'
+ hides actual error
+ + #4788: 'EnumFeature.WRITE_ENUMS_TO_LOWERCASE' overrides
+ '@JsonProperty' values
+ + #4790: Fix '@JsonAnySetter' issue with "setter" method
+ (related to #4639)
+ + #4807: Improve 'FactoryBasedEnumDeserializer' to work better
+ with XML module
+ + #4810: Deserialization using '@JsonCreator' with renamed
+ property failing (since 2.18)
+ * Changes of 2.18.1
+ + #4508: Deserialized JsonAnySetter field in Kotlin data class
+ is null
+ + #4639: @JsonAnySetter on field ignoring unrecognized
+ properties if they are declared before the last recognized
+ properties in JSON
+ + #4718: Should not fail on trying to serialize
+ 'java.time.DateTimeException'
+ + #4724: Deserialization behavior change with Records,
+ '@JsonCreator' and '@JsonValue' between 2.17 and 2.18
+ + #4727: Eclipse having issues due'module-info' class "lost" on
+ 2.18.0 jars
+ + #4741: When 'Include.NON_DEFAULT' setting is used on POJO,
+ empty values are not included in json if default is 'null'
+ + #4749: Fixed a problem with
+ 'StdDelegatingSerializer#serializeWithType' looking up the
+ serializer with the wrong argument
+ * Changes of 2.18.0
+ + #562: Allow '@JsonAnySetter' to flow through Creators
+ + #806: Problem with 'NamingStrategy', creator methods with
+ implicit names
+ + #2977: Incompatible 'FAIL_ON_MISSING_PRIMITIVE_PROPERTIES' and
+ field level '@JsonProperty'
+ + #3120: Return 'ListIterator' from 'ArrayNode.elements()'
+ + #3241: 'constructorDetector' seems to invalidate
+ 'defaultSetterInfo' for nullability
+ + #3439: Java Record '@JsonAnySetter' value is null after
+ deserialization
+ + #4085: '@JsonView' does not work on class-level for records
+ + #4119: Exception when deserialization uses a record with a
+ constructor property with 'access=READ_ONLY'
+ + #4356: 'BeanDeserializerModifier::updateBuilder()' doesn't
+ work for beans with Creator methods
+ + #4407: 'null' type id handling does not work with
+ 'writeTypePrefix()'
+ + #4452: '@JsonProperty' not serializing field names properly on
+ '@JsonCreator' in Record
+ + #4453: Allow JSON Integer to deserialize into a single-arg
+ constructor of parameter type 'double'
+ + #4456: Rework locking in 'DeserializerCache'
+ + #4458: Rework synchronized block from 'BeanDeserializerBase'
+ + #4464: When 'Include.NON_DEFAULT' setting is used, 'isEmpty()'
+ method is not called on the serializer
+ + #4472: Rework synchronized block in 'TypeDeserializerBase'
+ + #4483: Remove 'final' on method BeanSerializer.serialize()
+ + #4515: Rewrite Bean Property Introspection logic in Jackson
+ 2.x
+ + #4545: Unexpected deserialization behavior with
+ '@JsonCreator', '@JsonProperty' and javac '-parameters'
+ + #4570: Deprecate 'ObjectMapper.canDeserialize()'/'ObjectMapper
+ .canSerialize()'
+ + #4580: Add 'MapperFeature
+ .SORT_CREATOR_PROPERTIES_BY_DECLARATION_ORDER' to use Creator
+ properties' declaration order for sorting
+ + #4584: Provide extension point for detecting "primary"
+ Constructor for Kotlin (and similar) data classes
+ + #4602: Possible wrong use of _arrayDelegateDeserializer in
+ BeanDeserializerBase::deserializeFromObjectUsingNonDefault()
+ + #4617: Record property serialization order not preserved
+ + #4626: '@JsonIgnore' on Record property ignored for
+ deserialization, if there is getter override
+ + #4630: '@JsonIncludeProperties', '@JsonIgnoreProperties'
+ ignored when serializing Records, if there is getter override
+ + #4634: '@JsonAnySetter' not working when annotated on both
+ constructor parameter & field
+ + #4678: Java records don't serialize with 'MapperFeature
+ .REQUIRE_SETTERS_FOR_GETTERS'
+ + #4688: Should allow deserializing with no-arg
+ '@JsonCreator(mode = DELEGATING)'
+ + #4694: Deserializing 'BigDecimal' with large number of
+ decimals result in incorrect value
+ + #4699: Add extra 'writeNumber()' method in 'TokenBuffer'
+ + #4709: Add 'JacksonCollectors' with 'toArrayNode()'
+ implementation
+- Added patch:
+ * jackson-databind-CVE-2026-54515.patch
+ + Fix #5962: Case-insensitive deserialization may use wrong
+ @JsonIgnoreProperties (bsc#1268902, CVE-2026-54515)
+
+-------------------------------------------------------------------
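Review bot: the version sections in this entry run 2.18.8, 2.18.4, 2.18.3, 2.18.2, 2.18.1, 2.18.0, so 2.18.5 through 2.18.7 are not accounted for; either list their changes or say explicitly that they are omitted. Under 2.18.8, #5969, #5971 and #5988 describe '@JsonView' and 'PolymorphicTypeValidator' checks being by-passed or incomplete but carry no bsc#/CVE reference, unlike #5951 and #5981. If trackers exist for them, add the references so the fixes are visible to tooling that parses the changelog.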
Old:
----
jackson-databind-2.17.3.tar.gz
New:
----
_scmsync.obsinfo
build.specials.obscpio
jackson-databind-2.18.8.tar.gz
jackson-databind-CVE-2026-54515.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ jackson-databind.spec ++++++
--- /var/tmp/diff_new_pack.6mKubX/_old 2026-06-25 17:22:14.767940704 +0200
+++ /var/tmp/diff_new_pack.6mKubX/_new 2026-06-25 17:22:14.771940842 +0200
@@ -1,7 +1,7 @@
#
# spec file for package jackson-databind
#
-# Copyright (c) 2025 SUSE LLC
+# Copyright (c) 2026 SUSE LLC and contributors
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -20,17 +20,18 @@
# binaries are java 8 compatible
%define __requires_exclude java-headless
Name: jackson-databind
-Version: 2.17.3
+Version: 2.18.8
Release: 0
Summary: General data-binding package for Jackson (2.x)
License: Apache-2.0
URL: https://github.com/FasterXML/jackson-databind/
Source0:
https://github.com/FasterXML/jackson-databind/archive/%{name}-%{version}.tar.gz
Source1: %{name}-build.xml
+Patch0: %{name}-CVE-2026-54515.patch
BuildRequires: ant
BuildRequires: fdupes
BuildRequires: jackson-annotations
-BuildRequires: jackson-core
+BuildRequires: jackson-core >= 2.18
BuildRequires: java-devel >= 9
BuildRequires: javapackages-local >= 6
Requires: java-headless >= 1.8
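Review bot: 'BuildRequires: jackson-annotations' stays unversioned while 'jackson-core' gains '>= 2.18' in the same hunk. If 2.18.8 needs the matching annotations release, give it the same floor so a build against an older annotations package fails at dependency resolution rather than at compile time. The new 'Patch0:' line would also benefit from a comment above it naming bsc#1268902 and upstream issue #5962, so the reason for the patch is visible in the spec and not only in the .changes file.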
@@ -50,6 +51,7 @@
%prep
%setup -q -n %{name}-%{name}-%{version}
cp %{SOURCE1} build.xml
+%patch -P 0 -p1
mkdir -p lib
cp -p src/main/resources/META-INF/NOTICE .
++++++ _scmsync.obsinfo ++++++
mtime: 1782390998
commit: b8f6dbcbe96fc2a9d63d03a8c421c742932755c2be66a3d5c6ad9dd1c02e7cbf
url: https://src.opensuse.org/java-packages/jackson-databind
revision: b8f6dbcbe96fc2a9d63d03a8c421c742932755c2be66a3d5c6ad9dd1c02e7cbf
projectscmsync: https://src.opensuse.org/java-packages/_ObsPrj
++++++ build.specials.obscpio ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/.gitignore new/.gitignore
--- old/.gitignore 1970-01-01 01:00:00.000000000 +0100
+++ new/.gitignore 2026-06-25 14:36:38.000000000 +0200
@@ -0,0 +1 @@
+.osc
++++++ jackson-databind-2.17.3.tar.gz -> jackson-databind-2.18.8.tar.gz ++++++
++++ 39974 lines of diff (skipped)
++++++ jackson-databind-CVE-2026-54515.patch ++++++
---
a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerBase.java
+++
b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerBase.java
@@ -894,7 +894,10 @@ public ValueDeserializer<?>
createContextual(DeserializationContext ctxt,
// 16-May-2016, tatu: How about per-property case-insensitivity?
Boolean B =
format.getFeature(JsonFormat.Feature.ACCEPT_CASE_INSENSITIVE_PROPERTIES);
if (B != null) {
- BeanPropertyMap propsOrig = _beanProperties;
+ // [databind#5962]: must rebuild from the (possibly filtered)
contextual
+ // BeanPropertyMap so that per-property @JsonIgnoreProperties
exclusions
+ // applied by _handleByNameInclusion() above are preserved.
+ BeanPropertyMap propsOrig = contextual._beanProperties;
BeanPropertyMap props =
propsOrig.withCaseInsensitivity(B.booleanValue());
if (props != propsOrig) {
contextual = contextual.withBeanProperties(props);
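Review bot: the patch file has nothing above its first '---' line, so it records no upstream commit or pull request, no author and no description tying it to CVE-2026-54515. Add a header with the upstream reference for #5962 so the change can be compared against upstream and dropped cleanly on the next version bump. Two further checks on the hunk itself: the '@@' context reads 'public ValueDeserializer<?> createContextual(', which should be confirmed against the signature in the 2.18.8 tree so the patch applies without fuzz; and the new comment relies on '_handleByNameInclusion()' having already run on 'contextual' "above", which is outside the visible context. The patch also ships no test, so a regression test that combines ACCEPT_CASE_INSENSITIVE_PROPERTIES with a per-property '@JsonIgnoreProperties' would show that ignored names stay ignored regardless of case.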
++++++ jackson-databind-build.xml ++++++
--- /var/tmp/diff_new_pack.6mKubX/_old 2026-06-25 17:22:16.383996861 +0200
+++ /var/tmp/diff_new_pack.6mKubX/_new 2026-06-25 17:22:16.399997417 +0200
@@ -11,7 +11,7 @@
<property name="project.groupId" value="com.fasterxml.jackson.core"/>
<property name="project.artifactId" value="jackson-databind"/>
<property name="project.name" value="jackson-databind"/>
- <property name="project.version" value="2.17.3"/>
+ <property name="project.version" value="2.18.8"/>
<property name="project.vendor" value="FasterXML"/>
<property name="project.description" value="General data-binding
functionality for Jackson: works on core streaming API"/>
<property name="bundle.version" value="${project.version}"/>