!2 fix cves

From: @wangxiao65
Reviewed-by: @luo-haibo
Signed-off-by: @luo-haibo

CVE-2019-12086.patch

@@ -0,0 +1,26 @@
+From dda513bd7251b4f32b7b60b1c13740e3b5a43024 Mon Sep 17 00:00:00 2001
+From: Tatu Saloranta <tatu.saloranta@iki.fi>
+Date: Tue, 14 May 2019 07:42:10 -0700
+Subject: [PATCH] Fix #2326
+
+---
+ .../jackson/databind/jsontype/impl/SubTypeValidator.java       | 3 +++
+ 1 files changed, 3 insertions(+)
+ 
+diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+index 30adb9471..a17cdf5b7 100644
+--- a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
++++ b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+@@ -80,6 +80,9 @@ public class SubTypeValidator
+         s.add("org.apache.openjpa.ee.JNDIManagedRuntime");
+         s.add("org.apache.axis2.transport.jms.JMSOutTransportInfo");
+ 
++        // [databind#2326] (2.9.9): one more 3rd party gadget
++        s.add("com.mysql.cj.jdbc.admin.MiniAdmin");
++
+         DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
+     }
+ 
+-- 
+2.23.0
+

CVE-2019-12384.patch

@@ -0,0 +1,26 @@
+From c9ef4a10d6f6633cf470d6a469514b68fa2be234 Mon Sep 17 00:00:00 2001
+From: Tatu Saloranta <tatu.saloranta@iki.fi>
+Date: Wed, 12 Jun 2019 22:20:12 -0700
+Subject: [PATCH] Fix #2334
+
+---
+ .../jackson/databind/jsontype/impl/SubTypeValidator.java       | 3 +++
+ 1 files changed, 3 insertions(+)
+
+diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+index 08b541747e..102abb6e24 100644
+--- a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
++++ b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+@@ -80,9 +80,11 @@ public class SubTypeValidator
+         s.add("org.apache.openjpa.ee.JNDIManagedRuntime");
+         s.add("org.apache.axis2.transport.jms.JMSOutTransportInfo");
+ 
+-        // [databind#2326] (2.9.9): one more 3rd party gadget
++        // [databind#2326] (2.9.9)
+         s.add("com.mysql.cj.jdbc.admin.MiniAdmin");
+ 
++        // [databind#2334] (2.9.9.1): logback-core
++        s.add("ch.qos.logback.core.db.DriverManagerConnectionSource");
+         DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
+     }
+ 

CVE-2019-12814.patch

@@ -0,0 +1,28 @@
+From 5f7c69bba07a7155adde130d9dee2e54a54f1fa5 Mon Sep 17 00:00:00 2001
+From: Tatu Saloranta <tatu.saloranta@iki.fi>
+Date: Thu, 13 Jun 2019 20:24:03 -0700
+Subject: [PATCH] Fix #2341
+
+---
+ .../jackson/databind/jsontype/impl/SubTypeValidator.java  | 8 ++++++--
+ 1 files changed, 6 insertions(+), 2 deletions(-)
+ 
+diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+index 102abb6e2..c4d7f3827 100644
+--- a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
++++ b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+@@ -83,8 +83,13 @@ public class SubTypeValidator
+         // [databind#2326] (2.9.9)
+         s.add("com.mysql.cj.jdbc.admin.MiniAdmin");
+ 
+-        // [databind#2334] (2.9.9.1): logback-core
++        // [databind#2334] (2.9.9.1)
+         s.add("ch.qos.logback.core.db.DriverManagerConnectionSource");
++
++        // [databind#2341]: jdom/jdom2
++        s.add("org.jdom.transform.XSLTransformer");
++        s.add("org.jdom2.transform.XSLTransformer");
++
+         DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
+     }
+ 

CVE-2019-14379-CVE-2019-14439.patch

@@ -0,0 +1,29 @@
+From ad418eeb974e357f2797aef64aa0e3ffaaa6125b Mon Sep 17 00:00:00 2001
+From: Tatu Saloranta <tatu.saloranta@iki.fi>
+Date: Thu, 25 Jul 2019 21:58:11 -0700
+Subject: [PATCH] Backport #2387, #2389 fixes
+
+---
+ .../jackson/databind/jsontype/impl/SubTypeValidator.java    | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+index c4d7f3827..fa7ff2368 100644
+--- a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
++++ b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+@@ -90,6 +90,12 @@ public class SubTypeValidator
+         s.add("org.jdom.transform.XSLTransformer");
+         s.add("org.jdom2.transform.XSLTransformer");
+ 
++        // [databind#2387]: EHCache
++        s.add("net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup");
++
++        // [databind#2389]: logback/jndi
++        s.add("ch.qos.logback.core.db.JNDIConnectionSource");
++
+         DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
+     }
+ 
+-- 
+2.23.0
+

