Markus Koschany pushed to branch buster at Debian Java Maintainers / jackson-databind
Commits: 9f2e3ad2 by Adrian Bunk at 2023-05-01T00:17:09+03:00 DLA 2.9.8-3+deb10u5 - - - - - 2cf4047f by Markus Koschany at 2023-04-30T21:29:03+00:00 Merge branch 'buster' into 'buster' DLA 2.9.8-3+deb10u5 See merge request java-team/jackson-databind!2 - - - - - 3 changed files: - debian/changelog - + debian/patches/0001-Fix-2658.patch - debian/patches/series Changes:
=====================================
debian/changelog
=====================================
@@ -1,3 +1,10 @@
+jackson-databind (2.9.8-3+deb10u5) buster-security; urgency=medium
+
+ * Non-maintainer upload by the LTS Security Team.
+ * CVE-2020-10650: Block one more gadget type (ignite-jta).
+
+ -- Adrian Bunk <[email protected]> Sun, 30 Apr 2023 18:36:34 +0300
+
 jackson-databind (2.9.8-3+deb10u4) buster-security; urgency=high

 * Team upload.
=====================================
debian/patches/0001-Fix-2658.patch
=====================================
@@ -0,0 +1,21 @@
+From a424c038ba0c0d65e579e22001dec925902ac0ef Mon Sep 17 00:00:00 2001
+From: Tatu Saloranta <[email protected]>
+Date: Sun, 15 Mar 2020 17:28:51 -0700
+Subject: Fix #2658
+
+Index: jackson-databind-2.9.8/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+===================================================================
+--- jackson-databind-2.9.8.orig/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
++++ jackson-databind-2.9.8/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+@@ -237,6 +237,11 @@ public class SubTypeValidator
+ // [databind#3003]: another case of embedded Xalan (derivative of #2469)
+ s.add("org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool");
+
++ // [databind#2658]: ignite-jta (, quartz-core)
++ s.add("org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup");
++ s.add("org.apache.ignite.cache.jta.jndi.CacheJndiTmFactory");
++ s.add("org.quartz.utils.JNDIConnectionProvider");
++
+ DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
+ }
+
=====================================
debian/patches/series
=====================================
@@ -10,3 +10,4 @@ CVE-2020-361{79-90}.patch
 CVE-2022-42003.patch
 CVE-2022-42004.patch
 CVE-2020-36518.patch
+0001-Fix-2658.patch
View it on GitLab: https://salsa.debian.org/java-team/jackson-databind/-/compare/c0e0f354edf764683c1cfddd29c764b354a68911...2cf4047f4fc44eaa9714f381db76f9019f895186 -- View it on GitLab: https://salsa.debian.org/java-team/jackson-databind/-/compare/c0e0f354edf764683c1cfddd29c764b354a68911...2cf4047f4fc44eaa9714f381db76f9019f895186 You're receiving this email because of your account on salsa.debian.org.
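Review bot: The three new `s.add(...)` lines in the SubTypeValidator hunk extend what appears to be a deny list of exact class names, so they would not cover relocated or shaded copies of the same ignite-jta and quartz-core classes. The `org.docx4j.org.apache.xalan...` context entry just above looks like an earlier case of exactly that. The comment `// [databind#2658]: ignite-jta (, quartz-core)` is hard to read and omits the CVE that the changelog ties to this change; I would write `// [databind#2658], CVE-2020-10650: JNDI lookup classes from ignite-jta and quartz-core; exact names only, shaded copies need their own entry`. The changelog line names only ignite-jta although `org.quartz.utils.JNDIConnectionProvider` is blocked as well, which makes the upload harder to audit later. The static initializer that fills `s` starts outside the hunk, so how the set is consulted cannot be confirmed from here.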

