From d93b36f7abe8b18947987e40ae4a277ebe1c2a33 Mon Sep 17 00:00:00 2001 From: wang_yue111 <648774160@qq.com> Date: Fri, 22 Jan 2021 12:08:22 +0800 Subject: [PATCH] fix cves --- CVE-2020-36179-36180-36181-36182.patch | 25 +++++++++++++---------- CVE-2020-36183.patch | 26 ++++++++++++++++++++++++ CVE-2020-36184-CVE-2020-36185.patch | 21 ++++++++++--------- CVE-2020-36185.patch | 28 -------------------------- jackson-databind.spec | 16 ++++++++------- 5 files changed, 60 insertions(+), 56 deletions(-) create mode 100644 CVE-2020-36183.patch delete mode 100644 CVE-2020-36185.patch diff --git a/CVE-2020-36179-36180-36181-36182.patch b/CVE-2020-36179-36180-36181-36182.patch index cda419b..014e182 100644 --- a/CVE-2020-36179-36180-36181-36182.patch +++ b/CVE-2020-36179-36180-36181-36182.patch @@ -1,6 +1,6 @@ -From 3712a09e9ae5da3dbbaa0fbcf75114f25557171e Mon Sep 17 00:00:00 2001 +From 3d55f744ac2ce771ddf7e9da2a55b1955c035f6d Mon Sep 17 00:00:00 2001 From: Tatu Saloranta -Date: Thu, 21 Jan 2021 17:36:28 +0800 +Date: Fri, 22 Jan 2021 10:45:32 +0800 Subject: [PATCH] Fixed #3004 --- @@ -8,7 +8,7 @@ Subject: [PATCH] Fixed #3004 1 file changed, 12 insertions(+), 6 deletions(-) diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java -index 2fda051..787e573 100644 +index 2be6d49..db6866d 100644 --- a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java +++ b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java @@ -118,9 +118,12 @@ public class SubTypeValidator @@ -37,7 +37,7 @@ index 2fda051..787e573 100644 // [databind#2698]: weblogic w/ oracle/aq-jms // (note: dependency not available via Maven Central, but as part of // weblogic installation, possibly fairly old version(s)) -@@ -202,9 +205,10 @@ public class SubTypeValidator +@@ -202,16 +205,18 @@ public class SubTypeValidator // [databind#2798]: com.pastdev.httpcomponents: s.add("com.pastdev.httpcomponents.configuration.JndiConfiguration"); @@ -49,7 +49,16 @@ index 2fda051..787e573 100644 // [databind#2999]: org.glassfish.web/javax.servlet.jsp.jstl (embedded Xalan) // (derivative of #2469) -@@ -220,12 +224,14 @@ public class SubTypeValidator + s.add("com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool"); + +- // [databind#2998]: org.apache.tomcat/tomcat-dbcp (embedded dbcp 2.x) ++ // [databind#2998]/[databind#3004]: org.apache.tomcat/tomcat-dbcp (embedded dbcp 2.x) + // (derivative of #2478) ++ s.add("org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS"); + s.add("org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource"); + s.add("org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource"); + +@@ -220,8 +225,9 @@ public class SubTypeValidator s.add("com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource"); s.add("com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource"); @@ -59,12 +68,6 @@ index 2fda051..787e573 100644 + s.add("org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS"); s.add("org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource"); s.add("org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource"); -- // [databind#2998]: org.apache.tomcat/tomcat-dbcp (embedded dbcp 2.x) -+ // [databind#2998]/[databind#3004]: org.apache.tomcat/tomcat-dbcp (embedded dbcp 2.x) - // (derivative of #2478) -+ s.add("org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS"); - s.add("org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource"); - s.add("org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource"); -- 2.23.0 diff --git a/CVE-2020-36183.patch b/CVE-2020-36183.patch new file mode 100644 index 0000000..5e6fd04 --- /dev/null +++ b/CVE-2020-36183.patch @@ -0,0 +1,26 @@ +From ed90729275eb5e97357728667de9008a5c3cf9a7 Mon Sep 17 00:00:00 2001 +From: Tatu Saloranta +Date: Fri, 22 Jan 2021 14:53:17 +0800 +Subject: [PATCH] Fixed #3003 + +--- + .../jackson/databind/jsontype/impl/SubTypeValidator.java | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java +index db6866d..91ce229 100644 +--- a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java ++++ b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java +@@ -214,6 +214,9 @@ public class SubTypeValidator + // (derivative of #2469) + s.add("com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool"); + ++ // [databind#3003]: another case of embedded Xalan (derivative of #2469) ++ s.add("org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool"); ++ + // [databind#2998]/[databind#3004]: org.apache.tomcat/tomcat-dbcp (embedded dbcp 2.x) + // (derivative of #2478) + s.add("org.apache.tomcat.dbcp.dbcp2.cpdsadapter.DriverAdapterCPDS"); +-- +2.23.0 + diff --git a/CVE-2020-36184-CVE-2020-36185.patch b/CVE-2020-36184-CVE-2020-36185.patch index 5788138..ac29432 100644 --- a/CVE-2020-36184-CVE-2020-36185.patch +++ b/CVE-2020-36184-CVE-2020-36185.patch @@ -1,27 +1,28 @@ -From d8b91e1b94096f26443457463efeb0eb7f3477c8 Mon Sep 17 00:00:00 2001 +From 2cf1231703fa3a348ada8fa4491c96ee747bf7ed Mon Sep 17 00:00:00 2001 From: Tatu Saloranta -Date: Thu, 21 Jan 2021 15:36:41 +0800 +Date: Mon, 18 Jan 2021 18:30:47 +0800 Subject: [PATCH] Fixed #2998 --- - .../jackson/databind/jsontype/impl/SubTypeValidator.java | 4 ++++ - 1 file changed, 4 insertions(+) + .../jackson/databind/jsontype/impl/SubTypeValidator.java | 5 +++++ + 1 file changed, 5 insertions(+) diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java -index 2be6d49..2fda051 100644 +index 3e52fb7..9df94ec 100644 --- a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java +++ b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java -@@ -224,6 +224,10 @@ public class SubTypeValidator - // (derivative of #2478) - s.add("org.apache.tomcat.dbcp.dbcp.datasources.PerUserPoolDataSource"); - s.add("org.apache.tomcat.dbcp.dbcp.datasources.SharedPoolDataSource"); +@@ -210,6 +210,11 @@ public class SubTypeValidator + // (derivative of #2469) + s.add("com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool"); + + // [databind#2998]: org.apache.tomcat/tomcat-dbcp (embedded dbcp 2.x) + // (derivative of #2478) + s.add("org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource"); + s.add("org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource"); - ++ DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s); } + -- 2.23.0 diff --git a/CVE-2020-36185.patch b/CVE-2020-36185.patch deleted file mode 100644 index ac29432..0000000 --- a/CVE-2020-36185.patch +++ /dev/null @@ -1,28 +0,0 @@ -From 2cf1231703fa3a348ada8fa4491c96ee747bf7ed Mon Sep 17 00:00:00 2001 -From: Tatu Saloranta -Date: Mon, 18 Jan 2021 18:30:47 +0800 -Subject: [PATCH] Fixed #2998 - ---- - .../jackson/databind/jsontype/impl/SubTypeValidator.java | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java -index 3e52fb7..9df94ec 100644 ---- a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java -+++ b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java -@@ -210,6 +210,11 @@ public class SubTypeValidator - // (derivative of #2469) - s.add("com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool"); - -+ // [databind#2998]: org.apache.tomcat/tomcat-dbcp (embedded dbcp 2.x) -+ // (derivative of #2478) -+ s.add("org.apache.tomcat.dbcp.dbcp2.datasources.PerUserPoolDataSource"); -+ s.add("org.apache.tomcat.dbcp.dbcp2.datasources.SharedPoolDataSource"); -+ - DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s); - } - --- -2.23.0 - diff --git a/jackson-databind.spec b/jackson-databind.spec index e7be99b..664ca6d 100644 --- a/jackson-databind.spec +++ b/jackson-databind.spec @@ -1,6 +1,6 @@ Name: jackson-databind Version: 2.9.8 -Release: 6 +Release: 7 Summary: General data-binding package for Jackson (2.x) License: ASL 2.0 and LGPLv2+ URL: https://github.com/FasterXML/jackson-databind/ @@ -40,12 +40,12 @@ Patch0031: CVE-2020-24616.patch Patch0032: CVE-2020-25649.patch Patch0033: CVE-2020-35490-CVE-2020-35491.patch Patch0034: CVE-2020-35728.patch -Patch0035: CVE-2020-36185.patch +Patch0035: CVE-2020-36184-CVE-2020-36185.patch Patch0036: CVE-2020-36188-CVE-2020-36189.patch Patch0037: CVE-2020-36187-CVE-2020-36186.patch -Patch0038: CVE-2020-36184-CVE-2020-36185.patch #The CVE-2020-36179-36180-36181-36182.patch is used to fix CVE-2020-36179 and CVE-2020-36180 and CVE-2020-36181 and CVE-2020-36182 -Patch0039: CVE-2020-36179-36180-36181-36182.patch +Patch0038: CVE-2020-36179-36180-36181-36182.patch +Patch0039: CVE-2020-36183.patch BuildRequires: maven-local mvn(com.fasterxml.jackson.core:jackson-annotations) >= %{version} BuildRequires: mvn(com.fasterxml.jackson.core:jackson-core) >= %{version} @@ -98,10 +98,12 @@ rm src/test/java/com/fasterxml/jackson/databind/ser/jdk/JDKTypeSerializationTest %license LICENSE NOTICE %changelog +* Fri Jan 22 2021 wangyue - 2.9.8-7 +- fix CVE-2020-36179 CVE-2020-36180 CVE-2020-36181 + CVE-2020-36182 CVE-2020-36183 CVE-2020-36184 + * Thu Jan 21 2021 wangyue - 2.9.8-6 -- fix CVE-2020-36185 CVE-2020-36188 CVE-2020-36189 CVE-2020-36187 - CVE-2020-36186 CVE-2020-36184 CVE-2020-36185 CVE-2020-36179 - CVE-2020-36180 CVE-2020-36181 CVE-2020-36182 +- fix CVE-2020-36188 CVE-2020-36189 CVE-2020-36187 CVE-2020-36186 * Mon Jan 18 2021 wangyue - 2.9.8-5 - fix CVE-2020-36185