CVE-2019-14540.patch

@@ -0,0 +1,29 @@
+From d4983c740fec7d5576b207a8c30a63d3ea7443de Mon Sep 17 00:00:00 2001
+From: Tatu Saloranta <tatu.saloranta@iki.fi>
+Date: Fri, 9 Aug 2019 16:37:40 -0700
+Subject: [PATCH] Fix #2410 #2420
+
+---
+ .../jackson/databind/jsontype/impl/SubTypeValidator.java   | 6 ++++++
+ 1 files changed, 6 insertions(+)
+
+diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+index 93182b5f4..0abadfdf3 100644
+--- a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
++++ b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+@@ -96,6 +96,12 @@ public class SubTypeValidator
+         // [databind#2389]: logback/jndi
+         s.add("ch.qos.logback.core.db.JNDIConnectionSource");
+ 
++        // [databind#2410]: HikariCP/metricRegistry config
++        s.add("com.zaxxer.hikari.HikariConfig");
++
++        // [databind#2420]: CXF/JAX-RS provider/XSLT
++        s.add("org.apache.cxf.jaxrs.provider.XSLTJaxbProvider");
++        
+         DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
+     }
+ 
+-- 
+2.23.0
+

CVE-2019-14892.patch

@@ -0,0 +1,29 @@
+From 41b7f9b90149e9d44a65a8261a8deedc7186f6af Mon Sep 17 00:00:00 2001
+From: Tatu Saloranta <tatu.saloranta@iki.fi>
+Date: Thu, 19 Sep 2019 22:57:18 -0700
+Subject: [PATCH] Actual #2462 fix (prev commit only updates release notes)
+
+---
+ .../jackson/databind/jsontype/impl/SubTypeValidator.java    | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+index 594bb2029..8117f11ad 100644
+--- a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
++++ b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+@@ -104,7 +104,11 @@ public class SubTypeValidator
+ 
+         // [databind#2420]: CXF/JAX-RS provider/XSLT
+         s.add("org.apache.cxf.jaxrs.provider.XSLTJaxbProvider");
+-        
++
++        // [databind#2462]: commons-configuration / -2
++        s.add("org.apache.commons.configuration.JNDIConfiguration");
++        s.add("org.apache.commons.configuration2.JNDIConfiguration");
++
+         DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
+     }
+ 
+-- 
+2.23.0
+

CVE-2019-14893.patch

@@ -0,0 +1,26 @@
+From 998efd708284778f29d83d7962a9bd935c228317 Mon Sep 17 00:00:00 2001
+From: Tatu Saloranta <tatu.saloranta@iki.fi>
+Date: Thu, 19 Sep 2019 23:25:50 -0700
+Subject: [PATCH] Fix #2469
+
+---
+ .../jackson/databind/jsontype/impl/SubTypeValidator.java       | 3 +++
+ 1 files changed, 3 insertions(+)
+
+diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+index 8117f11ad..4fad2d012 100644
+--- a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
++++ b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+@@ -111,6 +111,9 @@ public class SubTypeValidator
+         s.add("org.apache.commons.configuration.JNDIConfiguration");
+         s.add("org.apache.commons.configuration2.JNDIConfiguration");
+ 
++        // [databind#2469]: xalan2
++        s.add("org.apache.xalan.lib.sql.JNDIConnectionPool");
++
+         DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
+     }
+ 
+-- 
+2.23.0
+

CVE-2019-16335.patch

@@ -0,0 +1,25 @@
+From 73c1c2cc76e6cdd7f3a5615cbe3207fe96e4d3db Mon Sep 17 00:00:00 2001
+From: Tatu Saloranta <tatu.saloranta@iki.fi>
+Date: Thu, 12 Sep 2019 13:06:31 -0700
+Subject: [PATCH] Fix #2449
+
+---
+ .../jackson/databind/jsontype/impl/SubTypeValidator.java      | 2 ++
+ 1 files changed, 2 insertions(+)
+ 
+diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+index 0abadfdf3..31f070ce5 100644
+--- a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
++++ b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+@@ -98,6 +98,8 @@ public class SubTypeValidator
+ 
+         // [databind#2410]: HikariCP/metricRegistry config
+         s.add("com.zaxxer.hikari.HikariConfig");
++        // [databind#2449]: and sub-class thereof
++        s.add("com.zaxxer.hikari.HikariDataSource");
+ 
+         // [databind#2420]: CXF/JAX-RS provider/XSLT
+         s.add("org.apache.cxf.jaxrs.provider.XSLTJaxbProvider");
+-- 
+2.23.0
+

CVE-2019-16942-CVE-2019-16943-1.patch

@@ -0,0 +1,27 @@
+From 9593e16cf5a3d289a9c584f7123639655de9ddac Mon Sep 17 00:00:00 2001
+From: Tatu Saloranta <tatu.saloranta@iki.fi>
+Date: Sat, 28 Sep 2019 18:39:17 -0700
+Subject: [PATCH] Fix #2478 (cve)
+
+---
+ .../jackson/databind/jsontype/impl/SubTypeValidator.java      | 4 ++++
+ 1 files changed, 4 insertions(+)
+
+diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+index 4fad2d012..4e7f162f4 100644
+--- a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
++++ b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+@@ -114,6 +114,10 @@ public class SubTypeValidator
+         // [databind#2469]: xalan2
+         s.add("org.apache.xalan.lib.sql.JNDIConnectionPool");
+ 
++        // [databind#2478]: comons-dbcp, p6spy
++        s.add("org.apache.commons.dbcp.datasources.SharedPoolDataSource");
++        s.add("com.p6spy.engine.spy.P6DataSource");
++
+         DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
+     }
+ 
+-- 
+2.23.0
+

