Bugzilla – Bug 1214111
VUL-0: CVE-2023-3894: jackson-dataformats-text: DoS during toml deserialization
Last modified: 2024-03-25 08:13:19 UTC
CVE-2023-3894: Those using jackson-dataformats-text to parse TOML data may be vulnerable to Denial of Service attacks (DoS). If the parser is running on user-supplied input, an attacker may supply content that causes the parser to crash by stack overflow. This effect may support a denial of service attack.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-3894
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50083
https://www.cve.org/CVERecord?id=CVE-2023-3894
https://github.com/FasterXML/jackson-dataformats-text/blob/2.16/release-notes/VERSION-2.x
https://github.com/FasterXML/jackson-dataformats-text/pull/398
Gus, please look at this and upgrade also the related packages so that we are on the same minor version 2.16.x.
Submitted 2.16.1 updates of the following jackson packages to Java:packages: jackson-annotations, jackson-bom, jackson-core, jackson-databind, jackson-dataformats-text, jackson-dataformats-binary, jackson-dataformat-xml, jackson-datatypes-collections, jackson-jaxrs-providers, jackson-modules-base, jackson-modules-java8, jackson-parent
This is an autogenerated message for OBS integration: This bug (1214111) was mentioned in https://build.opensuse.org/request/show/1156784 Factory / jackson-dataformats-text
Updated versions of affected packages are available to install on Tumbleweed.