commit jackson-databind for openSUSE:Factory
Hello community, here is the log from the commit of package jackson-databind for openSUSE:Factory checked in at 2020-03-26 23:33:05 Comparing /work/SRC/openSUSE:Factory/jackson-databind (Old) and /work/SRC/openSUSE:Factory/.jackson-databind.new.3160 (New) Package is "jackson-databind" Thu Mar 26 23:33:05 2020 rev:4 rq:788433 version:2.10.3 Changes: --- /work/SRC/openSUSE:Factory/jackson-databind/jackson-databind.changes 2020-01-07 23:56:08.840118326 +0100 +++ /work/SRC/openSUSE:Factory/.jackson-databind.new.3160/jackson-databind.changes 2020-03-26 23:33:16.502775059 +0100 @@ -1,0 +2,15 @@ +Thu Mar 26 07:36:52 UTC 2020 - Fridrich Strba + +- Update to 2.10.3 + * #2482: JSONMappingException Location column number is one line +Behind the actual location + * #2599: NoClassDefFoundError at DeserializationContext. on +Android 4.1.2 and Jackson 2.10.0 + * #2602: ByteBufferSerializer produces unexpected results with a +duplicated ByteBuffer and a position > 0 + * #2605: Failure to deserialize polymorphic subtypes of base +type Enum + * #2610: EXTERNAL_PROPERTY doesn't work with +@JsonIgnoreProperties + +--- Old: jackson-databind-2.10.2.tar.gz New: jackson-databind-2.10.3.tar.gz Other differences: -- ++ jackson-databind.spec ++ --- /var/tmp/diff_new_pack.lBA6xo/_old 2020-03-26 23:33:17.102775276 +0100 +++ /var/tmp/diff_new_pack.lBA6xo/_new 2020-03-26 23:33:17.106775277 +0100 @@ -17,7 +17,7 @@ Name: jackson-databind -Version:2.10.2 +Version:2.10.3 Release:0 Summary:General data-binding package for Jackson (2.x) License:Apache-2.0 AND LGPL-2.1-or-later ++ jackson-databind-2.10.2.tar.gz -> jackson-databind-2.10.3.tar.gz ++ 2280 lines of diff (skipped)
commit jackson-databind for openSUSE:Factory
Hello community, here is the log from the commit of package jackson-databind for openSUSE:Factory checked in at 2020-01-07 23:55:31 Comparing /work/SRC/openSUSE:Factory/jackson-databind (Old) and /work/SRC/openSUSE:Factory/.jackson-databind.new.6675 (New) Package is "jackson-databind" Tue Jan 7 23:55:31 2020 rev:3 rq:761587 version:2.10.2 Changes: --- /work/SRC/openSUSE:Factory/jackson-databind/jackson-databind.changes 2019-11-24 00:43:25.711288734 +0100 +++ /work/SRC/openSUSE:Factory/.jackson-databind.new.6675/jackson-databind.changes 2020-01-07 23:56:08.840118326 +0100 @@ -1,0 +2,17 @@ +Tue Jan 7 10:41:52 UTC 2020 - Pedro Monreal Gonzalez + +- Update to 2.10.2 [bsc#1160113, CVE-2019-20330] +#2101: `FAIL_ON_NULL_FOR_PRIMITIVES` failure does not indicate field name in exception message +#2544: java.lang.NoClassDefFoundError Thrown for compact profile1 +#2553: JsonDeserialize(contentAs=...) broken with raw collections +#2556: Contention in `TypeNameIdResolver.idFromClass()` +#2560: Check `WRAP_EXCEPTIONS` in `CollectionDeserializer.handleNonArray()` +#2564: Fix `IllegalArgumentException` on empty input collection for `ArrayBlockingQueue` +#2566: `MissingNode.toString()` returns `null` (4 character token) instead of empty string +#2567: Incorrect target type for arrays when providing nulls and nulls are disabled +#2573: Problem with `JsonInclude` config overrides for `java.util.Map` +#2576: Fail to serialize `Enum` instance which includes a method override + as POJO (shape = Shape.OBJECT) +Fix an issue with `ObjectReader.with(JsonParser.Feature)` (and related) not working + +--- Old: jackson-databind-2.10.1.tar.gz New: jackson-databind-2.10.2.tar.gz Other differences: -- ++ jackson-databind.spec ++ --- /var/tmp/diff_new_pack.oAdI1Q/_old 2020-01-07 23:56:10.340119105 +0100 +++ /var/tmp/diff_new_pack.oAdI1Q/_new 2020-01-07 23:56:10.348119109 +0100 @@ -1,7 +1,7 @@ # # spec file for package jackson-databind # -# Copyright (c) 2019 SUSE LLC. +# Copyright (c) 2020 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -17,7 +17,7 @@ Name: jackson-databind -Version:2.10.1 +Version:2.10.2 Release:0 Summary:General data-binding package for Jackson (2.x) License:Apache-2.0 AND LGPL-2.1-or-later ++ jackson-databind-2.10.1.tar.gz -> jackson-databind-2.10.2.tar.gz ++ 2189 lines of diff (skipped)
commit jackson-databind for openSUSE:Factory