CVE-2019-16942-CVE-2019-16943-2.patch

@@ -0,0 +1,24 @@
+From 328a0f833daf6baa443ac3b37c818a0204714b0b Mon Sep 17 00:00:00 2001
+From: Tatu Saloranta <tatu.saloranta@iki.fi>
+Date: Sat, 28 Sep 2019 20:10:09 -0700
+Subject: [PATCH] Complete #2478 fix
+
+---
+ .../jackson/databind/jsontype/impl/SubTypeValidator.java         | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+index 4e7f162f4..1e5cecaf6 100644
+--- a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
++++ b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+@@ -115,6 +115,7 @@ public class SubTypeValidator
+         s.add("org.apache.xalan.lib.sql.JNDIConnectionPool");
+ 
+         // [databind#2478]: comons-dbcp, p6spy
++        s.add("org.apache.commons.dbcp.datasources.PerUserPoolDataSource");
+         s.add("org.apache.commons.dbcp.datasources.SharedPoolDataSource");
+         s.add("com.p6spy.engine.spy.P6DataSource");
+ 
+-- 
+2.23.0
+

CVE-2019-17267.patch

@@ -0,0 +1,27 @@
+From 191a4cdf87b56d2ddddb77edd895ee756b7f75eb Mon Sep 17 00:00:00 2001
+From: Tatu Saloranta <tatu.saloranta@iki.fi>
+Date: Thu, 19 Sep 2019 21:45:58 -0700
+Subject: [PATCH] Fix #2460
+
+---
+ .../jackson/databind/jsontype/impl/SubTypeValidator.java       | 3 ++-
+ 1 files changed, 2 insertions(+), 1 deletion(-)
+ 
+diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+index 31f070ce5..594bb2029 100644
+--- a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
++++ b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+@@ -90,8 +90,9 @@ public class SubTypeValidator
+         s.add("org.jdom.transform.XSLTransformer");
+         s.add("org.jdom2.transform.XSLTransformer");
+ 
+-        // [databind#2387]: EHCache
++        // [databind#2387], [databind#2460]: EHCache
+         s.add("net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup");
++        s.add("net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup");
+ 
+         // [databind#2389]: logback/jndi
+         s.add("ch.qos.logback.core.db.JNDIConnectionSource");
+-- 
+2.23.0
+

CVE-2019-20330.patch

@@ -0,0 +1,27 @@
+From fc4214a883dc087070f25da738ef0d49c2f3387e Mon Sep 17 00:00:00 2001
+From: Tatu Saloranta <tatu.saloranta@iki.fi>
+Date: Fri, 1 Nov 2019 11:12:37 -0700
+Subject: [PATCH] Fix #2526
+
+---
+ .../jackson/databind/jsontype/impl/SubTypeValidator.java      | 4 ++++
+ 1 files changed, 4 insertions(+)
+ 
+diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+index 52882670c..1b616b26a 100644
+--- a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
++++ b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+@@ -121,6 +121,10 @@ public class SubTypeValidator
+         s.add("org.apache.log4j.receivers.db.DriverManagerConnectionSource");
+         s.add("org.apache.log4j.receivers.db.JNDIConnectionSource");
+ 
++        // [databind#2526]: some more ehcache
++        s.add("net.sf.ehcache.transaction.manager.selector.GenericJndiSelector");
++        s.add("net.sf.ehcache.transaction.manager.selector.GlassfishSelector");
++
+         DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
+     }
+ 
+-- 
+2.23.0
+

CVE-2020-10650.patch

@@ -0,0 +1,28 @@
+From a424c038ba0c0d65e579e22001dec925902ac0ef Mon Sep 17 00:00:00 2001
+From: Tatu Saloranta <tatu.saloranta@iki.fi>
+Date: Sun, 15 Mar 2020 17:28:51 -0700
+Subject: [PATCH] Fix #2658
+
+---
+ .../jackson/databind/jsontype/impl/SubTypeValidator.java     | 5 +++++
+ 1 files changed, 5 insertions(+)
+ 
+diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+index 08f06ed41..c935f3ce4 100644
+--- a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
++++ b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+@@ -142,6 +142,11 @@ public class SubTypeValidator
+         s.add("org.apache.shiro.realm.jndi.JndiRealmFactory");
+         s.add("org.apache.shiro.jndi.JndiObjectFactory");
+ 
++        // [databind#2658]: ignite-jta (, quartz-core)
++        s.add("org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup");
++        s.add("org.apache.ignite.cache.jta.jndi.CacheJndiTmFactory");
++        s.add("org.quartz.utils.JNDIConnectionProvider");
++
+         DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
+     }
+ 
+-- 
+2.23.0
+

CVE-2020-10672.patch

@@ -0,0 +1,26 @@
+From 592872f4235c7f2a3280725278da55544032f72d Mon Sep 17 00:00:00 2001
+From: Tatu Saloranta <tatu.saloranta@iki.fi>
+Date: Sun, 15 Mar 2020 18:10:55 -0700
+Subject: [PATCH] Fix #2659
+
+---
+ .../jackson/databind/jsontype/impl/SubTypeValidator.java       | 3 +++
+ 1 files changed, 3 insertions(+)
+ 
+diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+index c935f3ce4..36e60d89f 100644
+--- a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
++++ b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+@@ -147,6 +147,9 @@ public class SubTypeValidator
+         s.add("org.apache.ignite.cache.jta.jndi.CacheJndiTmFactory");
+         s.add("org.quartz.utils.JNDIConnectionProvider");
+ 
++        // [databind#2659]: aries.transaction.jms
++        s.add("org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory");
++
+         DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
+     }
+ 
+-- 
+2.23.0
+

