From 18d17b80734c2448be7a74527895b698abd63736 Mon Sep 17 00:00:00 2001 From: wangxiao65 <287608437@qq.com> Date: Mon, 11 Jan 2021 11:51:43 +0800 Subject: [PATCH] fix CVE-2020-35490 CVE-2020-35491 CVE-2020-35728 --- CVE-2020-35490-CVE-2020-35491.patch | 25 +++++++++++++++++++++++++ CVE-2020-35728.patch | 24 ++++++++++++++++++++++++ jackson-databind.spec | 7 ++++++- 3 files changed, 55 insertions(+), 1 deletion(-) create mode 100644 CVE-2020-35490-CVE-2020-35491.patch create mode 100644 CVE-2020-35728.patch diff --git a/CVE-2020-35490-CVE-2020-35491.patch b/CVE-2020-35490-CVE-2020-35491.patch new file mode 100644 index 0000000..1e904b0 --- /dev/null +++ b/CVE-2020-35490-CVE-2020-35491.patch @@ -0,0 +1,25 @@ +From 41b8bdb5ccc1d8edb71acf1c8234da235a24249d Mon Sep 17 00:00:00 2001 +From: Tatu Saloranta +Date: Tue, 15 Dec 2020 17:27:03 -0800 +Subject: [PATCH] Fixed #2986 + +--- + .../jackson/databind/jsontype/impl/SubTypeValidator.java | 4 ++++ + 1 files changed, 4 insertions(+) + +diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java +index a8b5cb1ba3..6e007b9c24 100644 +--- a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java ++++ b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java + +@@ -202,6 +202,10 @@ public class SubTypeValidator + // [databind#2798]: com.pastdev.httpcomponents: + s.add("com.pastdev.httpcomponents.configuration.JndiConfiguration"); + ++ // [databind#2986]: dbcp2 ++ s.add("org.apache.commons.dbcp2.datasources.PerUserPoolDataSource"); ++ s.add("org.apache.commons.dbcp2.datasources.SharedPoolDataSource"); ++ + DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s); + } + diff --git a/CVE-2020-35728.patch b/CVE-2020-35728.patch new file mode 100644 index 0000000..43aae3c --- /dev/null +++ b/CVE-2020-35728.patch @@ -0,0 +1,24 @@ +From 1ca0388c2fb37ac6a06f1c188ae89c41e3e15e84 Mon Sep 17 00:00:00 2001 +From: Tatu Saloranta +Date: Sat, 26 Dec 2020 14:20:53 -0800 +Subject: [PATCH] Fixed #2999 + +--- + .../jackson/databind/jsontype/impl/SubTypeValidator.java | 4 ++++ + 1 files changed, 4 insertions(+) + +diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java +index f044a6cbdf..0ec8a75bae 100644 +--- a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java ++++ b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java +@@ -206,6 +206,10 @@ public class SubTypeValidator + s.add("org.apache.commons.dbcp2.datasources.PerUserPoolDataSource"); + s.add("org.apache.commons.dbcp2.datasources.SharedPoolDataSource"); + ++ // [databind#2999]: org.glassfish.web/javax.servlet.jsp.jstl (embedded Xalan) ++ // (derivative of #2469) ++ s.add("com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool"); ++ + DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s); + } + diff --git a/jackson-databind.spec b/jackson-databind.spec index 2405a52..05c9a11 100644 --- a/jackson-databind.spec +++ b/jackson-databind.spec @@ -1,6 +1,6 @@ Name: jackson-databind Version: 2.9.8 -Release: 3 +Release: 4 Summary: General data-binding package for Jackson (2.x) License: ASL 2.0 and LGPLv2+ URL: https://github.com/FasterXML/jackson-databind/ @@ -38,6 +38,8 @@ Patch0029: CVE-2020-14195.patch Patch0030: CVE-2020-24750.patch Patch0031: CVE-2020-24616.patch Patch0032: CVE-2020-25649.patch +Patch0033: CVE-2020-35490-CVE-2020-35491.patch +Patch0034: CVE-2020-35728.patch BuildRequires: maven-local mvn(com.fasterxml.jackson.core:jackson-annotations) >= %{version} BuildRequires: mvn(com.fasterxml.jackson.core:jackson-core) >= %{version} @@ -90,6 +92,9 @@ rm src/test/java/com/fasterxml/jackson/databind/ser/jdk/JDKTypeSerializationTest %license LICENSE NOTICE %changelog +* Mon Jan 11 2021 wangxiao - 2.9.8-4 +- fix CVE-2020-35490 CVE-2020-35491 CVE-2020-35728 + * Sat Dec 12 2020 zhanghua - 2.9.8-3 - fix CVE-2020-25649