[Git][java-team/jackson-databind][master] 5 commits: Fix CVE-2019-16942

Markus Koschany gitlab at salsa.debian.org
Thu Oct 3 15:06:47 BST 2019



Markus Koschany pushed to branch master at Debian Java Maintainers / jackson-databind


Commits:
2ee96a30 by Markus Koschany at 2019-10-03T13:48:46Z
Fix CVE-2019-16942

- - - - -
712b3220 by Markus Koschany at 2019-10-03T13:54:10Z
Update changelog

- - - - -
aa47aaf2 by Markus Koschany at 2019-10-03T13:55:59Z
Drop CVE-2019-16942.patch

- - - - -
0bc9aa2a by Markus Koschany at 2019-10-03T13:56:50Z
Refresh CVE patch

- - - - -
97e74444 by Markus Koschany at 2019-10-03T13:57:31Z
Update changelog

- - - - -


4 changed files:

- debian/changelog
- + debian/patches/CVE-2019-16942-and-CVE-2019-16943.patch
- debian/patches/base-pom.patch
- debian/patches/series


Changes:

=====================================
debian/changelog
=====================================
@@ -1,3 +1,10 @@
+jackson-databind (2.10.0-2) unstable; urgency=high
+
+  * Fix CVE-2019-16942 and CVE-2019-16943.
+    Block two more gadget types (commons-dbcp, p6spy). (Closes: #941530)
+
+ -- Markus Koschany <apo at debian.org>  Thu, 03 Oct 2019 15:48:58 +0200
+
 jackson-databind (2.10.0-1) unstable; urgency=medium
 
   * Team upload.


=====================================
debian/patches/CVE-2019-16942-and-CVE-2019-16943.patch
=====================================
@@ -0,0 +1,24 @@
+From: Markus Koschany <apo at debian.org>
+Date: Thu, 3 Oct 2019 15:56:30 +0200
+Subject: CVE-2019-16942 and CVE-2019-16943
+
+Forwarded: not-needed
+---
+ .../fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java    | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+index e54149e..4215b4e 100644
+--- a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
++++ b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+@@ -112,6 +112,10 @@ public class SubTypeValidator
+         // [databind#2469]: xalan2
+         s.add("org.apache.xalan.lib.sql.JNDIConnectionPool");
+ 
++        // [databind#2478]: comons-dbcp, p6spy
++        s.add("org.apache.commons.dbcp.datasources.SharedPoolDataSource");
++        s.add("com.p6spy.engine.spy.P6DataSource");
++
+         DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
+     }
+ 
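Review bot: The added comment line `+        // [databind#2478]: comons-dbcp, p6spy` has a typo ("comons-dbcp" should read "commons-dbcp"), which matters because these comments are what later patches and CVE triage grep for. The DEP-3 header would also benefit from an `Origin:` line naming the upstream commit for databind#2478 and a `Bug-Debian:` line for #941530 (the bug the changelog in this push closes), since `Forwarded: not-needed` alone does not record where the two class names came from. Note that the change extends the `DEFAULT_NO_DESER_CLASS_NAMES` denylist by two entries; that is the correct backport of the upstream fix, but reviewers should remember a denylist only covers gadget types already known, so the `urgency=high` upload is a stop-gap rather than a guarantee against further entries.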


=====================================
debian/patches/base-pom.patch
=====================================
@@ -11,7 +11,7 @@ Forwarded: not-needed
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/pom.xml b/pom.xml
-index b031f65..c6660ac 100644
+index 95fdb10..4ee8e91 100644
 --- a/pom.xml
 +++ b/pom.xml
 @@ -5,7 +5,7 @@
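Review bot: The commit titled "Refresh CVE patch" (0bc9aa2a) actually touches only debian/patches/base-pom.patch, and the only change is the `index b031f65..c6660ac` to `index 95fdb10..4ee8e91` blob-hash line with no hunk content altered; the commit message should say it refreshes base-pom.patch so the history does not suggest the CVE patch itself was modified here.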


=====================================
debian/patches/series
=====================================
@@ -1 +1,2 @@
 base-pom.patch
+CVE-2019-16942-and-CVE-2019-16943.patch



View it on GitLab: https://salsa.debian.org/java-team/jackson-databind/compare/9ae3664c6d8db711b74dd0cfc7aec21cfc54dbda...97e74444e3ca3014099595d5216a0f72b15f1727