CVE-2020-10673.patch

@@ -0,0 +1,28 @@
+From 1645efbd392989cf015f459a91c999e59c921b15 Mon Sep 17 00:00:00 2001
+From: Tatu Saloranta <tatu.saloranta@iki.fi>
+Date: Tue, 17 Mar 2020 22:08:30 -0700
+Subject: [PATCH] Fix #2660
+
+---
+ .../jackson/databind/jsontype/impl/SubTypeValidator.java      | 4 ++++
+ 1 files changed, 4 insertions(+)
+
+diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+index 36e60d89f..387733f61 100644
+--- a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
++++ b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+@@ -149,7 +149,11 @@ public class SubTypeValidator
+ 
+         // [databind#2659]: aries.transaction.jms
+         s.add("org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory");
++        s.add("org.apache.aries.transaction.jms.RecoverablePooledConnectionFactory");
+ 
++        // [databind#2660]: caucho-quercus
++        s.add("com.caucho.config.types.ResourceRef");
++        
+         DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
+     }
+ 
+-- 
+2.23.0
+

CVE-2020-10968-CVE-2020-11111-CVE-2020-11112.patch

@@ -0,0 +1,35 @@
+From 05d7e0e13f43e12db6a51726df12c8b4d8040676 Mon Sep 17 00:00:00 2001
+From: Tatu Saloranta <tatu.saloranta@iki.fi>
+Date: Wed, 25 Mar 2020 13:18:59 -0700
+Subject: [PATCH] Fix #2662, #2664, #2666
+
+---
+ .../databind/jsontype/impl/SubTypeValidator.java     | 12 +++++++++++-
+ 1 files changed, 11 insertions(+), 1 deletion(-)
+ 
+diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+index 387733f61..b2b6ee06e 100644
+--- a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
++++ b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+@@ -153,7 +153,17 @@ public class SubTypeValidator
+ 
+         // [databind#2660]: caucho-quercus
+         s.add("com.caucho.config.types.ResourceRef");
+-        
++
++        // [databind#2662]: aoju/bus-proxy
++        s.add("org.aoju.bus.proxy.provider.RmiProvider");
++        s.add("org.aoju.bus.proxy.provider.remoting.RmiProvider");
++
++        // [databind#2664]: activemq-jms
++        s.add("org.apache.activemq.jms.pool.XaPooledConnectionFactory");
++
++        // [databind#2666]: apache/commons-jms
++        s.add("org.apache.commons.proxy.provider.remoting.RmiProvider");
++
+         DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
+     }
+ 
+-- 
+2.23.0
+

CVE-2020-10969.patch

@@ -0,0 +1,26 @@
+From 4d038c9de0aa80a5dae27f552a975cb39cc42b60 Mon Sep 17 00:00:00 2001
+From: Tatu Saloranta <tatu.saloranta@iki.fi>
+Date: Tue, 3 Mar 2020 16:43:31 -0800
+Subject: [PATCH] Fix #2642
+
+---
+ .../jackson/databind/jsontype/impl/SubTypeValidator.java    | 3 +++
+ 1 files changed, 3 insertions(+)
+ 
+diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+index bf04f1bde..3b0de954a 100644
+--- a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
++++ b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+@@ -135,6 +135,9 @@ public class SubTypeValidator
+         s.add("com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig");
+         s.add("br.com.anteros.dbcp.AnterosDBCPConfig");
+ 
++        // [databind#2642]: javax.swing (jdk)
++        s.add("javax.swing.JEditorPane");
++
+         DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
+     }
+ 
+-- 
+2.23.0
+

CVE-2020-11111-2.patch

@@ -0,0 +1,38 @@
+From c14c9f99ed030dbd1440129585f03440c8758a99 Mon Sep 17 00:00:00 2001
+From: Tatu Saloranta <tatu.saloranta@iki.fi>
+Date: Thu, 26 Mar 2020 09:28:21 -0700
+Subject: [PATCH] Further additions wrt #2664
+
+---
+ .../databind/jsontype/impl/SubTypeValidator.java  | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+index b2b6ee06e..bda078752 100644
+--- a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
++++ b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+@@ -158,9 +158,18 @@ public class SubTypeValidator
+         s.add("org.aoju.bus.proxy.provider.RmiProvider");
+         s.add("org.aoju.bus.proxy.provider.remoting.RmiProvider");
+ 
+-        // [databind#2664]: activemq-jms
+-        s.add("org.apache.activemq.jms.pool.XaPooledConnectionFactory");
+-
++        // [databind#2664]: activemq-core, activemq-pool, activemq-pool-jms
++
++        s.add("org.apache.activemq.ActiveMQConnectionFactory"); // core
++        s.add("org.apache.activemq.ActiveMQXAConnectionFactory");
++        s.add("org.apache.activemq.spring.ActiveMQConnectionFactory");
++        s.add("org.apache.activemq.spring.ActiveMQXAConnectionFactory");
++        s.add("org.apache.activemq.pool.JcaPooledConnectionFactory"); // pool
++        s.add("org.apache.activemq.pool.PooledConnectionFactory");
++        s.add("org.apache.activemq.pool.XaPooledConnectionFactory");
++        s.add("org.apache.activemq.jms.pool.XaPooledConnectionFactory"); // pool-jms
++        s.add("org.apache.activemq.jms.pool.JcaPooledConnectionFactory");
++        
+         // [databind#2666]: apache/commons-jms
+         s.add("org.apache.commons.proxy.provider.remoting.RmiProvider");
+ 
+-- 
+2.23.0
+

