[Git][java-team/jackson-databind][buster] 2 commits: DLA 2.9.8-3+deb10u5

Markus Koschany (@apo) gitlab at salsa.debian.org
Sun Apr 30 22:29:06 BST 2023



Markus Koschany pushed to branch buster at Debian Java Maintainers / jackson-databind


Commits:
9f2e3ad2 by Adrian Bunk at 2023-05-01T00:17:09+03:00
DLA 2.9.8-3+deb10u5

- - - - -
2cf4047f by Markus Koschany at 2023-04-30T21:29:03+00:00
Merge branch 'buster' into 'buster'

DLA 2.9.8-3+deb10u5

See merge request java-team/jackson-databind!2
- - - - -


3 changed files:

- debian/changelog
- + debian/patches/0001-Fix-2658.patch
- debian/patches/series


Changes:

=====================================
debian/changelog
=====================================
@@ -1,3 +1,10 @@
+jackson-databind (2.9.8-3+deb10u5) buster-security; urgency=medium
+
+  * Non-maintainer upload by the LTS Security Team.
+  * CVE-2020-10650: Block one more gadget type (ignite-jta).
+
+ -- Adrian Bunk <bunk at debian.org>  Sun, 30 Apr 2023 18:36:34 +0300
+
 jackson-databind (2.9.8-3+deb10u4) buster-security; urgency=high
 
   * Team upload.
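Review bot: The new changelog entry names only ignite-jta ("Block one more gadget type (ignite-jta)"), but the patch shipped with this upload also adds org.quartz.utils.JNDIConnectionProvider, which is a quartz class and not part of ignite-jta. Suggest rewording the line to something like "Block more gadget types (ignite-jta, quartz-core)" so that anyone auditing the upload from the changelog alone sees every class family that is now refused.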


=====================================
debian/patches/0001-Fix-2658.patch
=====================================
@@ -0,0 +1,21 @@
+From a424c038ba0c0d65e579e22001dec925902ac0ef Mon Sep 17 00:00:00 2001
+From: Tatu Saloranta <tatu.saloranta at iki.fi>
+Date: Sun, 15 Mar 2020 17:28:51 -0700
+Subject: Fix #2658
+
+Index: jackson-databind-2.9.8/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+===================================================================
+--- jackson-databind-2.9.8.orig/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
++++ jackson-databind-2.9.8/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+@@ -237,6 +237,11 @@ public class SubTypeValidator
+         // [databind#3003]: another case of embedded Xalan (derivative of #2469)
+         s.add("org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool");
+ 
++        // [databind#2658]: ignite-jta (, quartz-core)
++        s.add("org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup");
++        s.add("org.apache.ignite.cache.jta.jndi.CacheJndiTmFactory");
++        s.add("org.quartz.utils.JNDIConnectionProvider");
++
+         DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
+     }
+ 
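Review bot: The patch header has only From, Date and Subject ("Fix #2658"), with no Origin or Bug field and no mention of CVE-2020-10650, so the only place that ties these three s.add() lines to the CVE is debian/changelog. Suggest adding DEP-3 style Origin and Bug fields and the CVE id to the header so the patch is traceable on its own. A second point for whoever relies on this fix: the entries are exact fully qualified class names, and the context line for org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool ("another case of embedded Xalan") shows that a relocated copy of a class needs its own entry, so shaded copies of the ignite or quartz classes would not be covered by these additions.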


=====================================
debian/patches/series
=====================================
@@ -10,3 +10,4 @@ CVE-2020-361{79-90}.patch
 CVE-2022-42003.patch
 CVE-2022-42004.patch
 CVE-2020-36518.patch
+0001-Fix-2658.patch
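Review bot: The added series entry 0001-Fix-2658.patch is named after the upstream issue number, while the entries around it (CVE-2022-42003.patch, CVE-2022-42004.patch, CVE-2020-36518.patch) are named after the CVE they fix. Renaming the file to follow the same scheme, using the CVE-2020-10650 id from the changelog, would let the series file be checked against the changelog and a CVE tracker without opening each patch.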



View it on GitLab: https://salsa.debian.org/java-team/jackson-databind/-/compare/c0e0f354edf764683c1cfddd29c764b354a68911...2cf4047f4fc44eaa9714f381db76f9019f895186
