packages/jackson-databind
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!26 fix CVE-2021-20190

Browse Source 
From: @wang_yue111
Reviewed-by: @wangxiao65,@small_leek,@wangchong1995924
Signed-off-by: @small_leek,@wangchong1995924
This commit is contained in:
openeuler-ci-bot 2021-01-28 09:30:44 +08:00 committed by Gitee
commit 4750555466
2 changed files with 28 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
CVE-2021-20190.patch Normal file
View File

@ -0,0 +1,23 @@
From 7dbf51bf78d157098074a20bd9da39bd48c18e4a Mon Sep 17 00:00:00 2001
From: Tatu Saloranta <tatu.saloranta@iki.fi>
Date: Thu, 17 Sep 2020 20:11:25 -0700
Subject: [PATCH] Fix #2854
---
.../jackson/databind/jsontype/impl/SubTypeValidator.java | 3 ++-
diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
index dc706429cf..a8b5cb1ba3 100644
--- a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+++ b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
@@ -143,8 +143,9 @@
// [databind#2814]: anteros-dbcp
s.add("br.com.anteros.dbcp.AnterosDBCPDataSource");
- // [databind#2642]: javax.swing (jdk)
+ // [databind#2642][databind#2854]: javax.swing (jdk)
s.add("javax.swing.JEditorPane");
+ s.add("javax.swing.JTextPane");
// [databind#2648], [databind#2653]: shire-core
s.add("org.apache.shiro.realm.jndi.JndiRealmFactory");

6
jackson-databind.spec
View File

@ -1,6 +1,6 @@
Name: jackson-databind Name: jackson-databind
Version: 2.9.8 Version: 2.9.8
Release: 7 Release: 8
Summary: General data-binding package for Jackson (2.x) Summary: General data-binding package for Jackson (2.x)
License: ASL 2.0 and LGPLv2+ License: ASL 2.0 and LGPLv2+
URL: https://github.com/FasterXML/jackson-databind/ URL: https://github.com/FasterXML/jackson-databind/
@ -46,6 +46,7 @@ Patch0037: CVE-2020-36187-CVE-2020-36186.patch
#The CVE-2020-36179-36180-36181-36182.patch is used to fix CVE-2020-36179 and CVE-2020-36180 and CVE-2020-36181 and CVE-2020-36182 #The CVE-2020-36179-36180-36181-36182.patch is used to fix CVE-2020-36179 and CVE-2020-36180 and CVE-2020-36181 and CVE-2020-36182
Patch0038: CVE-2020-36179-36180-36181-36182.patch Patch0038: CVE-2020-36179-36180-36181-36182.patch
Patch0039: CVE-2020-36183.patch Patch0039: CVE-2020-36183.patch
Patch0040: CVE-2021-20190.patch
BuildRequires: maven-local mvn(com.fasterxml.jackson.core:jackson-annotations) >= %{version} BuildRequires: maven-local mvn(com.fasterxml.jackson.core:jackson-annotations) >= %{version}
BuildRequires: mvn(com.fasterxml.jackson.core:jackson-core) >= %{version} BuildRequires: mvn(com.fasterxml.jackson.core:jackson-core) >= %{version}
@ -98,6 +99,9 @@ rm src/test/java/com/fasterxml/jackson/databind/ser/jdk/JDKTypeSerializationTest
%license LICENSE NOTICE %license LICENSE NOTICE
%changelog %changelog
* Wed Jan 27 2021 wangyue <wangyue92@huawei.com> - 2.9.8-8
- fix CVE-2021-20190
* Fri Jan 22 2021 wangyue <wangyue92@huawei.com> - 2.9.8-7 * Fri Jan 22 2021 wangyue <wangyue92@huawei.com> - 2.9.8-7
- fix CVE-2020-36179 CVE-2020-36180 CVE-2020-36181 - fix CVE-2020-36179 CVE-2020-36180 CVE-2020-36181
CVE-2020-36182 CVE-2020-36183 CVE-2020-36184 CVE-2020-36182 CVE-2020-36183 CVE-2020-36184