CVE-2020-11113.patch

@@ -0,0 +1,29 @@
+From e2ba12d5d60715d95105e3e790fc234cfb59893d Mon Sep 17 00:00:00 2001
+From: Tatu Saloranta <tatu.saloranta@iki.fi>
+Date: Sat, 28 Mar 2020 12:52:17 -0700
+Subject: [PATCH] Fix #2670
+
+---
+ .../jackson/databind/jsontype/impl/SubTypeValidator.java       | 3 ++-
+ 1 files changed, 2 insertions(+), 1 deletion(-)
+ 
+diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+index bda078752..e3962ca72 100644
+--- a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
++++ b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+@@ -74,10 +74,11 @@ public class SubTypeValidator
+         s.add("com.sun.deploy.security.ruleset.DRSHelper");
+         s.add("org.apache.axis2.jaxws.spi.handler.HandlerResolverImpl");
+ 
+-        // [databind#2186]: yet more 3rd party gadgets
++        // [databind#2186], [databind#2670]: yet more 3rd party gadgets
+         s.add("org.jboss.util.propertyeditor.DocumentEditor");
+         s.add("org.apache.openjpa.ee.RegistryManagedRuntime");
+         s.add("org.apache.openjpa.ee.JNDIManagedRuntime");
++        s.add("org.apache.openjpa.ee.WASRegistryManagedRuntime"); // [#2670] addition
+         s.add("org.apache.axis2.transport.jms.JMSOutTransportInfo");
+ 
+         // [databind#2326] (2.9.9)
+-- 
+2.23.0
+

CVE-2020-11619.patch

@@ -0,0 +1,26 @@
+From 113e89fb08b1b6b072d60b3e4737ed407c13db9a Mon Sep 17 00:00:00 2001
+From: Tatu Saloranta <tatu.saloranta@iki.fi>
+Date: Mon, 6 Apr 2020 19:27:26 -0700
+Subject: [PATCH] Fix #2680
+
+---
+ .../jackson/databind/jsontype/impl/SubTypeValidator.java       | 3 +++
+ 1 files changed, 3 insertions(+)
+
+diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+index e3962ca72..80f5b61bd 100644
+--- a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
++++ b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+@@ -49,6 +49,9 @@ public class SubTypeValidator
+         // [databind#1737]; 3rd party
+ //s.add("org.springframework.aop.support.AbstractBeanFactoryPointcutAdvisor"); // deprecated by [databind#1855]
+         s.add("org.springframework.beans.factory.config.PropertyPathFactoryBean");
++        // [databind#2680]
++        s.add("org.springframework.aop.config.MethodLocatingFactoryBean");
++        s.add("org.springframework.beans.factory.config.BeanReferenceFactoryBean");
+ 
+ // s.add("com.mchange.v2.c3p0.JndiRefForwardingDataSource"); // deprecated by [databind#1931]
+ // s.add("com.mchange.v2.c3p0.WrapperConnectionPoolDataSource"); // - "" -
+-- 
+2.23.0
+

CVE-2020-11620.patch

@@ -0,0 +1,26 @@
+From 77040d85e3eb6710508e6445640ae1a3d5e60c22 Mon Sep 17 00:00:00 2001
+From: Tatu Saloranta <tatu.saloranta@iki.fi>
+Date: Tue, 7 Apr 2020 09:34:38 -0700
+Subject: [PATCH] Fix #2682
+
+---
+ .../jackson/databind/jsontype/impl/SubTypeValidator.java       | 3 +++
+ 1 files changed, 3 insertions(+)
+
+diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+index 80f5b61bd..b123bee8b 100644
+--- a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
++++ b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+@@ -177,6 +177,9 @@ public class SubTypeValidator
+         // [databind#2666]: apache/commons-jms
+         s.add("org.apache.commons.proxy.provider.remoting.RmiProvider");
+ 
++        // [databind#2682]: commons-jelly
++        s.add("org.apache.commons.jelly.impl.Embedded");
++
+         DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
+     }
+ 
+-- 
+2.23.0
+

CVE-2020-14060.patch

@@ -0,0 +1,26 @@
+From d1c67a0396e84c08d0558fbb843b5bd1f26e1921 Mon Sep 17 00:00:00 2001
+From: Tatu Saloranta <tatu.saloranta@iki.fi>
+Date: Fri, 24 Apr 2020 20:12:06 -0700
+Subject: [PATCH] Fix #2688
+
+---
+ .../jackson/databind/jsontype/impl/SubTypeValidator.java     | 3 +++
+ 1 files changed, 3 insertions(+)
+
+diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+index b123bee8b..a7853c026 100644
+--- a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
++++ b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+@@ -180,6 +180,9 @@ public class SubTypeValidator
+         // [databind#2682]: commons-jelly
+         s.add("org.apache.commons.jelly.impl.Embedded");
+ 
++        // [databind#2688]: apache/drill
++        s.add("oadd.org.apache.xalan.lib.sql.JNDIConnectionPool");
++
+         DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
+     }
+ 
+-- 
+2.23.0
+

