diff --git a/CVE-2018-7489.patch b/CVE-2018-7489.patch
deleted file mode 100644
index b8a9803..0000000
--- a/CVE-2018-7489.patch
+++ /dev/null
@@ -1,58 +0,0 @@
-diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
-index 164ab3454..bdd3b2f4e 100644
---- a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
-+++ b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
-@@ -19,7 +19,10 @@ import com.fasterxml.jackson.databind.JsonMappingException;
- */
- public class SubTypeValidator
- {
-- protected final static String PREFIX_STRING = "org.springframework.";
-+ protected final static String PREFIX_SPRING = "org.springframework.";
-+
-+ protected final static String PREFIX_C3P0 = "com.mchange.v2.c3p0.";
-+
- /**
- * Set of well-known "nasty classes", deserialization of which is considered dangerous
- * and should (and is) prevented by default.
-@@ -46,8 +49,9 @@ public class SubTypeValidator
- // [databind#1737]; 3rd party
- //s.add("org.springframework.aop.support.AbstractBeanFactoryPointcutAdvisor"); // deprecated by [databind#1855]
- s.add("org.springframework.beans.factory.config.PropertyPathFactoryBean");
-- s.add("com.mchange.v2.c3p0.JndiRefForwardingDataSource");
-- s.add("com.mchange.v2.c3p0.WrapperConnectionPoolDataSource");
-+
-+// s.add("com.mchange.v2.c3p0.JndiRefForwardingDataSource"); // deprecated by [databind#1931]
-+// s.add("com.mchange.v2.c3p0.WrapperConnectionPoolDataSource"); // - "" -
- // [databind#1855]: more 3rd party
- s.add("org.apache.tomcat.dbcp.dbcp2.BasicDataSource");
- s.add("com.sun.org.apache.bcel.internal.util.ClassLoader");
-@@ -86,8 +90,10 @@ public class SubTypeValidator
- // 18-Dec-2017, tatu: As per [databind#1855], need bit more sophisticated handling
- // for some Spring framework types
- // 05-Jan-2017, tatu: ... also, only applies to classes, not interfaces
-- if (!raw.isInterface() && full.startsWith(PREFIX_STRING)) {
-- for (Class cls = raw; (cls != null) && (cls != Object.class); cls = cls.getSuperclass()) {
-+ if (raw.isInterface()) {
-+ ;
-+ } else if (full.startsWith(PREFIX_SPRING)) {
-+ for (Class cls = raw; (cls != null) && (cls != Object.class); cls = cls.getSuperclass()){
- String name = cls.getSimpleName();
- // looking for "AbstractBeanFactoryPointcutAdvisor" but no point to allow any is there?
- if ("AbstractPointcutAdvisor".equals(name)
-@@ -96,6 +102,16 @@ public class SubTypeValidator
- break main_check;
- }
- }
-+ } else if (full.startsWith(PREFIX_C3P0)) {
-+ // [databind#1737]; more 3rd party
-+ // s.add("com.mchange.v2.c3p0.JndiRefForwardingDataSource");
-+ // s.add("com.mchange.v2.c3p0.WrapperConnectionPoolDataSource");
-+ // [databind#1931]; more 3rd party
-+ // com.mchange.v2.c3p0.ComboPooledDataSource
-+ // com.mchange.v2.c3p0.debug.AfterCloseLoggingComboPooledDataSource
-+ if (full.endsWith("DataSource")) {
-+ break main_check;
-+ }
- }
- return;
- } while (false);
diff --git a/jackson-databind-2.9.4.tar.gz b/jackson-databind-2.9.4.tar.gz
deleted file mode 100644
index b7a2e06..0000000
Binary files a/jackson-databind-2.9.4.tar.gz and /dev/null differ
diff --git a/jackson-databind-2.9.8.tar.gz b/jackson-databind-2.9.8.tar.gz
new file mode 100644
index 0000000..94bfec2
Binary files /dev/null and b/jackson-databind-2.9.8.tar.gz differ
diff --git a/jackson-databind.spec b/jackson-databind.spec
index e00e044..31cee45 100644
--- a/jackson-databind.spec
+++ b/jackson-databind.spec
@@ -1,52 +1,45 @@ -%global main_res_dir src/main/resources/META-INF -%global test_com_dir src/test/java/com/fasterxml/jackson/databind - -Name: jackson-databind -Version: 2.9.4 -Release: 5 -Summary: General data-binding package for Jackson (2.x) -License: ASL 2.0 and LGPLv2+ -URL: https://github.com/FasterXML/jackson-databind/ -Source0: https://github.com/FasterXML/jackson-databind/archive/%{name}-%{version}.tar.gz -Patch0: CVE-2018-7489.patch - -BuildRequires: mvn(org.powermock:powermock-module-junit4) -BuildRequires: mvn(org.powermock:powermock-api-mockito) -BuildRequires: mvn(org.apache.felix:maven-bundle-plugin) -BuildRequires: mvn(com.google.code.maven-replacer-plugin:replacer) -BuildRequires: mvn(com.fasterxml.jackson:jackson-base:pom:) >= %{version} -BuildRequires: mvn(com.fasterxml.jackson.core:jackson-core) >= %{version} -BuildRequires: mvn(com.fasterxml.jackson.core:jackson-annotations) >= %{version} -BuildRequires: maven-local - -BuildArch: noarch - -Provides: jackson-core-javadoc -Obsoletes: jackson-core-javadoc - +Name: jackson-databind +Version: 2.9.8 +Release: 1 +Summary: General data-binding package for Jackson (2.x) +License: ASL 2.0 and LGPLv2+ +URL: https://github.com/FasterXML/jackson-databind/ +Source0: https://github.com/FasterXML/jackson-databind/archive/%{name}-%{version}.tar.gz +BuildRequires: maven-local mvn(com.fasterxml.jackson.core:jackson-annotations) >= %{version} +BuildRequires: mvn(com.fasterxml.jackson.core:jackson-core) >= %{version} +BuildRequires: mvn(com.fasterxml.jackson:jackson-base:pom:) >= %{version} +BuildRequires: mvn(com.google.code.maven-replacer-plugin:replacer) +BuildRequires: mvn(org.apache.felix:maven-bundle-plugin) +BuildRequires: mvn(org.powermock:powermock-api-mockito) +BuildRequires: mvn(org.powermock:powermock-module-junit4) +BuildArch: noarch %description The general-purpose data-binding functionality and tree-model for Jackson Data Processor. 
It builds on core streaming parser/generator package, and uses Jackson Annotations for configuration. +%package javadoc +Summary: Javadoc for %{name} +%description javadoc +This package contains API documentation for %{name}. + %prep -%autosetup -n %{name}-%{name}-%{version} -p1 - +%setup -q -n %{name}-%{name}-%{version} +# Remove plugins unnecessary for RPM builds %pom_remove_plugin ":maven-enforcer-plugin" - -cp -p %{main_res_dir}/LICENSE . -cp -p %{main_res_dir}/NOTICE . +cp -p src/main/resources/META-INF/LICENSE . +cp -p src/main/resources/META-INF/NOTICE . sed -i 's/\r//' LICENSE NOTICE - +# unavailable test deps %pom_remove_dep javax.measure:jsr-275 -rm %{test_com_dir}/introspect/NoClassDefFoundWorkaroundTest.java +rm src/test/java/com/fasterxml/jackson/databind/introspect/NoClassDefFoundWorkaroundTest.java %pom_xpath_remove pom:classpathDependencyExcludes - -rm %{test_com_dir}/type/TestTypeFactoryWithClassLoader.java -rm %{test_com_dir}/ser/jdk/JDKTypeSerializationTest.java -rm %{test_com_dir}/deser/jdk/JDKStringLikeTypesTest.java -rm %{test_com_dir}/TestJDKSerialization.java - +# org.powermock.reflect.exceptions.FieldNotFoundException: Field 'fTestClass' was not found in class org.junit.internal.runners.MethodValidator. +rm src/test/java/com/fasterxml/jackson/databind/type/TestTypeFactoryWithClassLoader.java +# Off test that require connection with the web +rm src/test/java/com/fasterxml/jackson/databind/ser/jdk/JDKTypeSerializationTest.java \ + src/test/java/com/fasterxml/jackson/databind/deser/jdk/JDKStringLikeTypesTest.java \ + src/test/java/com/fasterxml/jackson/databind/TestJDKSerialization.java %mvn_file : %{name} %build 
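Review bot: The removal of `Patch0: CVE-2018-7489.patch` is not recorded anywhere in the spec, and the `%changelog` entry added in the next hunk says only `- upgrade to 2.9.8`; please extend it with a line such as `- drop CVE-2018-7489.patch, fix is part of the upstream release` once the c3p0 `DataSource` check in `SubTypeValidator` has been confirmed in the 2.9.8 tarball, so that a later audit or CVE scan of the package can account for the missing patch. Replacing `%autosetup -n %{name}-%{name}-%{version} -p1` with `%setup -q` in `%prep` means a `PatchN:` line added later is not applied unless someone also adds the matching `%patch` line, which lets a security backport be listed in the spec but never built in; keeping `%autosetup ... -p1` avoids that. The check being dropped is one entry in a class deny-list that upstream kept extending in later 2.9.x releases, so it is worth confirming that 2.9.8 is the newest version the distribution can carry.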
@@ -57,10 +50,14 @@ rm %{test_com_dir}/TestJDKSerialization.java %files -f .mfiles %doc README.md release-notes/* -%doc %{_javadocdir}/%{name} %license LICENSE NOTICE +%files javadoc -f .mfiles-javadoc +%license LICENSE NOTICE %changelog +* Fri Aug 28 2020 wutao - 2.9.8-1 +- upgrade to 2.9.8 + * Tue Dec 3 2019 huyan - 2.9.4-4 - Package Initialization diff --git a/jackson-databind.yaml b/jackson-databind.yaml new file mode 100644 index 0000000..a02d513 --- /dev/null +++ b/jackson-databind.yaml @@ -0,0 +1,4 @@ +version_control: github +src_repo: FasterXML/jackson-databind +tag_prefix: "^jackson-databind-" +seperator: "."