Hello community,
here is the log from the commit of package jackson-databind for
openSUSE:Factory checked in at 2019-11-24 00:43:24
Comparing /work/SRC/openSUSE:Factory/jackson-databind (Old)
and /work/SRC/openSUSE:Factory/.jackson-databind.new.26869 (New)
Package is "jackson-databind"
Sun Nov 24 00:43:24 2019 rev:2 rq:750406 version:2.10.1
Changes:
--- /work/SRC/openSUSE:Factory/jackson-databind/jackson-databind.changes
2019-10-31 18:13:45.765917028 +0100
+++
/work/SRC/openSUSE:Factory/.jackson-databind.new.26869/jackson-databind.changes
2019-11-24 00:43:25.711288734 +0100
@@ -1,0 +2,197 @@
+Tue Nov 19 15:24:49 UTC 2019 - Pedro Monreal Gonzalez
+
+- Update to 2.10.1 [bsc#1157186, CVE-2019-14893]
+ * 2.10.1 (09-Nov-2019)
+#2457: Extended enum values are not handled as enums when used as Map keys
+#2473: Array index missing in path of 'JsonMappingException' for
'Collection',
+ with custom deserializer
+#2475: 'StringCollectionSerializer' calls
'JsonGenerator.setCurrentValue(value)',
+ which messes up current value for sibling properties
+#2485: Add 'uses' for 'Module' in module-info
+#2513: BigDecimalAsStringSerializer in NumberSerializer throws
IllegalStateException in 2.10
+#2519: Serializing 'BigDecimal' values inside containers ignores shape
override
+#2520: Sub-optimal exception message when failing to deserialize
non-static inner classes
+#2529: Add tests to ensure 'EnumSet' and 'EnumMap' work correctly with
"null-as-empty"
+#2534: Add 'BasicPolymorphicTypeValidator.Builder.allowIfSubTypeIsArray()'
+#2535: Allow String-to-byte[] coercion for String-value collections
+ * 2.10.0 (26-Sep-2019)
+#18: Make 'JsonNode' serializable
+#1093: Default typing does not work with 'writerFor(Object.class)'
+#1675: Remove "impossible" 'IOException' in 'readTree()' and 'readValue()'
'ObjectMapper'
+ methods which accept Strings
+#1954: Add Builder pattern for creating configured 'ObjectMapper' instances
+#1995: Limit size of 'DeserializerCache', auto-flush on exceeding
+#2059: Remove 'final' modifier for 'TypeFactory'
+#2077: 'JsonTypeInfo' with a subtype having 'JsonFormat.Shape.ARRAY' and
+ no fields generates '{}' not '[]'
+#2115: Support naive deserialization of 'Serializable' values as
"untyped", same
+ as 'java.lang.Object'
+#2116: Make NumberSerializers.Base public and its inherited classes not
final
+#2126: 'DeserializationContext.instantiationException()' throws
'InvalidDefinitionException'
+#2129: Add 'SerializationFeature.WRITE_ENUM_KEYS_USING_INDEX', separate
from value setting
+#2133: Improve 'DeserializationProblemHandler.handleUnexpectedToken()' to
allow handling of
+ Collection problems
+#2149: Add 'MapperFeature.ACCEPT_CASE_INSENSITIVE_VALUES'
+#2153: Add 'JsonMapper' to replace generic 'ObjectMapper' usage
+#2164: 'FactoryBasedEnumDeserializer' does not respect
+ 'DeserializationFeature.WRAP_EXCEPTIONS'
+#2187: Make 'JsonNode.toString()' use shared 'ObjectMapper' to produce
valid json
+#2189: 'TreeTraversingParser' does not check int bounds
+#2195: Add abstraction 'PolymorphicTypeValidator', for limiting subtypes
allowed by
+ default typing, '@JsonTypeInfo'
+#2196: Type safety for 'readValue()' with 'TypeReference'
+#2204: Add 'JsonNode.isEmpty()' as convenience alias
+#2211: Change of behavior (2.8 -> 2.9) with 'ObjectMapper.readTree(input)'
with no content
+#2217: Suboptimal memory allocation in 'TextNode.getBinaryValue()'
+#2220: Force serialization always for 'convertValue()'; avoid short-cuts
+#2223: Add 'missingNode()' method in 'JsonNodeFactory'
+#2227: Minor cleanup of exception message for 'Enum' binding failure
+#2230: 'WRITE_BIGDECIMAL_AS_PLAIN' is ignored if '@JsonFormat' is used
+#2236: Type id not provided on 'Double.NaN', 'Infinity' with
'@JsonTypeInfo'
+#2237: Add "required" methods in 'JsonNode': 'required(String | int)',
+ 'requiredAt(JsonPointer)'
+#2241: Add 'PropertyNamingStrategy.LOWER_DOT_CASE' for dot-delimited names
+#2251: Getter that returns an abstract collection breaks a delegating
'@JsonCreator'
+#2265: Inconsistent handling of Collections$UnmodifiableList vs
+ Collections$UnmodifiableRandomAccessListq
