jackson-dataformat-csv-2.15.2-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:13151 Final 1 1 2024-06-17T21:45:33Z current 2024-06-17T21:45:33Z 2024-06-17T21:45:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z jackson-dataformat-csv-2.15.2-1.1 on GA media These are all security issues fixed in the jackson-dataformat-csv-2.15.2-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-13151 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) E-Mail link for openSUSE-SU-2024:13151 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2022-1471/ SUSE CVE CVE-2022-1471 page https://www.suse.com/security/cve/CVE-2023-3894/ SUSE CVE CVE-2023-3894 page openSUSE Tumbleweed jackson-dataformat-csv-2.15.2-1.1 jackson-dataformat-properties-2.15.2-1.1 jackson-dataformat-toml-2.15.2-1.1 jackson-dataformat-yaml-2.15.2-1.1 jackson-dataformats-text-2.15.2-1.1 jackson-dataformats-text-javadoc-2.15.2-1.1 jackson-dataformat-csv-2.15.2-1.1 as a component of openSUSE Tumbleweed jackson-dataformat-properties-2.15.2-1.1 as a component of openSUSE Tumbleweed jackson-dataformat-toml-2.15.2-1.1 as a component of openSUSE Tumbleweed jackson-dataformat-yaml-2.15.2-1.1 as a component of openSUSE Tumbleweed jackson-dataformats-text-2.15.2-1.1 as a component of openSUSE Tumbleweed jackson-dataformats-text-javadoc-2.15.2-1.1 as a component of openSUSE Tumbleweed SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConsturctor when parsing untrusted content to restrict deserialization. We recommend upgrading to version 2.0 and beyond. CVE-2022-1471 openSUSE Tumbleweed:jackson-dataformat-csv-2.15.2-1.1 openSUSE Tumbleweed:jackson-dataformat-properties-2.15.2-1.1 openSUSE Tumbleweed:jackson-dataformat-toml-2.15.2-1.1 openSUSE Tumbleweed:jackson-dataformat-yaml-2.15.2-1.1 openSUSE Tumbleweed:jackson-dataformats-text-2.15.2-1.1 openSUSE Tumbleweed:jackson-dataformats-text-javadoc-2.15.2-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2022-1471.html CVE-2022-1471 https://bugzilla.suse.com/1205944 SUSE Bug 1205944 Those using jackson-dataformats-text to parse TOML data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denial of service attack. CVE-2023-3894 openSUSE Tumbleweed:jackson-dataformat-csv-2.15.2-1.1 openSUSE Tumbleweed:jackson-dataformat-properties-2.15.2-1.1 openSUSE Tumbleweed:jackson-dataformat-toml-2.15.2-1.1 openSUSE Tumbleweed:jackson-dataformat-yaml-2.15.2-1.1 openSUSE Tumbleweed:jackson-dataformats-text-2.15.2-1.1 openSUSE Tumbleweed:jackson-dataformats-text-javadoc-2.15.2-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2023-3894.html CVE-2023-3894 https://bugzilla.suse.com/1214111 SUSE Bug 1214111