diff --git a/SOURCES/CVE-2018-11307.patch b/SOURCES/CVE-2018-11307.patch new file mode 100644 index 0000000..02b4311 --- /dev/null +++ b/SOURCES/CVE-2018-11307.patch @@ -0,0 +1,25 @@ +From b91f67aa5af70e694e3f9a7625fb62a24bdeb0ac Mon Sep 17 00:00:00 2001 +From: Mikolaj Izdebski +Date: Tue, 2 Apr 2019 13:56:53 +0200 +Subject: [PATCH 05/14] CVE-2018-11307 + +--- + .../jackson/databind/jsontype/impl/SubTypeValidator.java | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java +index 09692d5d7..c8457b29e 100644 +--- a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java ++++ b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java +@@ -50,6 +50,8 @@ public class SubTypeValidator + // [databind#1855]: more 3rd party + s.add("org.apache.tomcat.dbcp.dbcp2.BasicDataSource"); + s.add("com.sun.org.apache.bcel.internal.util.ClassLoader"); ++ // CVE-2018-11307 ++ s.add("org.apache.ibatis.parsing.XPathParser"); + DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s); + } + +-- +2.20.1 + diff --git a/SOURCES/CVE-2018-12022.patch b/SOURCES/CVE-2018-12022.patch new file mode 100644 index 0000000..6a4e24c --- /dev/null +++ b/SOURCES/CVE-2018-12022.patch @@ -0,0 +1,25 @@ +From d4689ae4bae7e451b9a6e8720aa0e4f58ca2e2bc Mon Sep 17 00:00:00 2001 +From: Mikolaj Izdebski +Date: Tue, 2 Apr 2019 13:57:10 +0200 +Subject: [PATCH 06/14] CVE-2018-12022 + +--- + .../jackson/databind/jsontype/impl/SubTypeValidator.java | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java +index c8457b29e..e325f2736 100644 +--- a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java ++++ b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java +@@ -52,6 +52,8 @@ public class SubTypeValidator + s.add("com.sun.org.apache.bcel.internal.util.ClassLoader"); + // CVE-2018-11307 + s.add("org.apache.ibatis.parsing.XPathParser"); ++ // CVE-2018-12022 ++ s.add("jodd.db.connection.DataSourceConnectionProvider"); + DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s); + } + +-- +2.20.1 + diff --git a/SOURCES/CVE-2018-12023.patch b/SOURCES/CVE-2018-12023.patch new file mode 100644 index 0000000..9d6be1d --- /dev/null +++ b/SOURCES/CVE-2018-12023.patch @@ -0,0 +1,26 @@ +From 5391a03f9e6458ff61edd46ee8c581736f0696c2 Mon Sep 17 00:00:00 2001 +From: Mikolaj Izdebski +Date: Tue, 2 Apr 2019 13:57:49 +0200 +Subject: [PATCH 07/14] CVE-2018-12023 + +--- + .../jackson/databind/jsontype/impl/SubTypeValidator.java | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java +index e325f2736..3a480272e 100644 +--- a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java ++++ b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java +@@ -54,6 +54,9 @@ public class SubTypeValidator + s.add("org.apache.ibatis.parsing.XPathParser"); + // CVE-2018-12022 + s.add("jodd.db.connection.DataSourceConnectionProvider"); ++ // CVE-2018-12023 ++ s.add("oracle.jdbc.connector.OracleManagedConnectionFactory"); ++ s.add("oracle.jdbc.rowset.OracleJDBCRowSet"); + DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s); + } + +-- +2.20.1 + diff --git a/SOURCES/CVE-2018-14718.patch b/SOURCES/CVE-2018-14718.patch new file mode 100644 index 0000000..4ccade7 --- /dev/null +++ b/SOURCES/CVE-2018-14718.patch @@ -0,0 +1,25 @@ +From 260944ec36d41076365d5ebf8f54cba2189a480f Mon Sep 17 00:00:00 2001 +From: Mikolaj Izdebski +Date: Tue, 2 Apr 2019 13:58:09 +0200 +Subject: [PATCH 08/14] CVE-2018-14718 + +--- + .../jackson/databind/jsontype/impl/SubTypeValidator.java | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java +index 3a480272e..ba6d48cd3 100644 +--- a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java ++++ b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java +@@ -57,6 +57,8 @@ public class SubTypeValidator + // CVE-2018-12023 + s.add("oracle.jdbc.connector.OracleManagedConnectionFactory"); + s.add("oracle.jdbc.rowset.OracleJDBCRowSet"); ++ // CVE-2018-14718 ++ s.add("org.slf4j.ext.EventData"); + DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s); + } + +-- +2.20.1 + diff --git a/SOURCES/CVE-2018-14719.patch b/SOURCES/CVE-2018-14719.patch new file mode 100644 index 0000000..da70714 --- /dev/null +++ b/SOURCES/CVE-2018-14719.patch @@ -0,0 +1,25 @@ +From c06874c1856b11fee6a4d5ba62f0d33f4231e7f5 Mon Sep 17 00:00:00 2001 +From: Mikolaj Izdebski +Date: Tue, 2 Apr 2019 13:58:49 +0200 +Subject: [PATCH 09/14] CVE-2018-14719 + +--- + .../jackson/databind/jsontype/impl/SubTypeValidator.java | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java +index ba6d48cd3..ff486440a 100644 +--- a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java ++++ b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java +@@ -59,6 +59,8 @@ public class SubTypeValidator + s.add("oracle.jdbc.rowset.OracleJDBCRowSet"); + // CVE-2018-14718 + s.add("org.slf4j.ext.EventData"); ++ // CVE-2018-14719 ++ s.add("flex.messaging.util.concurrent.AsynchBeansWorkManagerExecutor"); + DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s); + } + +-- +2.20.1 + diff --git a/SOURCES/CVE-2018-14720.patch b/SOURCES/CVE-2018-14720.patch new file mode 100644 index 0000000..9322b35 --- /dev/null +++ b/SOURCES/CVE-2018-14720.patch @@ -0,0 +1,25 @@ +From e263f240834702bb9a6c9701eef7000a87f11dd2 Mon Sep 17 00:00:00 2001 +From: Mikolaj Izdebski +Date: Tue, 2 Apr 2019 13:59:12 +0200 +Subject: [PATCH 10/14] CVE-2018-14720 + +--- + .../jackson/databind/jsontype/impl/SubTypeValidator.java | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java +index ff486440a..ac63c2607 100644 +--- a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java ++++ b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java +@@ -61,6 +61,8 @@ public class SubTypeValidator + s.add("org.slf4j.ext.EventData"); + // CVE-2018-14719 + s.add("flex.messaging.util.concurrent.AsynchBeansWorkManagerExecutor"); ++ // CVE-2018-14720 ++ s.add("com.sun.deploy.security.ruleset.DRSHelper"); + DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s); + } + +-- +2.20.1 + diff --git a/SOURCES/CVE-2018-14721.patch b/SOURCES/CVE-2018-14721.patch new file mode 100644 index 0000000..3ba93dd --- /dev/null +++ b/SOURCES/CVE-2018-14721.patch @@ -0,0 +1,25 @@ +From 10e551d5e6a7553076000fd64d5cf149afe453d4 Mon Sep 17 00:00:00 2001 +From: Mikolaj Izdebski +Date: Tue, 2 Apr 2019 13:59:25 +0200 +Subject: [PATCH 11/14] CVE-2018-14721 + +--- + .../jackson/databind/jsontype/impl/SubTypeValidator.java | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java +index ac63c2607..84c0c1d17 100644 +--- a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java ++++ b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java +@@ -63,6 +63,8 @@ public class SubTypeValidator + s.add("flex.messaging.util.concurrent.AsynchBeansWorkManagerExecutor"); + // CVE-2018-14720 + s.add("com.sun.deploy.security.ruleset.DRSHelper"); ++ // CVE-2018-14721 ++ s.add("org.apache.axis2.jaxws.spi.handler.HandlerResolverImpl"); + DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s); + } + +-- +2.20.1 + diff --git a/SOURCES/CVE-2018-19360.patch b/SOURCES/CVE-2018-19360.patch new file mode 100644 index 0000000..0653105 --- /dev/null +++ b/SOURCES/CVE-2018-19360.patch @@ -0,0 +1,25 @@ +From b1cb9fbc918bae0b57aa8dacf6471d6dbc8b85b8 Mon Sep 17 00:00:00 2001 +From: Mikolaj Izdebski +Date: Tue, 2 Apr 2019 13:59:41 +0200 +Subject: [PATCH 12/14] CVE-2018-19360 + +--- + .../jackson/databind/jsontype/impl/SubTypeValidator.java | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java +index 84c0c1d17..686ed1d42 100644 +--- a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java ++++ b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java +@@ -65,6 +65,8 @@ public class SubTypeValidator + s.add("com.sun.deploy.security.ruleset.DRSHelper"); + // CVE-2018-14721 + s.add("org.apache.axis2.jaxws.spi.handler.HandlerResolverImpl"); ++ // CVE-2018-19360 ++ s.add("org.apache.axis2.transport.jms.JMSOutTransportInfo"); + DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s); + } + +-- +2.20.1 + diff --git a/SOURCES/CVE-2018-19361.patch b/SOURCES/CVE-2018-19361.patch new file mode 100644 index 0000000..919a46b --- /dev/null +++ b/SOURCES/CVE-2018-19361.patch @@ -0,0 +1,26 @@ +From 568e26502f2b20b5d60d832b6098c7efe6a37d50 Mon Sep 17 00:00:00 2001 +From: Mikolaj Izdebski +Date: Tue, 2 Apr 2019 13:59:58 +0200 +Subject: [PATCH 13/14] CVE-2018-19361 + +--- + .../jackson/databind/jsontype/impl/SubTypeValidator.java | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java +index 686ed1d42..8b3319b54 100644 +--- a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java ++++ b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java +@@ -67,6 +67,9 @@ public class SubTypeValidator + s.add("org.apache.axis2.jaxws.spi.handler.HandlerResolverImpl"); + // CVE-2018-19360 + s.add("org.apache.axis2.transport.jms.JMSOutTransportInfo"); ++ // CVE-2018-19361 ++ s.add("org.apache.openjpa.ee.RegistryManagedRuntime"); ++ s.add("org.apache.openjpa.ee.JNDIManagedRuntime"); + DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s); + } + +-- +2.20.1 + diff --git a/SOURCES/CVE-2018-19362.patch b/SOURCES/CVE-2018-19362.patch new file mode 100644 index 0000000..d8e88c5 --- /dev/null +++ b/SOURCES/CVE-2018-19362.patch @@ -0,0 +1,25 @@ +From db7d2b4818b67564cf20b0478d1416655d255528 Mon Sep 17 00:00:00 2001 +From: Mikolaj Izdebski +Date: Tue, 2 Apr 2019 14:00:12 +0200 +Subject: [PATCH 14/14] CVE-2018-19362 + +--- + .../jackson/databind/jsontype/impl/SubTypeValidator.java | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java +index 8b3319b54..3c288e605 100644 +--- a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java ++++ b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java +@@ -70,6 +70,8 @@ public class SubTypeValidator + // CVE-2018-19361 + s.add("org.apache.openjpa.ee.RegistryManagedRuntime"); + s.add("org.apache.openjpa.ee.JNDIManagedRuntime"); ++ // CVE-2018-19362 ++ s.add("org.jboss.util.propertyeditor.DocumentEditor"); + DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s); + } + +-- +2.20.1 + diff --git a/SPECS/jackson-databind.spec b/SPECS/jackson-databind.spec index 7925327..db71a98 100644 --- a/SPECS/jackson-databind.spec +++ b/SPECS/jackson-databind.spec @@ -3,7 +3,7 @@ Name: %{?scl_prefix}jackson-databind Version: 2.7.6 -Release: 2.4%{?dist} +Release: 2.5%{?dist} Summary: General data-binding package for Jackson (2.x) License: ASL 2.0 and LGPLv2+ URL: http://wiki.fasterxml.com/JacksonHome @@ -12,6 +12,16 @@ Patch0: CVE-2017-7525.patch Patch1: CVE-2017-15095.patch Patch2: CVE-2017-17485-1.patch Patch3: CVE-2017-17485-2.patch +Patch4: CVE-2018-11307.patch +Patch5: CVE-2018-12022.patch +Patch6: CVE-2018-12023.patch +Patch7: CVE-2018-14718.patch +Patch8: CVE-2018-14719.patch +Patch9: CVE-2018-14720.patch +Patch10: CVE-2018-14721.patch +Patch11: CVE-2018-19360.patch +Patch12: CVE-2018-19361.patch +Patch13: CVE-2018-19362.patch BuildRequires: %{?scl_prefix}maven-local BuildRequires: %{?scl_prefix}mvn(com.fasterxml.jackson:jackson-parent:pom:) @@ -40,6 +50,16 @@ This package contains javadoc for %{pkg_name}. %patch1 %patch2 -p1 %patch3 -p1 +%patch4 -p1 +%patch5 -p1 +%patch6 -p1 +%patch7 -p1 +%patch8 -p1 +%patch9 -p1 +%patch10 -p1 +%patch11 -p1 +%patch12 -p1 +%patch13 -p1 cp -p src/main/resources/META-INF/LICENSE . cp -p src/main/resources/META-INF/NOTICE . @@ -78,6 +98,12 @@ rm src/test/java/com/fasterxml/jackson/databind/ser/TestJdkTypes.java \ %license LICENSE NOTICE %changelog +* Tue Apr 02 2019 Mikolaj Izdebski - 2.7.6-2.5 +- Fix various security flaws +- Resolves: CVE-2018-11307, CVE-2018-12022, CVE-2018-12023, + CVE-2018-14718, CVE-2018-14719, CVE-2018-14720, CVE-2018-14721, + CVE-2018-19360, CVE-2018-19361, CVE-2018-19362 + * Wed Jan 31 2018 Mikolaj Izdebski - 2.7.6-2.4 - Fix deserialization vulnerability - Resolves: CVE-2017-17485