+#2273: Add basic Java 9+ module info
+#2280: JsonMerge not work with constructor args
+#2309: READ_ENUMS_USING_TO_STRING doesn't support null values
+#2311: Unnecessary MultiView creation for property writers
+#2331: 'JsonMappingException' through nested getter with generic wildcard
return type
+#2336: 'MapDeserializer' can not merge 'Map's with polymorphic values
+#2338: Suboptimal
commit jackson-databind for openSUSE:Factory
Hello community,
here is the log from the commit of package jackson-databind for
openSUSE:Factory checked in at 2019-10-31 18:13:40
Comparing /work/SRC/openSUSE:Factory/jackson-databind (Old)
and /work/SRC/openSUSE:Factory/.jackson-databind.new.2990 (New)
Package is "jackson-databind"
Thu Oct 31 18:13:40 2019 rev:1 rq:734362 version:2.9.4
Changes:
New Changes file:
--- /dev/null 2019-10-24 10:19:07.066239389 +0200
+++
/work/SRC/openSUSE:Factory/.jackson-databind.new.2990/jackson-databind.changes
2019-10-31 18:13:45.765917028 +0100
@@ -0,0 +1,4 @@
+---
+Tue Oct 1 13:59:49 UTC 2019 - Fridrich Strba
+
+- Initial packaging of jackson-databind 2.9.4
New:
CVE-2018-7489.patch
jackson-databind-2.9.4.tar.gz
jackson-databind.changes
jackson-databind.spec
Other differences:
--
++ jackson-databind.spec ++
#
# spec file for package jackson-databind
#
# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
Name: jackson-databind
Version:2.9.4
Release:0
Summary:General data-binding package for Jackson (2.x)
License:Apache-2.0 AND LGPL-2.1-or-later
URL:https://github.com/FasterXML/jackson-databind/
Source0:
https://github.com/FasterXML/jackson-databind/archive/%{name}-%{version}.tar.gz
# Taken from
https://github.com/FasterXML/jackson-databind/commit/6799f8f10cc78e9af6d443ed6982d00a13f2e7d2
Patch0: CVE-2018-7489.patch
BuildRequires: fdupes
BuildRequires: maven-local
BuildRequires: mvn(com.fasterxml.jackson.core:jackson-annotations) >=
%{version}
BuildRequires: mvn(com.fasterxml.jackson.core:jackson-core) >= %{version}
BuildRequires: mvn(com.fasterxml.jackson:jackson-base:pom:) >= %{version}
BuildRequires: mvn(com.google.code.maven-replacer-plugin:replacer)
BuildRequires: mvn(org.apache.bcel:bcel)
BuildRequires: mvn(org.apache.felix:maven-bundle-plugin)
BuildArch: noarch
%description
The general-purpose data-binding functionality and tree-model for Jackson Data
Processor. It builds on core streaming parser/generator package, and uses
Jackson Annotations for configuration.
%package javadoc
Summary:Javadoc for %{name}
%description javadoc
This package contains API documentation for %{name}.
%prep
%setup -q -n %{name}-%{name}-%{version}
%patch0 -p1
# Remove plugins unnecessary for RPM builds
%pom_remove_plugin ":maven-enforcer-plugin"
cp -p src/main/resources/META-INF/LICENSE .
cp -p src/main/resources/META-INF/NOTICE .
sed -i 's/\r//' LICENSE NOTICE
# The package com.sun.org.apache.bcel.internal.util is not present in latest
OpenJDK
%pom_add_dep org.apache.bcel:bcel
sed -i
's/com\.sun\.org\.apache\.bcel\.internal\.util/org\.apache\.bcel\.util/g' \
src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
\
src/test/java/com/fasterxml/jackson/databind/interop/IllegalTypesCheckTest.java
%{mvn_file} : %{name}
%build
%{mvn_build} -f -- -Dsource=7
%install
%mvn_install
%fdupes -s %{buildroot}%{_javadocdir}
%files -f .mfiles
%doc README.md release-notes/*
%license LICENSE NOTICE
%files javadoc -f .mfiles-javadoc
%license LICENSE NOTICE
%changelog
++ CVE-2018-7489.patch ++
diff --git
a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
index 164ab3454..bdd3b2f4e 100644
---
a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+++
b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
@@ -19,7 +19,10 @@ import com.fasterxml.jackson.databind.JsonMappingException;
*/
public class SubTypeValidator
{
-protected final static String PREFIX_STRING = "org.springframework.";
+protected final static String PREFIX_SPRING = "org.springframework.";
+
+protected final static String PREFIX_C3P0 = "com.mchange.v2.c3p0.";
+
/**
* Set of well-known "nasty classes", deserialization of which is
considered dangerous
* and should (and is)
