#983664 jackson-dataformat-cbor: CVE-2020-28491

Package:
src:jackson-dataformat-cbor
Source:
jackson-dataformat-cbor
Submitter:
Salvatore Bonaccorso
Date:
2025-04-04 09:39:02 UTC
Severity:
important
#983664#5
Date:
2021-02-28 09:42:41 UTC
Hi,

The following vulnerability was published for jackson-dataformat-cbor.

CVE-2020-28491[0]:
| This affects the package com.fasterxml.jackson.dataformat:jackson-
| dataformat-cbor from 0 and before 2.11.4, from 2.12.0-rc1 and before
| 2.12.1. Unchecked allocation of byte buffer can cause a
| java.lang.OutOfMemoryError exception.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-28491
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28491
[1] https://github.com/FasterXML/jackson-dataformats-binary/issues/186
[2] https://github.com/FasterXML/jackson-dataformats-binary/commit/de072d314af8f5f269c8abec6930652af67bc8e6
[3] https://snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONDATAFORMAT-1047329

Regards,
Salvatore
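The CVE text above names the bug class but not its shape. The following is an added illustration, not Jackson's code and not the backported patch: a small reader for one CBOR-style byte string in the 4-byte-length form (initial byte 0x5A, then a big-endian uint32 length) shown in its unchecked form beside a bounded one. The `MAX_BYTE_STRING_LENGTH` policy value, the `CHUNK` size and the `BoundedByteStringReader` class name are assumptions chosen for the example; the two inputs in `main` are constructed.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.DataInputStream;
import java.io.EOFException;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;

/**
 * Constructed illustration of the bug class named in the CVE text: a decoder
 * that sizes a buffer from an attacker-controlled length field before it has
 * read any of the payload. This is not Jackson's code.
 */
public class BoundedByteStringReader {

    /** Hypothetical policy limit: the largest byte string we will materialise. */
    static final int MAX_BYTE_STRING_LENGTH = 16 * 1024 * 1024;

    /** Chunk size for the incremental reads in the hardened variant. */
    static final int CHUNK = 8 * 1024;

    private static long readHeader(DataInputStream din) throws IOException {
        int initial = din.readUnsignedByte();
        if (initial != 0x5A) {
            throw new IOException("expected byte string with 4-byte length, got 0x"
                    + Integer.toHexString(initial));
        }
        return din.readInt() & 0xFFFFFFFFL;   // unsigned 32-bit declared length
    }

    /**
     * Vulnerable shape ("before"): the declared length goes straight into
     * new byte[]. A header claiming ~2 GiB forces that allocation whether or
     * not any payload follows, which is how an OutOfMemoryError is reached.
     */
    static byte[] readUnchecked(InputStream in) throws IOException {
        DataInputStream din = new DataInputStream(in);
        long declared = readHeader(din);
        byte[] buf = new byte[(int) declared];  // unchecked allocation
        din.readFully(buf);
        return buf;
    }

    /**
     * Hardened shape ("after"): reject lengths above the policy limit up front,
     * then read incrementally so memory grows only with bytes actually present.
     * A truncated payload fails with EOFException instead of having already
     * committed a large buffer.
     */
    static byte[] readBounded(InputStream in) throws IOException {
        DataInputStream din = new DataInputStream(in);
        long declared = readHeader(din);
        if (declared > MAX_BYTE_STRING_LENGTH) {
            throw new IOException("declared byte string length " + declared
                    + " exceeds limit " + MAX_BYTE_STRING_LENGTH);
        }
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        byte[] chunk = new byte[CHUNK];
        long remaining = declared;
        while (remaining > 0) {
            int want = (int) Math.min(remaining, chunk.length);
            int got = din.read(chunk, 0, want);
            if (got < 0) {
                throw new EOFException("payload truncated: " + remaining
                        + " of " + declared + " bytes missing");
            }
            out.write(chunk, 0, got);
            remaining -= got;
        }
        return out.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        // Constructed well-formed input: 0x5A, length 5, then "hello".
        byte[] ok = {0x5A, 0, 0, 0, 5, 'h', 'e', 'l', 'l', 'o'};
        System.out.println("bounded ok: "
                + new String(readBounded(new ByteArrayInputStream(ok)), StandardCharsets.US_ASCII));

        // Constructed hostile header: declares 0x7FFFFFFF bytes but carries none.
        byte[] hostile = {0x5A, 0x7F, (byte) 0xFF, (byte) 0xFF, (byte) 0xFF};
        try {
            readBounded(new ByteArrayInputStream(hostile));
        } catch (IOException e) {
            System.out.println("bounded rejected: " + e.getMessage());
        }
        // readUnchecked(new ByteArrayInputStream(hostile)) would instead try to
        // allocate a ~2 GiB array before reading anything: the CVE's failure mode.
    }
}
```

The check that matters is the comparison against a limit before any allocation; the chunked loop is the second half of the defence, because a limit alone still lets a header that is under the cap but backed by no data commit the full buffer. Whatever limit a real decoder uses should be configurable per deployment rather than hard-coded as it is here.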

#983664#14
Date:
2025-04-04 09:21:25 UTC
I am uploading an NMU to fix this.
Please find the debdiff attached.

#983664#19
Date:
2025-04-04 09:34:25 UTC
We believe that the bug you reported is fixed in the latest version of
jackson-dataformat-cbor, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 983664@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bastian Germann <bage@debian.org> (supplier of updated jackson-dataformat-cbor package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Fri, 04 Apr 2025 08:32:50 +0200
Source: jackson-dataformat-cbor
Architecture: source
Version: 2.7.8-5.1
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Bastian Germann <bage@debian.org>
Closes: 983664
Changes:
 jackson-dataformat-cbor (2.7.8-5.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * Backport fix for CVE-2020-28491. (Closes: #983664)
Checksums-Sha1:
 b9727a3b585b8f7fbc8be7f0d3791a9eaa1921a2 2251 jackson-dataformat-cbor_2.7.8-5.1.dsc
 d411e95d288b19c564b4e8e062b95435a433d335 6388 jackson-dataformat-cbor_2.7.8-5.1.debian.tar.xz
 b211a78ae646a79b595885e46cb8370ab07e2a71 14927 jackson-dataformat-cbor_2.7.8-5.1_source.buildinfo
Checksums-Sha256:
 28ee6923038acfcfd7b6b2e12efd66982a8fcb86ba0c4493c0e513c2f837a07b 2251 jackson-dataformat-cbor_2.7.8-5.1.dsc
 5c6cb56e43ae32f1661d0985a0d3c0ec9f014c2a8c2b475d20ba0ae626e02fc0 6388 jackson-dataformat-cbor_2.7.8-5.1.debian.tar.xz
 9b5d4d208d8d933cfc229ff56ca593d2fab09875d4fc078c7a2fb405a5c298e7 14927 jackson-dataformat-cbor_2.7.8-5.1_source.buildinfo
Files:
 d505c9402513fb08572a8d576a42750c 2251 java optional jackson-dataformat-cbor_2.7.8-5.1.dsc
 5e98e48e99f0f2ec0be5cb4f509f6b39 6388 java optional jackson-dataformat-cbor_2.7.8-5.1.debian.tar.xz
 69e625e45ac2e2950212f0913942e5b2 14927 java optional jackson-dataformat-cbor_2.7.8-5.1_source.buildinfo