From 6a8cc2a428154e9870ab9b8af584ee6ec3ea9cff Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: May 26 2020 15:25:53 +0000
Subject: import rh-maven35-jackson-databind-2.7.6-2.10.el7
---
diff --git a/SOURCES/CVE-2020-11619.patch b/SOURCES/CVE-2020-11619.patch
new file mode 100644
index 0000000..cc5d5c9
--- /dev/null
+++ b/SOURCES/CVE-2020-11619.patch
@@ -0,0 +1,18 @@
+
+https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-11619
+
+https://github.com/FasterXML/jackson-databind/commit/113e89fb08b1b6b072d60b3e4737ed407c13db9a
+
+--- jackson-databind-jackson-databind-2.7.6/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java.cve11619
++++ jackson-databind-jackson-databind-2.7.6/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+@@ -45,6 +45,10 @@
+ // [databind#1737]; 3rd party
+ //s.add("org.springframework.aop.support.AbstractBeanFactoryPointcutAdvisor"); // deprecated by [databind#1855]
+ s.add("org.springframework.beans.factory.config.PropertyPathFactoryBean");
++ // [databind#2680]
++ s.add("org.springframework.aop.config.MethodLocatingFactoryBean");
++ s.add("org.springframework.beans.factory.config.BeanReferenceFactoryBean");
++
+ s.add("com.mchange.v2.c3p0.JndiRefForwardingDataSource");
+ s.add("com.mchange.v2.c3p0.WrapperConnectionPoolDataSource");
+ // [databind#1855]: more 3rd party
diff --git a/SOURCES/CVE-2020-11620.patch b/SOURCES/CVE-2020-11620.patch
new file mode 100644
index 0000000..d3ff609
--- /dev/null
+++ b/SOURCES/CVE-2020-11620.patch
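Review bot: The two added `s.add(...)` lines in the inner SubTypeValidator hunk extend a denylist keyed on exact class names, so the protection stops at those two names: any gadget class not enumerated stays deserializable once an application enables default typing, and 2.7.x has no PolymorphicTypeValidator to offer an allowlist instead. The patch header (the lines above the inner `---`) should state that scope, e.g. `Name-based mitigation for CVE-2020-11619 only; applications should not use enableDefaultTyping() on untrusted input`. The upstream commit referenced in the header may also carry a test asserting these names are rejected; if it does, that test is not part of this backport, so nothing here verifies the new entries take effect. The same applies to the CVE-2020-11620 hunk that follows. The static initializer that builds `s` begins and ends outside the inner hunk.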
@@ -0,0 +1,17 @@
+
+https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-11620
+
+https://github.com/FasterXML/jackson-databind/commit/77040d85e3eb6710508e6445640ae1a3d5e60c22
+
+--- jackson-databind-jackson-databind-2.7.6/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java.cve11620
++++ jackson-databind-jackson-databind-2.7.6/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+@@ -107,6 +107,9 @@
+ // [databind#2666]: apache/commons-jms
+ s.add("org.apache.commons.proxy.provider.remoting.RmiProvider");
+ 
++ // [databind#2682]: commons-jelly
++ s.add("org.apache.commons.jelly.impl.Embedded");
++
+ DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
+ }
+ 
diff --git a/SPECS/jackson-databind.spec b/SPECS/jackson-databind.spec
index a4d7de2..36c6d6f 100644
--- a/SPECS/jackson-databind.spec
+++ b/SPECS/jackson-databind.spec
@@ -3,7 +3,7 @@
 Name: %{?scl_prefix}jackson-databind
 Version: 2.7.6
-Release: 2.9%{?dist}
+Release: 2.10%{?dist}
 Summary: General data-binding package for Jackson (2.x)
 License: ASL 2.0 and LGPLv2+
 URL: http://wiki.fasterxml.com/JacksonHome
@@ -26,6 +26,8 @@ Patch14: CVE-2019-12384.patch
 Patch15: CVE-2019-14379.patch
 Patch16: CVE-2019-17531.patch
 Patch17: CVE-2020_10969-11113-10968-11111-11112.patch
+Patch18: CVE-2020-11619.patch
+Patch19: CVE-2020-11620.patch
 BuildRequires: %{?scl_prefix}maven-local
 BuildRequires: %{?scl_prefix}mvn(com.fasterxml.jackson:jackson-parent:pom:)
@@ -68,6 +70,8 @@ This package contains javadoc for %{pkg_name}.
 %patch15 -p1
 %patch16 -p1
 %patch17 -p1
+%patch18 -p1
+%patch19 -p1
 cp -p src/main/resources/META-INF/LICENSE .
 cp -p src/main/resources/META-INF/NOTICE .
@@ -106,6 +110,9 @@ rm src/test/java/com/fasterxml/jackson/databind/ser/TestJdkTypes.java \
 %license LICENSE NOTICE
 %changelog
+* Mon May 18 2020 Joe Orton - 2.7.6-2.10
+- Resolves: CVE-2020-11619, CVE-2020-11620
+
 * Tue Apr 14 2020 Marian Koncek - 2.7.6-2.9
 - Fix security vulnerabilities
 - Resolves: CVE-2020-10969, CVE-2020-11113, CVE-2020-10968, CVE-2020-11111,