CVE-2020-14061.patch

@@ -0,0 +1,32 @@
+From 5c8642aeae9c756b438ab7637c90ef3c77966e6e Mon Sep 17 00:00:00 2001
+From: Tatu Saloranta <tatu.saloranta@iki.fi>
+Date: Fri, 24 Apr 2020 20:39:14 -0700
+Subject: [PATCH] Fix #2698
+
+---
+ .../jackson/databind/jsontype/impl/SubTypeValidator.java | 9 +++++++++
+ 1 files changed, 9 insertions(+)
+
+diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+index a7853c026..20bbf2059 100644
+--- a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
++++ b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+@@ -183,6 +183,15 @@ public class SubTypeValidator
+         // [databind#2688]: apache/drill
+         s.add("oadd.org.apache.xalan.lib.sql.JNDIConnectionPool");
+ 
++        // [databind#2698]: weblogic w/ oracle/aq-jms
++        // (note: dependency not available via Maven Central, but as part of
++        // weblogic installation, possibly fairly old version(s))
++        s.add("oracle.jms.AQjmsQueueConnectionFactory");
++        s.add("oracle.jms.AQjmsXATopicConnectionFactory");
++        s.add("oracle.jms.AQjmsTopicConnectionFactory");
++        s.add("oracle.jms.AQjmsXAQueueConnectionFactory");
++        s.add("oracle.jms.AQjmsXAConnectionFactory");
++
+         DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
+     }
+ 
+-- 
+2.23.0
+

CVE-2020-14062.patch

@@ -0,0 +1,28 @@
+From 840eae2ca81c597a0010b2126f32dce17d384b70 Mon Sep 17 00:00:00 2001
+From: Tatu Saloranta <tatu.saloranta@iki.fi>
+Date: Fri, 1 May 2020 19:19:10 -0700
+Subject: [PATCH] ... actual #2704 fix here (forgot to commit change)
+
+---
+ .../jackson/databind/jsontype/impl/SubTypeValidator.java      | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+index 20bbf2059..80cc37879 100644
+--- a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
++++ b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+@@ -113,8 +113,10 @@ public class SubTypeValidator
+         s.add("org.apache.commons.configuration.JNDIConfiguration");
+         s.add("org.apache.commons.configuration2.JNDIConfiguration");
+ 
+-        // [databind#2469]: xalan2
++        // [databind#2469]: xalan
+         s.add("org.apache.xalan.lib.sql.JNDIConnectionPool");
++        // [databind#2704]: xalan2
++        s.add("com.sun.org.apache.xalan.internal.lib.sql.JNDIConnectionPool");
+ 
+         // [databind#2478]: comons-dbcp, p6spy
+         s.add("org.apache.commons.dbcp.datasources.PerUserPoolDataSource");
+-- 
+2.23.0
+

CVE-2020-14195.patch

@@ -0,0 +1,26 @@
+From f6d9c664f6d481703138319f6a0f1fdbddb3a259 Mon Sep 17 00:00:00 2001
+From: Tatu Saloranta <tatu.saloranta@iki.fi>
+Date: Sat, 13 Jun 2020 20:30:10 -0700
+Subject: [PATCH] Fixed #2765
+
+---
+ .../jackson/databind/jsontype/impl/SubTypeValidator.java       | 3 +++
+ 1 files changed, 3 insertions(+)
+ 
+diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+index 80cc37879..7c3d4bcc3 100644
+--- a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
++++ b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+@@ -194,6 +194,9 @@ public class SubTypeValidator
+         s.add("oracle.jms.AQjmsXAQueueConnectionFactory");
+         s.add("oracle.jms.AQjmsXAConnectionFactory");
+ 
++        // [databind#2764]: org.jsecurity:
++        s.add("org.jsecurity.realm.jndi.JndiRealmFactory");
++
+         DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
+     }
+ 
+-- 
+2.23.0
+

CVE-2020-24616.patch

@@ -0,0 +1,29 @@
+From 3d97153944f7de9c19c1b3637b33d3cf1fbbe4d7 Mon Sep 17 00:00:00 2001
+From: Tatu Saloranta <tatu.saloranta@iki.fi>
+Date: Mon, 10 Aug 2020 19:39:03 -0700
+Subject: [PATCH] Add a block for #2814
+
+---
+ .../jackson/databind/jsontype/impl/SubTypeValidator.java      | 4 +++-
+ 1 files changed, 3 insertions(+), 1 deletions(-)
+ 
+diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+index d0753df93..d470bb53d 100644
+--- a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
++++ b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+@@ -137,9 +137,11 @@ public class SubTypeValidator
+         // [databind#2631]: shaded hikari-config
+         s.add("org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig");
+ 
+-        // [databind#2634]: ibatis-sqlmap, anteros-core
++        // [databind#2634]: ibatis-sqlmap, anteros-core/-dbcp
+         s.add("com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig");
+         s.add("br.com.anteros.dbcp.AnterosDBCPConfig");
++        // [databind#2814]: anteros-dbcp
++        s.add("br.com.anteros.dbcp.AnterosDBCPDataSource");
+ 
+         // [databind#2642]: javax.swing (jdk)
+         s.add("javax.swing.JEditorPane");
+-- 
+2.23.0
+

