fix CVE-2020-35490 CVE-2020-35491 CVE-2020-35728

CVE-2020-35490-CVE-2020-35491.patch

@@ -0,0 +1,25 @@
+From 41b8bdb5ccc1d8edb71acf1c8234da235a24249d Mon Sep 17 00:00:00 2001
+From: Tatu Saloranta <tatu.saloranta@iki.fi>
+Date: Tue, 15 Dec 2020 17:27:03 -0800
+Subject: [PATCH] Fixed #2986
+
+---
+ .../jackson/databind/jsontype/impl/SubTypeValidator.java     | 4 ++++
+ 1 files changed, 4 insertions(+)
+
+diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+index a8b5cb1ba3..6e007b9c24 100644
+--- a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
++++ b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+
+@@ -202,6 +202,10 @@ public class SubTypeValidator
+         // [databind#2798]: com.pastdev.httpcomponents:
+         s.add("com.pastdev.httpcomponents.configuration.JndiConfiguration");
+         
++        // [databind#2986]: dbcp2
++        s.add("org.apache.commons.dbcp2.datasources.PerUserPoolDataSource");
++        s.add("org.apache.commons.dbcp2.datasources.SharedPoolDataSource");
++
+         DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
+     }
+

CVE-2020-35728.patch

@@ -0,0 +1,24 @@
+From 1ca0388c2fb37ac6a06f1c188ae89c41e3e15e84 Mon Sep 17 00:00:00 2001
+From: Tatu Saloranta <tatu.saloranta@iki.fi>
+Date: Sat, 26 Dec 2020 14:20:53 -0800
+Subject: [PATCH] Fixed #2999
+
+---
+ .../jackson/databind/jsontype/impl/SubTypeValidator.java      | 4 ++++
+ 1 files changed, 4 insertions(+)
+ 
+diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+index f044a6cbdf..0ec8a75bae 100644
+--- a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
++++ b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+@@ -206,6 +206,10 @@ public class SubTypeValidator
+         s.add("org.apache.commons.dbcp2.datasources.PerUserPoolDataSource");
+         s.add("org.apache.commons.dbcp2.datasources.SharedPoolDataSource");
+ 
++        // [databind#2999]: org.glassfish.web/javax.servlet.jsp.jstl (embedded Xalan)
++        // (derivative of #2469)
++        s.add("com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool");
++
+         DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
+     }
+ 

jackson-databind.spec

@@ -1,6 +1,6 @@
 Name:                jackson-databind
 Version:             2.9.8
-Release:             3
+Release:             4
 Summary:             General data-binding package for Jackson (2.x)
 License:             ASL 2.0 and LGPLv2+
 URL:                 https://github.com/FasterXML/jackson-databind/
@@ -38,6 +38,8 @@ Patch0029:           CVE-2020-14195.patch
 Patch0030:           CVE-2020-24750.patch
 Patch0031:           CVE-2020-24616.patch
 Patch0032:           CVE-2020-25649.patch
+Patch0033:           CVE-2020-35490-CVE-2020-35491.patch
+Patch0034:           CVE-2020-35728.patch
 
 BuildRequires:       maven-local mvn(com.fasterxml.jackson.core:jackson-annotations) >= %{version}
 BuildRequires:       mvn(com.fasterxml.jackson.core:jackson-core) >= %{version}
@@ -90,6 +92,9 @@ rm src/test/java/com/fasterxml/jackson/databind/ser/jdk/JDKTypeSerializationTest
 %license LICENSE NOTICE
 
 %changelog
+* Mon Jan 11 2021 wangxiao <wangxiao65@huawei.com> - 2.9.8-4
+- fix CVE-2020-35490 CVE-2020-35491 CVE-2020-35728
+
 * Sat Dec 12 2020 zhanghua <zhanghua40@huawei.com> - 2.9.8-3
 - fix CVE-2020-25649