packages/jackson-databind
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!33 [sync] PR-30: Fix CVE-2019-17531

Browse Source 
From: @openeuler-sync-bot 
Reviewed-by: @wangchong1995924 
Signed-off-by: @wangchong1995924
This commit is contained in:
openeuler-ci-bot 2022-03-14 02:24:38 +00:00 committed by Gitee
commit c42234bf5b
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
2 changed files with 32 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
CVE-2019-17531.patch Normal file
View File

@ -0,0 +1,27 @@
From 1a32d9d07efcc2b089a5d42ee8f4b14e03607b3c Mon Sep 17 00:00:00 2001
From: Tatu Saloranta <tatu.saloranta@iki.fi>
Date: Sat, 12 Oct 2019 11:00:17 -0700
Subject: [PATCH] Fix #2498
---
.../jackson/databind/jsontype/impl/SubTypeValidator.java | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
index d28e2b9..bdd5100 100644
--- a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+++ b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
@@ -235,6 +235,10 @@ public class SubTypeValidator
s.add("org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource");
s.add("org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource");
+ // [databind#2498]: log4j-extras (1.2)
+ s.add("org.apache.log4j.receivers.db.DriverManagerConnectionSource");
+ s.add("org.apache.log4j.receivers.db.JNDIConnectionSource");
+
DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
}
--
2.30.0

6
jackson-databind.spec
View File

@ -1,6 +1,6 @@
Name: jackson-databind Name: jackson-databind
Version: 2.9.8 Version: 2.9.8
Release: 8 Release: 9
Summary: General data-binding package for Jackson (2.x) Summary: General data-binding package for Jackson (2.x)
License: ASL 2.0 and LGPLv2+ License: ASL 2.0 and LGPLv2+
URL: https://github.com/FasterXML/jackson-databind/ URL: https://github.com/FasterXML/jackson-databind/
@ -47,6 +47,7 @@ Patch0037: CVE-2020-36187-CVE-2020-36186.patch
Patch0038: CVE-2020-36179-36180-36181-36182.patch Patch0038: CVE-2020-36179-36180-36181-36182.patch
Patch0039: CVE-2020-36183.patch Patch0039: CVE-2020-36183.patch
Patch0040: CVE-2021-20190.patch Patch0040: CVE-2021-20190.patch
Patch0041: CVE-2019-17531.patch
BuildRequires: maven-local mvn(com.fasterxml.jackson.core:jackson-annotations) >= %{version} BuildRequires: maven-local mvn(com.fasterxml.jackson.core:jackson-annotations) >= %{version}
BuildRequires: mvn(com.fasterxml.jackson.core:jackson-core) >= %{version} BuildRequires: mvn(com.fasterxml.jackson.core:jackson-core) >= %{version}
@ -99,6 +100,9 @@ rm src/test/java/com/fasterxml/jackson/databind/ser/jdk/JDKTypeSerializationTest
%license LICENSE NOTICE %license LICENSE NOTICE
%changelog %changelog
* Fri Mar 11 2022 yaoxin <yaoxin30@huawei.com> - 2.9.8-9
- Fix CVE-2019-17531
* Wed Jan 27 2021 wangyue <wangyue92@huawei.com> - 2.9.8-8 * Wed Jan 27 2021 wangyue <wangyue92@huawei.com> - 2.9.8-8
- fix CVE-2021-20190 - fix CVE-2021-20190