!1 upgrade to 2.9.8

Merge pull request !1 from jackie_wu123/master

CVE-2018-7489.patch

@@ -1,58 +0,0 @@
-diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
-index 164ab3454..bdd3b2f4e 100644
---- a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
-+++ b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
-@@ -19,7 +19,10 @@ import com.fasterxml.jackson.databind.JsonMappingException;
-  */
- public class SubTypeValidator
- {
--    protected final static String PREFIX_STRING = "org.springframework.";
-+    protected final static String PREFIX_SPRING = "org.springframework.";
-+
-+    protected final static String PREFIX_C3P0 = "com.mchange.v2.c3p0.";
-+
-     /**
-      * Set of well-known "nasty classes", deserialization of which is considered dangerous
-      * and should (and is) prevented by default.
-@@ -46,8 +49,9 @@ public class SubTypeValidator
-         // [databind#1737]; 3rd party
- //s.add("org.springframework.aop.support.AbstractBeanFactoryPointcutAdvisor"); // deprecated by [databind#1855]
-         s.add("org.springframework.beans.factory.config.PropertyPathFactoryBean");
--        s.add("com.mchange.v2.c3p0.JndiRefForwardingDataSource");
--        s.add("com.mchange.v2.c3p0.WrapperConnectionPoolDataSource");
-+
-+// s.add("com.mchange.v2.c3p0.JndiRefForwardingDataSource"); // deprecated by [databind#1931]
-+// s.add("com.mchange.v2.c3p0.WrapperConnectionPoolDataSource"); // - "" -
-         // [databind#1855]: more 3rd party
-         s.add("org.apache.tomcat.dbcp.dbcp2.BasicDataSource");
-         s.add("com.sun.org.apache.bcel.internal.util.ClassLoader");
-@@ -86,8 +90,10 @@ public class SubTypeValidator
-             // 18-Dec-2017, tatu: As per [databind#1855], need bit more sophisticated handling
-             //    for some Spring framework types
-             // 05-Jan-2017, tatu: ... also, only applies to classes, not interfaces
--            if (!raw.isInterface() && full.startsWith(PREFIX_STRING)) {
--                for (Class<?> cls = raw; (cls != null) && (cls != Object.class); cls = cls.getSuperclass()) {
-+            if (raw.isInterface()) {
-+                ;
-+            } else if (full.startsWith(PREFIX_SPRING)) {
-+                for (Class<?> cls = raw; (cls != null) && (cls != Object.class); cls = cls.getSuperclass()){
-                     String name = cls.getSimpleName();
-                     // looking for "AbstractBeanFactoryPointcutAdvisor" but no point to allow any is there?
-                     if ("AbstractPointcutAdvisor".equals(name)
-@@ -96,6 +102,16 @@ public class SubTypeValidator
-                         break main_check;
-                     }
-                 }
-+            } else if (full.startsWith(PREFIX_C3P0)) {
-+                // [databind#1737]; more 3rd party
-+                // s.add("com.mchange.v2.c3p0.JndiRefForwardingDataSource");
-+                // s.add("com.mchange.v2.c3p0.WrapperConnectionPoolDataSource");
-+                // [databind#1931]; more 3rd party
-+                // com.mchange.v2.c3p0.ComboPooledDataSource
-+                // com.mchange.v2.c3p0.debug.AfterCloseLoggingComboPooledDataSource 
-+                if (full.endsWith("DataSource")) {
-+                    break main_check;
-+                }
-             }
-             return;
-         } while (false);