CVE-2020-24750.patch

@@ -0,0 +1,26 @@
+From 6cc9f1a1af323cd156f5668a47e43bab324ae16f Mon Sep 17 00:00:00 2001
+From: Tatu Saloranta <tatu.saloranta@iki.fi>
+Date: Mon, 20 Jul 2020 17:40:57 -0700
+Subject: [PATCH] Work for addressing #2798
+
+---
+ .../jackson/databind/jsontype/impl/SubTypeValidator.java     | 3 +++
+ 1 files changed, 3 insertions(+)
+
+diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+index 7c3d4bcc3..d0753df93 100644
+--- a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
++++ b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+@@ -197,6 +197,9 @@ public class SubTypeValidator
+         // [databind#2764]: org.jsecurity:
+         s.add("org.jsecurity.realm.jndi.JndiRealmFactory");
+ 
++        // [databind#2798]: com.pastdev.httpcomponents:
++        s.add("com.pastdev.httpcomponents.configuration.JndiConfiguration");
++        
+         DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
+     }
+ 
+-- 
+2.23.0
+

CVE-2020-8840.patch

@@ -0,0 +1,26 @@
+From 914e7c9f2cb8ce66724bf26a72adc7e958992497 Mon Sep 17 00:00:00 2001
+From: Tatu Saloranta <tatu.saloranta@iki.fi>
+Date: Sun, 9 Feb 2020 15:16:04 -0800
+Subject: [PATCH] Fix #2620
+
+---
+ .../jackson/databind/jsontype/impl/SubTypeValidator.java    | 3 +++
+ 1 files changed, 3 insertions(+)
+ 
+diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+index 1b616b26a..06901bf97 100644
+--- a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
++++ b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+@@ -125,6 +125,9 @@ public class SubTypeValidator
+         s.add("net.sf.ehcache.transaction.manager.selector.GenericJndiSelector");
+         s.add("net.sf.ehcache.transaction.manager.selector.GlassfishSelector");
+ 
++        // [databind#2620]: xbean-reflect
++        s.add("org.apache.xbean.propertyeditor.JndiConverter");
++        
+         DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
+     }
+ 
+-- 
+2.23.0
+

CVE-2020-9546-CVE-2020-9547-CVE-2020-9548.patch

@@ -0,0 +1,27 @@
+From 9f4e97019fb0dd836533d0b6198c88787e235ae2 Mon Sep 17 00:00:00 2001
+From: Tatu Saloranta <tatu.saloranta@iki.fi>
+Date: Sat, 29 Feb 2020 17:35:12 -0800
+Subject: [PATCH] Fixing issues #2631 and #2634
+
+---
+ .../jackson/databind/jsontype/impl/SubTypeValidator.java   | 7 +++++++
+ 1 files changed, 7 insertions(+)
+
+diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+index 64c6c764f..bf04f1bde 100644
+--- a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
++++ b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+@@ -128,6 +128,13 @@ public class SubTypeValidator
+         // [databind#2620]: xbean-reflect
+         s.add("org.apache.xbean.propertyeditor.JndiConverter");
+         
++        // [databind#2631]: shaded hikari-config
++        s.add("org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig");
++
++        // [databind#2634]: ibatis-sqlmap, anteros-core
++        s.add("com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig");
++        s.add("br.com.anteros.dbcp.AnterosDBCPConfig");
++
+         DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
+     }
+ 

Fix-2498.patch

@@ -0,0 +1,27 @@
+From b5a304a98590b6bb766134f9261e6566dcbbb6d0 Mon Sep 17 00:00:00 2001
+From: Tatu Saloranta <tatu.saloranta@iki.fi>
+Date: Sat, 12 Oct 2019 11:00:17 -0700
+Subject: [PATCH] Fix #2498
+
+---
+ .../jackson/databind/jsontype/impl/SubTypeValidator.java      | 4 ++++
+ 1 files changed, 4 insertions(+)
+
+diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+index 1e5cecaf6..52882670c 100644
+--- a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
++++ b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+@@ -117,6 +117,10 @@ public class SubTypeValidator
+         s.add("org.apache.commons.dbcp.datasources.SharedPoolDataSource");
+         s.add("com.p6spy.engine.spy.P6DataSource");
+ 
++        // [databind#2498]: log4j-extras (1.2)
++        s.add("org.apache.log4j.receivers.db.DriverManagerConnectionSource");
++        s.add("org.apache.log4j.receivers.db.JNDIConnectionSource");
++
+         DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
+     }
+ 
+-- 
+2.23.0
+

