From 6a8cc2a428154e9870ab9b8af584ee6ec3ea9cff Mon Sep 17 00:00:00 2001
From: CentOS Sources <bugs@centos.org>
Date: May 26 2020 15:25:53 +0000
Subject: import rh-maven35-jackson-databind-2.7.6-2.10.el7


---

diff --git a/SOURCES/CVE-2020-11619.patch b/SOURCES/CVE-2020-11619.patch
new file mode 100644
index 0000000..cc5d5c9
--- /dev/null
+++ b/SOURCES/CVE-2020-11619.patch
@@ -0,0 +1,18 @@
+
+https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-11619
+
+https://github.com/FasterXML/jackson-databind/commit/113e89fb08b1b6b072d60b3e4737ed407c13db9a
+
+--- jackson-databind-jackson-databind-2.7.6/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java.cve11619
++++ jackson-databind-jackson-databind-2.7.6/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+@@ -45,6 +45,10 @@
+         // [databind#1737]; 3rd party
+ //s.add("org.springframework.aop.support.AbstractBeanFactoryPointcutAdvisor"); // deprecated by [databind#1855]
+         s.add("org.springframework.beans.factory.config.PropertyPathFactoryBean");
++        // [databind#2680]
++        s.add("org.springframework.aop.config.MethodLocatingFactoryBean");
++        s.add("org.springframework.beans.factory.config.BeanReferenceFactoryBean");
++        
+         s.add("com.mchange.v2.c3p0.JndiRefForwardingDataSource");
+         s.add("com.mchange.v2.c3p0.WrapperConnectionPoolDataSource");
+         // [databind#1855]: more 3rd party
diff --git a/SOURCES/CVE-2020-11620.patch b/SOURCES/CVE-2020-11620.patch
new file mode 100644
index 0000000..d3ff609
--- /dev/null
+++ b/SOURCES/CVE-2020-11620.patch
@@ -0,0 +1,17 @@
+
+https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-11620
+
+https://github.com/FasterXML/jackson-databind/commit/77040d85e3eb6710508e6445640ae1a3d5e60c22
+
+--- jackson-databind-jackson-databind-2.7.6/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java.cve11620
++++ jackson-databind-jackson-databind-2.7.6/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+@@ -107,6 +107,9 @@
+         // [databind#2666]: apache/commons-jms
+         s.add("org.apache.commons.proxy.provider.remoting.RmiProvider");
+ 
++        // [databind#2682]: commons-jelly
++        s.add("org.apache.commons.jelly.impl.Embedded");
++
+         DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
+     }
+ 
diff --git a/SPECS/jackson-databind.spec b/SPECS/jackson-databind.spec
index a4d7de2..36c6d6f 100644
--- a/SPECS/jackson-databind.spec
+++ b/SPECS/jackson-databind.spec
@@ -3,7 +3,7 @@
 
 Name:          %{?scl_prefix}jackson-databind
 Version:       2.7.6
-Release:       2.9%{?dist}
+Release:       2.10%{?dist}
 Summary:       General data-binding package for Jackson (2.x)
 License:       ASL 2.0 and LGPLv2+
 URL:           http://wiki.fasterxml.com/JacksonHome
@@ -26,6 +26,8 @@ Patch14:       CVE-2019-12384.patch
 Patch15:       CVE-2019-14379.patch
 Patch16:       CVE-2019-17531.patch
 Patch17:       CVE-2020_10969-11113-10968-11111-11112.patch
+Patch18:       CVE-2020-11619.patch
+Patch19:       CVE-2020-11620.patch
 
 BuildRequires: %{?scl_prefix}maven-local
 BuildRequires: %{?scl_prefix}mvn(com.fasterxml.jackson:jackson-parent:pom:)
@@ -68,6 +70,8 @@ This package contains javadoc for %{pkg_name}.
 %patch15 -p1
 %patch16 -p1
 %patch17 -p1
+%patch18 -p1
+%patch19 -p1
 
 cp -p src/main/resources/META-INF/LICENSE .
 cp -p src/main/resources/META-INF/NOTICE .
@@ -106,6 +110,9 @@ rm src/test/java/com/fasterxml/jackson/databind/ser/TestJdkTypes.java \
 %license LICENSE NOTICE
 
 %changelog
+* Mon May 18 2020 Joe Orton <jorton@redhat.com> - 2.7.6-2.10
+- Resolves: CVE-2020-11619, CVE-2020-11620
+
 * Tue Apr 14 2020 Marian Koncek <mkoncek@redhat.com> - 2.7.6-2.9
 - Fix security vulnerabilities
 - Resolves: CVE-2020-10969, CVE-2020-11113, CVE-2020-10968, CVE-2020-11111,