jackson-databind.spec

@@ -1,52 +1,45 @@
-%global main_res_dir src/main/resources/META-INF
-%global test_com_dir src/test/java/com/fasterxml/jackson/databind
-
-Name:          jackson-databind
-Version:       2.9.4
-Release:       5
-Summary:       General data-binding package for Jackson (2.x)
-License:       ASL 2.0 and LGPLv2+
-URL:           https://github.com/FasterXML/jackson-databind/
-Source0:       https://github.com/FasterXML/jackson-databind/archive/%{name}-%{version}.tar.gz
-Patch0:        CVE-2018-7489.patch
-
-BuildRequires:  mvn(org.powermock:powermock-module-junit4)
-BuildRequires:  mvn(org.powermock:powermock-api-mockito)
-BuildRequires:  mvn(org.apache.felix:maven-bundle-plugin)
-BuildRequires:  mvn(com.google.code.maven-replacer-plugin:replacer)
-BuildRequires:  mvn(com.fasterxml.jackson:jackson-base:pom:) >= %{version}
-BuildRequires:  mvn(com.fasterxml.jackson.core:jackson-core) >= %{version}
-BuildRequires:  mvn(com.fasterxml.jackson.core:jackson-annotations) >= %{version}
-BuildRequires:  maven-local
-
-BuildArch:      noarch
-
-Provides:       jackson-core-javadoc
-Obsoletes:      jackson-core-javadoc
-
+Name:                jackson-databind
+Version:             2.9.8
+Release:             1
+Summary:             General data-binding package for Jackson (2.x)
+License:             ASL 2.0 and LGPLv2+
+URL:                 https://github.com/FasterXML/jackson-databind/
+Source0:             https://github.com/FasterXML/jackson-databind/archive/%{name}-%{version}.tar.gz
+BuildRequires:       maven-local mvn(com.fasterxml.jackson.core:jackson-annotations) >= %{version}
+BuildRequires:       mvn(com.fasterxml.jackson.core:jackson-core) >= %{version}
+BuildRequires:       mvn(com.fasterxml.jackson:jackson-base:pom:) >= %{version}
+BuildRequires:       mvn(com.google.code.maven-replacer-plugin:replacer)
+BuildRequires:       mvn(org.apache.felix:maven-bundle-plugin)
+BuildRequires:       mvn(org.powermock:powermock-api-mockito)
+BuildRequires:       mvn(org.powermock:powermock-module-junit4)
+BuildArch:           noarch
 %description
 The general-purpose data-binding functionality and tree-model for Jackson Data
 Processor. It builds on core streaming parser/generator package, and uses
 Jackson Annotations for configuration.
 
+%package javadoc
+Summary:             Javadoc for %{name}
+%description javadoc
+This package contains API documentation for %{name}.
+
 %prep
-%autosetup -n %{name}-%{name}-%{version} -p1
-
+%setup -q -n %{name}-%{name}-%{version}
+# Remove plugins unnecessary for RPM builds
 %pom_remove_plugin ":maven-enforcer-plugin"
-
-cp -p %{main_res_dir}/LICENSE .
-cp -p %{main_res_dir}/NOTICE .
+cp -p src/main/resources/META-INF/LICENSE .
+cp -p src/main/resources/META-INF/NOTICE .
 sed -i 's/\r//' LICENSE NOTICE
-
+# unavailable test deps
 %pom_remove_dep javax.measure:jsr-275
-rm %{test_com_dir}/introspect/NoClassDefFoundWorkaroundTest.java
+rm src/test/java/com/fasterxml/jackson/databind/introspect/NoClassDefFoundWorkaroundTest.java
 %pom_xpath_remove pom:classpathDependencyExcludes
-
-rm %{test_com_dir}/type/TestTypeFactoryWithClassLoader.java
-rm %{test_com_dir}/ser/jdk/JDKTypeSerializationTest.java
-rm %{test_com_dir}/deser/jdk/JDKStringLikeTypesTest.java
-rm %{test_com_dir}/TestJDKSerialization.java
-
+# org.powermock.reflect.exceptions.FieldNotFoundException: Field 'fTestClass' was not found in class org.junit.internal.runners.MethodValidator.
+rm src/test/java/com/fasterxml/jackson/databind/type/TestTypeFactoryWithClassLoader.java
+# Off test that require connection with the web
+rm src/test/java/com/fasterxml/jackson/databind/ser/jdk/JDKTypeSerializationTest.java \
+ src/test/java/com/fasterxml/jackson/databind/deser/jdk/JDKStringLikeTypesTest.java \
+ src/test/java/com/fasterxml/jackson/databind/TestJDKSerialization.java
 %mvn_file : %{name}
 
 %build
@@ -57,10 +50,14 @@ rm %{test_com_dir}/TestJDKSerialization.java
 
 %files -f .mfiles
 %doc README.md release-notes/*
-%doc %{_javadocdir}/%{name}
 %license LICENSE NOTICE
 
+%files javadoc -f .mfiles-javadoc
+%license LICENSE NOTICE
 
 %changelog
+* Fri Aug 28 2020 wutao <wutao61@huawei.com> - 2.9.8-1
+- upgrade to 2.9.8
+
 * Tue Dec 3 2019 huyan <hu.huyan@huawei.com> - 2.9.4-4
 - Package Initialization

jackson-databind.yaml

@@ -0,0 +1,4 @@
+version_control: github
+src_repo: FasterXML/jackson-databind
+tag_prefix: "^jackson-databind-"
+seperator: "."