Fix-2648.patch

@@ -0,0 +1,26 @@
+From 9bdc373bcca774ee57b8c42f4af61a7b50f3dc26 Mon Sep 17 00:00:00 2001
+From: Tatu Saloranta <tatu.saloranta@iki.fi>
+Date: Mon, 9 Mar 2020 19:57:06 -0700
+Subject: [PATCH] Fix #2648
+
+---
+ .../jackson/databind/jsontype/impl/SubTypeValidator.java     | 3 +++
+ 1 files changed, 3 insertions(+)
+ 
+diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+index 3b0de954a..9c0ff58d9 100644
+--- a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
++++ b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+@@ -138,6 +138,9 @@ public class SubTypeValidator
+         // [databind#2642]: javax.swing (jdk)
+         s.add("javax.swing.JEditorPane");
+ 
++        // [databind#2648]: shire-core
++        s.add("org.apache.shiro.realm.jndi.JndiRealmFactory");
++
+         DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
+     }
+ 
+-- 
+2.23.0
+

Fix-2653.patch

@@ -0,0 +1,27 @@
+From 82d5d10089d6ac311a41548502b7433016c46fc8 Mon Sep 17 00:00:00 2001
+From: Tatu Saloranta <tatu.saloranta@iki.fi>
+Date: Wed, 11 Mar 2020 16:24:16 -0700
+Subject: [PATCH] Fix #2653
+
+---
+ .../jackson/databind/jsontype/impl/SubTypeValidator.java       | 3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+ 
+diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+index 9c0ff58d9..08f06ed41 100644
+--- a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
++++ b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+@@ -138,8 +138,9 @@ public class SubTypeValidator
+         // [databind#2642]: javax.swing (jdk)
+         s.add("javax.swing.JEditorPane");
+ 
+-        // [databind#2648]: shire-core
++        // [databind#2648], [databind#2653]: shire-core
+         s.add("org.apache.shiro.realm.jndi.JndiRealmFactory");
++        s.add("org.apache.shiro.jndi.JndiObjectFactory");
+ 
+         DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
+     }
+-- 
+2.23.0
+

jackson-databind.spec

@@ -1,10 +1,42 @@
 Name:                jackson-databind
 Version:             2.9.8
-Release:             1
+Release:             2
 Summary:             General data-binding package for Jackson (2.x)
 License:             ASL 2.0 and LGPLv2+
 URL:                 https://github.com/FasterXML/jackson-databind/
 Source0:             https://github.com/FasterXML/jackson-databind/archive/%{name}-%{version}.tar.gz
+Patch0000:           CVE-2019-12086.patch
+Patch0001:           CVE-2019-12384.patch
+Patch0002:           CVE-2019-12814.patch
+Patch0003:           CVE-2019-14379-CVE-2019-14439.patch
+Patch0004:           CVE-2019-14540.patch
+Patch0005:           CVE-2019-16335.patch
+Patch0006:           CVE-2019-17267.patch
+Patch0007:           CVE-2019-14892.patch
+Patch0008:           CVE-2019-14893.patch
+Patch0009:           CVE-2019-16942-CVE-2019-16943-1.patch
+Patch0010:           CVE-2019-16942-CVE-2019-16943-2.patch
+Patch0011:           Fix-2498.patch
+Patch0012:           CVE-2019-20330.patch
+Patch0013:           CVE-2020-8840.patch
+Patch0014:           CVE-2020-9546-CVE-2020-9547-CVE-2020-9548.patch
+Patch0015:           CVE-2020-10969.patch
+Patch0016:           Fix-2648.patch
+Patch0017:           Fix-2653.patch
+Patch0018:           CVE-2020-10650.patch
+Patch0019:           CVE-2020-10672.patch
+Patch0020:           CVE-2020-10673.patch
+Patch0021:           CVE-2020-10968-CVE-2020-11111-CVE-2020-11112.patch
+Patch0022:           CVE-2020-11111-2.patch
+Patch0023:           CVE-2020-11113.patch
+Patch0024:           CVE-2020-11619.patch
+Patch0025:           CVE-2020-11620.patch
+Patch0026:           CVE-2020-14060.patch
+Patch0027:           CVE-2020-14061.patch
+Patch0028:           CVE-2020-14062.patch
+Patch0029:           CVE-2020-14195.patch
+Patch0030:           CVE-2020-24750.patch
+Patch0031:           CVE-2020-24616.patch
 BuildRequires:       maven-local mvn(com.fasterxml.jackson.core:jackson-annotations) >= %{version}
 BuildRequires:       mvn(com.fasterxml.jackson.core:jackson-core) >= %{version}
 BuildRequires:       mvn(com.fasterxml.jackson:jackson-base:pom:) >= %{version}
@@ -24,7 +56,7 @@ Summary:             Javadoc for %{name}
 This package contains API documentation for %{name}.
 
 %prep
-%setup -q -n %{name}-%{name}-%{version}
+%autosetup -p1 -n %{name}-%{name}-%{version}
 # Remove plugins unnecessary for RPM builds
 %pom_remove_plugin ":maven-enforcer-plugin"
 cp -p src/main/resources/META-INF/LICENSE .
@@ -56,6 +88,9 @@ rm src/test/java/com/fasterxml/jackson/databind/ser/jdk/JDKTypeSerializationTest
 %license LICENSE NOTICE
 
 %changelog
+* Sat Sep 19 2020 wangxiao <wangxiao65@huawei.com> - 2.9.8-2
+- fix cves
+
 * Fri Aug 28 2020 wutao <wutao61@huawei.com> - 2.9.8-1
 - upgrade to 2.9.8