commit jackson-databind for openSUSE:Factory
Hello community, here is the log from the commit of package jackson-databind for openSUSE:Factory checked in at 2020-03-26 23:33:05 Comparing /work/SRC/openSUSE:Factory/jackson-databind (Old) and /work/SRC/openSUSE:Factory/.jackson-databind.new.3160 (New) Package is "jackson-databind" Thu Mar 26 23:33:05 2020 rev:4 rq:788433 version:2.10.3 Changes: --- /work/SRC/openSUSE:Factory/jackson-databind/jackson-databind.changes 2020-01-07 23:56:08.840118326 +0100 +++ /work/SRC/openSUSE:Factory/.jackson-databind.new.3160/jackson-databind.changes 2020-03-26 23:33:16.502775059 +0100 @@ -1,0 +2,15 @@ +Thu Mar 26 07:36:52 UTC 2020 - Fridrich Strba + +- Update to 2.10.3 + * #2482: JSONMappingException Location column number is one line +Behind the actual location + * #2599: NoClassDefFoundError at DeserializationContext. on +Android 4.1.2 and Jackson 2.10.0 + * #2602: ByteBufferSerializer produces unexpected results with a +duplicated ByteBuffer and a position > 0 + * #2605: Failure to deserialize polymorphic subtypes of base +type Enum + * #2610: EXTERNAL_PROPERTY doesn't work with +@JsonIgnoreProperties + +--- Old: jackson-databind-2.10.2.tar.gz New: jackson-databind-2.10.3.tar.gz Other differences: -- ++ jackson-databind.spec ++ --- /var/tmp/diff_new_pack.lBA6xo/_old 2020-03-26 23:33:17.102775276 +0100 +++ /var/tmp/diff_new_pack.lBA6xo/_new 2020-03-26 23:33:17.106775277 +0100 @@ -17,7 +17,7 @@ Name: jackson-databind -Version:2.10.2 +Version:2.10.3 Release:0 Summary:General data-binding package for Jackson (2.x) License:Apache-2.0 AND LGPL-2.1-or-later ++ jackson-databind-2.10.2.tar.gz -> jackson-databind-2.10.3.tar.gz ++ 2280 lines of diff (skipped)
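Review bot: In the jackson-databind.changes hunk, the wrapped continuation lines ("+Behind the actual location", "+Android 4.1.2 and Jackson 2.10.0", "+type Enum" and the others) start in column 0, so they read as separate entries rather than as the rest of the bullet above, and "Behind" picks up a capital mid-sentence. Indent them to line up with the text after "* #NNNN:", or keep each item on one line. The #2599 item also reads "DeserializationContext. on", which looks as if a word was lost before "on"; check it against the upstream release notes.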
commit jackson-databind for openSUSE:Factory
Hello community, here is the log from the commit of package jackson-databind for openSUSE:Factory checked in at 2020-01-07 23:55:31 Comparing /work/SRC/openSUSE:Factory/jackson-databind (Old) and /work/SRC/openSUSE:Factory/.jackson-databind.new.6675 (New) Package is "jackson-databind" Tue Jan 7 23:55:31 2020 rev:3 rq:761587 version:2.10.2 Changes: --- /work/SRC/openSUSE:Factory/jackson-databind/jackson-databind.changes 2019-11-24 00:43:25.711288734 +0100 +++ /work/SRC/openSUSE:Factory/.jackson-databind.new.6675/jackson-databind.changes 2020-01-07 23:56:08.840118326 +0100 @@ -1,0 +2,17 @@ +Tue Jan 7 10:41:52 UTC 2020 - Pedro Monreal Gonzalez + +- Update to 2.10.2 [bsc#1160113, CVE-2019-20330] +#2101: `FAIL_ON_NULL_FOR_PRIMITIVES` failure does not indicate field name in exception message +#2544: java.lang.NoClassDefFoundError Thrown for compact profile1 +#2553: JsonDeserialize(contentAs=...) broken with raw collections +#2556: Contention in `TypeNameIdResolver.idFromClass()` +#2560: Check `WRAP_EXCEPTIONS` in `CollectionDeserializer.handleNonArray()` +#2564: Fix `IllegalArgumentException` on empty input collection for `ArrayBlockingQueue` +#2566: `MissingNode.toString()` returns `null` (4 character token) instead of empty string +#2567: Incorrect target type for arrays when providing nulls and nulls are disabled +#2573: Problem with `JsonInclude` config overrides for `java.util.Map` +#2576: Fail to serialize `Enum` instance which includes a method override + as POJO (shape = Shape.OBJECT) +Fix an issue with `ObjectReader.with(JsonParser.Feature)` (and related) not working + +--- Old: jackson-databind-2.10.1.tar.gz New: jackson-databind-2.10.2.tar.gz Other differences: -- ++ jackson-databind.spec ++ --- /var/tmp/diff_new_pack.oAdI1Q/_old 2020-01-07 23:56:10.340119105 +0100 +++ /var/tmp/diff_new_pack.oAdI1Q/_new 2020-01-07 23:56:10.348119109 +0100 
@@ -1,7 +1,7 @@ # # spec file for package jackson-databind # -# Copyright (c) 2019 SUSE LLC. +# Copyright (c) 2020 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -17,7 +17,7 @@ Name: jackson-databind -Version:2.10.1 +Version:2.10.2 Release:0 Summary:General data-binding package for Jackson (2.x) License:Apache-2.0 AND LGPL-2.1-or-later ++ jackson-databind-2.10.1.tar.gz -> jackson-databind-2.10.2.tar.gz ++ 2189 lines of diff (skipped)
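Review bot: The first line of the jackson-databind.changes entry cites bsc#1160113 and CVE-2019-20330, but none of the items listed under it (#2101 through #2576 and the unnumbered `ObjectReader.with(JsonParser.Feature)` fix) says which change addresses the CVE. Add an item that names the upstream fix, so the security reference can be audited from the changelog alone instead of from the 2189 skipped lines of tarball diff.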
commit jackson-databind for openSUSE:Factory
Hello community, here is the log from the commit of package jackson-databind for openSUSE:Factory checked in at 2019-11-24 00:43:24 Comparing /work/SRC/openSUSE:Factory/jackson-databind (Old) and /work/SRC/openSUSE:Factory/.jackson-databind.new.26869 (New) Package is "jackson-databind" Sun Nov 24 00:43:24 2019 rev:2 rq:750406 version:2.10.1 Changes: --- /work/SRC/openSUSE:Factory/jackson-databind/jackson-databind.changes 2019-10-31 18:13:45.765917028 +0100 +++ /work/SRC/openSUSE:Factory/.jackson-databind.new.26869/jackson-databind.changes 2019-11-24 00:43:25.711288734 +0100 
@@ -1,0 +2,197 @@ +Tue Nov 19 15:24:49 UTC 2019 - Pedro Monreal Gonzalez + +- Update to 2.10.1 [bsc#1157186, CVE-2019-14893] + * 2.10.1 (09-Nov-2019) +#2457: Extended enum values are not handled as enums when used as Map keys +#2473: Array index missing in path of 'JsonMappingException' for 'Collection', + with custom deserializer +#2475: 'StringCollectionSerializer' calls 'JsonGenerator.setCurrentValue(value)', + which messes up current value for sibling properties +#2485: Add 'uses' for 'Module' in module-info +#2513: BigDecimalAsStringSerializer in NumberSerializer throws IllegalStateException in 2.10 +#2519: Serializing 'BigDecimal' values inside containers ignores shape override +#2520: Sub-optimal exception message when failing to deserialize non-static inner classes +#2529: Add tests to ensure 'EnumSet' and 'EnumMap' work correctly with "null-as-empty" +#2534: Add 'BasicPolymorphicTypeValidator.Builder.allowIfSubTypeIsArray()' +#2535: Allow String-to-byte[] coercion for String-value collections + * 2.10.0 (26-Sep-2019) +#18: Make 'JsonNode' serializable +#1093: Default typing does not work with 'writerFor(Object.class)' +#1675: Remove "impossible" 'IOException' in 'readTree()' and 'readValue()' 'ObjectMapper' + methods which accept Strings +#1954: Add Builder pattern for creating configured 'ObjectMapper' instances +#1995: Limit size of 'DeserializerCache', auto-flush on exceeding +#2059: Remove 'final' modifier for 'TypeFactory' +#2077: 'JsonTypeInfo' with a subtype having 'JsonFormat.Shape.ARRAY' and + no fields generates '{}' not '[]' +#2115: Support naive deserialization of 'Serializable' values as "untyped", same + as 'java.lang.Object' +#2116: Make NumberSerializers.Base public and its inherited classes not final +#2126: 'DeserializationContext.instantiationException()' throws 'InvalidDefinitionException' +#2129: Add 'SerializationFeature.WRITE_ENUM_KEYS_USING_INDEX', separate from value setting +#2133: Improve 
'DeserializationProblemHandler.handleUnexpectedToken()' to allow handling of + Collection problems +#2149: Add 'MapperFeature.ACCEPT_CASE_INSENSITIVE_VALUES' +#2153: Add 'JsonMapper' to replace generic 'ObjectMapper' usage +#2164: 'FactoryBasedEnumDeserializer' does not respect + 'DeserializationFeature.WRAP_EXCEPTIONS' +#2187: Make 'JsonNode.toString()' use shared 'ObjectMapper' to produce valid json +#2189: 'TreeTraversingParser' does not check int bounds +#2195: Add abstraction 'PolymorphicTypeValidator', for limiting subtypes allowed by + default typing, '@JsonTypeInfo' +#2196: Type safety for 'readValue()' with 'TypeReference' +#2204: Add 'JsonNode.isEmpty()' as convenience alias +#2211: Change of behavior (2.8 -> 2.9) with 'ObjectMapper.readTree(input)' with no content +#2217: Suboptimal memory allocation in 'TextNode.getBinaryValue()' +#2220: Force serialization always for 'convertValue()'; avoid short-cuts +#2223: Add 'missingNode()' method in 'JsonNodeFactory' +#2227: Minor cleanup of exception message for 'Enum' binding failure +#2230: 'WRITE_BIGDECIMAL_AS_PLAIN' is ignored if '@JsonFormat' is used +#2236: Type id not provided on 'Double.NaN', 'Infinity' with '@JsonTypeInfo' +#2237: Add "required" methods in 'JsonNode': 'required(String | int)', + 'requiredAt(JsonPointer)' +#2241: Add 'PropertyNamingStrategy.LOWER_DOT_CASE' for dot-delimited names +#2251: Getter that returns an abstract collection breaks a delegating '@JsonCreator' +#2265: Inconsistent handling of Collections$UnmodifiableList vs + Collections$UnmodifiableRandomAccessListq +#2273: Add basic Java 9+ module info +#2280: JsonMerge not work with constructor args +#2309: READ_ENUMS_USING_TO_STRING doesn't support null values +#2311: Unnecessary MultiView creation for property writers +#2331: 'JsonMappingException' through nested getter with generic wildcard return type +#2336: 'MapDeserializer' can not merge 'Map's with polymorphic values +#2338: Suboptimal
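Review bot: In the 2.10.0 block of the jackson-databind.changes hunk, item #2265 ends with "Collections$UnmodifiableRandomAccessListq"; the trailing "q" looks like a typo for "Collections$UnmodifiableRandomAccessList" and should be dropped before the entry is merged.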
commit jackson-databind for openSUSE:Factory
Hello community, here is the log from the commit of package jackson-databind for openSUSE:Factory checked in at 2019-10-31 18:13:40 Comparing /work/SRC/openSUSE:Factory/jackson-databind (Old) and /work/SRC/openSUSE:Factory/.jackson-databind.new.2990 (New) Package is "jackson-databind" Thu Oct 31 18:13:40 2019 rev:1 rq:734362 version:2.9.4 Changes: New Changes file: --- /dev/null 2019-10-24 10:19:07.066239389 +0200 +++ /work/SRC/openSUSE:Factory/.jackson-databind.new.2990/jackson-databind.changes 2019-10-31 18:13:45.765917028 +0100 
@@ -0,0 +1,4 @@ +--- +Tue Oct 1 13:59:49 UTC 2019 - Fridrich Strba + +- Initial packaging of jackson-databind 2.9.4 New: CVE-2018-7489.patch jackson-databind-2.9.4.tar.gz jackson-databind.changes jackson-databind.spec Other differences: -- ++ jackson-databind.spec ++ # # spec file for package jackson-databind # # Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed # upon. The license for this file, and modifications and additions to the # file, is the same license as for the pristine package itself (unless the # license for the pristine package is not an Open Source License, in which # case the license is the MIT License). An "Open Source License" is a # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. # Please submit bugfixes or comments via https://bugs.opensuse.org/ # Name: jackson-databind Version:2.9.4 Release:0 Summary:General data-binding package for Jackson (2.x) License:Apache-2.0 AND LGPL-2.1-or-later URL:https://github.com/FasterXML/jackson-databind/ Source0: https://github.com/FasterXML/jackson-databind/archive/%{name}-%{version}.tar.gz # Taken from https://github.com/FasterXML/jackson-databind/commit/6799f8f10cc78e9af6d443ed6982d00a13f2e7d2 Patch0: CVE-2018-7489.patch BuildRequires: fdupes BuildRequires: maven-local BuildRequires: mvn(com.fasterxml.jackson.core:jackson-annotations) >= %{version} BuildRequires: mvn(com.fasterxml.jackson.core:jackson-core) >= %{version} BuildRequires: mvn(com.fasterxml.jackson:jackson-base:pom:) >= %{version} BuildRequires: mvn(com.google.code.maven-replacer-plugin:replacer) BuildRequires: mvn(org.apache.bcel:bcel) BuildRequires: mvn(org.apache.felix:maven-bundle-plugin) BuildArch: noarch %description The general-purpose data-binding functionality and tree-model for Jackson Data Processor. 
It builds on core streaming parser/generator package, and uses Jackson Annotations for configuration. %package javadoc Summary:Javadoc for %{name} %description javadoc This package contains API documentation for %{name}. %prep %setup -q -n %{name}-%{name}-%{version} %patch0 -p1 # Remove plugins unnecessary for RPM builds %pom_remove_plugin ":maven-enforcer-plugin" cp -p src/main/resources/META-INF/LICENSE . cp -p src/main/resources/META-INF/NOTICE . sed -i 's/\r//' LICENSE NOTICE # The package com.sun.org.apache.bcel.internal.util is not present in latest OpenJDK %pom_add_dep org.apache.bcel:bcel sed -i 's/com\.sun\.org\.apache\.bcel\.internal\.util/org\.apache\.bcel\.util/g' \ src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java \ src/test/java/com/fasterxml/jackson/databind/interop/IllegalTypesCheckTest.java %{mvn_file} : %{name} %build %{mvn_build} -f -- -Dsource=7 %install %mvn_install %fdupes -s %{buildroot}%{_javadocdir} %files -f .mfiles %doc README.md release-notes/* %license LICENSE NOTICE %files javadoc -f .mfiles-javadoc %license LICENSE NOTICE %changelog ++ CVE-2018-7489.patch ++ diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java index 164ab3454..bdd3b2f4e 100644 --- a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java +++ b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java @@ -19,7 +19,10 @@ import com.fasterxml.jackson.databind.JsonMappingException; */ public class SubTypeValidator { -protected final static String PREFIX_STRING = "org.springframework."; +protected final static String PREFIX_SPRING = "org.springframework."; + +protected final static String PREFIX_C3P0 = "com.mchange.v2.c3p0."; + /** * Set of well-known "nasty classes", deserialization of which is considered dangerous * and should (and is)
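Review bot: In the %prep section of jackson-databind.spec, the sed that rewrites com.sun.org.apache.bcel.internal.util to org.apache.bcel.util is applied to SubTypeValidator.java, the file whose javadoc in the patch below describes a set of well-known "nasty classes". If the match in that file is an entry in that set rather than an import, the substitution replaces the JDK-internal class name with the Apache BCEL one instead of blocking both, so a runtime that still ships the com.sun package would no longer have it rejected. Confirm what the sed actually matches there, and if it is a string entry, add the org.apache.bcel name alongside the original rather than in place of it.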
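Review bot: In the CVE-2018-7489.patch hunk for SubTypeValidator.java, the rename of the protected constant PREFIX_STRING to PREFIX_SPRING changes a name that subclasses can reference, and here it is carried as a backport on top of 2.9.4. Check that nothing else built against this package still refers to PREFIX_STRING, and mention the rename in the .changes entry, which currently lists only "Initial packaging of jackson-databind 2.9.4" and does not mention the patch at all.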