diff --git a/SOURCES/CVE-2019-12384.patch b/SOURCES/CVE-2019-12384.patch
new file mode 100644
index 0000000..18fd974
--- /dev/null
+++ b/SOURCES/CVE-2019-12384.patch
@@ -0,0 +1,19 @@
+From c9ef4a10d6f6633cf470d6a469514b68fa2be234 Mon Sep 17 00:00:00 2001
+From: Tatu Saloranta
+Date: Wed, 12 Jun 2019 22:20:12 -0700
+Subject: [PATCH] Fix #2334
+
+diff -uap jackson-databind-jackson-databind-2.7.6/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java.orig jackson-databind-jackson-databind-2.7.6/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+--- jackson-databind-jackson-databind-2.7.6/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java.orig 2019-07-10 09:33:56.504230811 +0100
++++ jackson-databind-jackson-databind-2.7.6/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java 2019-07-10 09:37:41.094929667 +0100
+@@ -72,6 +72,10 @@ public class SubTypeValidator
+ s.add("org.apache.openjpa.ee.JNDIManagedRuntime");
+ // CVE-2018-19362
+ s.add("org.jboss.util.propertyeditor.DocumentEditor");
++
++ // [databind#2334] (2.9.9.1): logback-core
++ s.add("ch.qos.logback.core.db.DriverManagerConnectionSource");
++
+ DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
+ }
+
diff --git a/SPECS/jackson-databind.spec b/SPECS/jackson-databind.spec
index db71a98..c9746b9 100644
--- a/SPECS/jackson-databind.spec
+++ b/SPECS/jackson-databind.spec
@@ -3,7 +3,7 @@
 Name: %{?scl_prefix}jackson-databind
 Version: 2.7.6
-Release: 2.5%{?dist}
+Release: 2.6%{?dist}
 Summary: General data-binding package for Jackson (2.x)
 License: ASL 2.0 and LGPLv2+
 URL: http://wiki.fasterxml.com/JacksonHome
@@ -22,6 +22,7 @@ Patch10: CVE-2018-14721.patch
 Patch11: CVE-2018-19360.patch
 Patch12: CVE-2018-19361.patch
 Patch13: CVE-2018-19362.patch
+Patch14: CVE-2019-12384.patch
 BuildRequires: %{?scl_prefix}maven-local
 BuildRequires: %{?scl_prefix}mvn(com.fasterxml.jackson:jackson-parent:pom:)
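Review bot: The new blocklist entry is annotated only as `// [databind#2334] (2.9.9.1): logback-core`, while the neighbouring entries in SubTypeValidator are tagged with the CVE they close (`// CVE-2018-19362` directly above), so an auditor matching the deny-list against the spec's Patch14 line cannot tie this entry to the advisory without reading the patch filename; suggest `// CVE-2019-12384, [databind#2334] (2.9.9.1): logback-core`. The embedded patch keeps the upstream commit id and June date in its header but the `diff -uap` timestamps show it was regenerated against the 2.7.6 tree in July, so a one-line provenance note under the Subject (that this is a backport of the upstream 2.9.9.1 fix to 2.7.6) would help the next maintainer rebase it. The static initializer that populates `s` and assigns `DEFAULT_NO_DESER_CLASS_NAMES` begins before the embedded hunk. Note for the changelog that this adds a single class name to the deny-list: it blocks that one gadget when polymorphic default typing is enabled, it does not change the default-typing exposure itself, so deployments relying on that feature remain dependent on further list updates.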
@@ -60,6 +61,7 @@ This package contains javadoc for %{pkg_name}.
 %patch11 -p1
 %patch12 -p1
 %patch13 -p1
+%patch14 -p1
 cp -p src/main/resources/META-INF/LICENSE .
 cp -p src/main/resources/META-INF/NOTICE .
@@ -98,6 +100,9 @@ rm src/test/java/com/fasterxml/jackson/databind/ser/TestJdkTypes.java \
 %license LICENSE NOTICE
 %changelog
+* Wed Jul 10 2019 Joe Orton - 2.7.6-2.6
+- fix CVE-2019-12384
+
 * Tue Apr 02 2019 Mikolaj Izdebski - 2.7.6-2.5
 - Fix various security flaws
 - Resolves: CVE-2018-11307, CVE-2018-12022, CVE-2018-12023,