From dd4c5acb321a6aa9ca230aa505266fb2dd2f90ff Mon Sep 17 00:00:00 2001
From: Tatu Saloranta
Date: Tue, 23 Jul 2019 20:35:51 -0700
Subject: [PATCH 1/6] Bacport #2331 in 2.9 (for 2.9.10)

---
 release-notes/VERSION-2.x | 1 +
 .../jackson/databind/type/ResolvedRecursiveType.java | 6 ++++++
 2 files changed, 7 insertions(+)

diff --git a/release-notes/VERSION-2.x b/release-notes/VERSION-2.x
index 17669bdada..f20c97f0ba 100644
--- a/release-notes/VERSION-2.x
+++ b/release-notes/VERSION-2.x
@@ -6,6 +6,7 @@ Project: jackson-databind
 2.9.9.1 (03-Jul-2019)
+#2331: `JsonMappingException` through nested getter with generic wildcard return type
 #2334: Block one more gadget type (CVE-2019-12384)
 #2341: Block one more gadget type (CVE-2019-12814)
 #2374: `ObjectMapper. getRegisteredModuleIds()` throws NPE if no modules registered
diff --git a/src/main/java/com/fasterxml/jackson/databind/type/ResolvedRecursiveType.java b/src/main/java/com/fasterxml/jackson/databind/type/ResolvedRecursiveType.java
index d45e1d6fa6..7a697442fc 100644
--- a/src/main/java/com/fasterxml/jackson/databind/type/ResolvedRecursiveType.java
+++ b/src/main/java/com/fasterxml/jackson/databind/type/ResolvedRecursiveType.java
@@ -36,6 +36,12 @@ public JavaType getSuperClass() {
 public JavaType getSelfReferencedType() {
 return _referencedType;
 }
+ // 23-Jul-2019, tatu: [databind#2331] Need to also delegate this...
+ @Override
+ public TypeBindings getBindings() {
+ return _referencedType.getBindings();
+ }
+
 @Override
 public StringBuilder getGenericSignature(StringBuilder sb) {
 return _referencedType.getGenericSignature(sb);

From 322ae225cbcd07178a634e548d991b0aec6b47bf Mon Sep 17 00:00:00 2001
From: Tatu Saloranta
Date: Thu, 25 Jul 2019 21:57:14 -0700
Subject: [PATCH 2/6] Prepare for 2.7.9.6 micro-patch

---
 release-notes/VERSION | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/release-notes/VERSION b/release-notes/VERSION
index f31547b680..421a229ad5 100644
--- a/release-notes/VERSION
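Review bot: The new `getBindings()` dereferences `_referencedType` with no null check, and since this placeholder type hands that field out through `getSelfReferencedType()` and delegates to it elsewhere, it is plausibly assigned after construction; a call that reaches this override before the reference is set would surface as a `NullPointerException` rather than a type-resolution failure. A guard that falls back to the inherited bindings keeps the fix while closing that window: `if (_referencedType == null) { return super.getBindings(); }` placed before `return _referencedType.getBindings();`. The dated `// 23-Jul-2019, tatu: ...` comment says only that delegation is needed; a one-line Javadoc stating that bindings must be taken from the referenced type so that generic wildcard return types resolve through the recursive placeholder (the `[databind#2331]` case) would record the why. Whether `_referencedType` can be null at call time is inferred rather than visible in this hunk, and the class body continues outside it.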
+++ b/release-notes/VERSION
@@ -4,12 +4,14 @@ Project: jackson-databind
 === Releases ===
 ------------------------------------------------------------------------
-Not yet released
+2.7.9.6 (26-Jul-2019)
 #2326: Block class for CVE-2019-12086 (contributed by MaximilianTews@github)
 #2334: Block class for CVE-2019-12384
 #2341: Block class for CVE-2019-12814
+#2387: Block yet another deserialization gadget (EHCache, CVE-2019-xxxxx?)
+#2389: Block yet another deserialization gadget (Logback, CVE-2019-xxxxx?)
 2.7.9.5 (23-Nov-2018)

From ad418eeb974e357f2797aef64aa0e3ffaaa6125b Mon Sep 17 00:00:00 2001
From: Tatu Saloranta
Date: Thu, 25 Jul 2019 21:58:11 -0700
Subject: [PATCH 3/6] Backport #2387, #2389 fixes

---
 .../jackson/databind/jsontype/impl/SubTypeValidator.java | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
index c4d7f38272..fa7ff2368b 100644
--- a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+++ b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
@@ -89,6 +89,12 @@ public class SubTypeValidator
 s.add("org.jdom.transform.XSLTransformer");
 s.add("org.jdom2.transform.XSLTransformer");
+ // [databind#2387]: EHCache
+ s.add("net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup");
+
+ // [databind#2389]: logback/jndi
+ s.add("ch.qos.logback.core.db.JNDIConnectionSource");
+
 DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
 }

From 97986cb157d9d1da1256b24ea01b6c9f03b736dd Mon Sep 17 00:00:00 2001
From: Tatu Saloranta
Date: Thu, 25 Jul 2019 22:00:07 -0700
Subject: [PATCH 4/6] [maven-release-plugin] prepare release jackson-databind-2.7.9.6

---
 pom.xml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/pom.xml b/pom.xml
index 4117e5aede..9e70dc3970 100644
--- a/pom.xml
+++ b/pom.xml
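Review bot: The two new entries cite only `[databind#2387]` and `[databind#2389]`, while the changelog in this same series records them as `CVE-2019-xxxxx?`, so neither the code nor the release notes lets a reader trace a blocked class to its advisory; once the ids are assigned, extend the comments, e.g. `// [databind#2387]: EHCache DefaultTransactionManagerLookup, CVE-<assigned id>`, and update the release-notes lines to match. It would also help to document at the `DEFAULT_NO_DESER_CLASS_NAMES` declaration that the set is a reactive denylist of known gadget class names rather than a complete defense, so that integrators do not read a longer list as making default typing safe for untrusted input. Whether the lookup is an exact-name membership test or also prefix-based is not visible here, and the static initializer that builds `s` begins outside the hunk.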
@@ -10,7 +10,7 @@
 com.fasterxml.jackson.core
 jackson-databind
- 2.7.9.6-SNAPSHOT
+ 2.7.9.6
 jackson-databind
 bundle
 General data-binding functionality for Jackson: works on core streaming API
@@ -21,7 +21,7 @@
 scm:git:git@github.com:FasterXML/jackson-databind.git
 scm:git:git@github.com:FasterXML/jackson-databind.git
 http://github.com/FasterXML/jackson-databind
- HEAD
+ jackson-databind-2.7.9.6

From f8a63831348eccf8c8bf33f802d391490347e813 Mon Sep 17 00:00:00 2001
From: Tatu Saloranta
Date: Thu, 25 Jul 2019 22:00:16 -0700
Subject: [PATCH 5/6] [maven-release-plugin] prepare for next development iteration

---
 pom.xml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/pom.xml b/pom.xml
index 9e70dc3970..a1ef1a7e30 100644
--- a/pom.xml
+++ b/pom.xml
@@ -10,7 +10,7 @@
 com.fasterxml.jackson.core
 jackson-databind
- 2.7.9.6
+ 2.7.9.7-SNAPSHOT
 jackson-databind
 bundle
 General data-binding functionality for Jackson: works on core streaming API
@@ -21,7 +21,7 @@
 scm:git:git@github.com:FasterXML/jackson-databind.git
 scm:git:git@github.com:FasterXML/jackson-databind.git
 http://github.com/FasterXML/jackson-databind
- jackson-databind-2.7.9.6
+ HEAD

From 68d3aa40791ad0b791cc9a5a25239d5c84d1510f Mon Sep 17 00:00:00 2001
From: Tatu Saloranta
Date: Thu, 25 Jul 2019 22:30:51 -0700
Subject: [PATCH 6/6] ...

---
 release-notes/VERSION | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/release-notes/VERSION b/release-notes/VERSION
index 4adc8fee1b..7a7cbdc0a2 100644
--- a/release-notes/VERSION
+++ b/release-notes/VERSION
@@ -3,11 +3,7 @@ Project: jackson-databind
 === Releases ===
 ------------------------------------------------------------------------
-<<<<<<< HEAD
 2.8.11.4 (not released)
-=======
-2.7.9.6 (26-Jul-2019)
->>>>>>> 2.7
 #2326: Block one more gadget type (CVE-2019-12086)
 #2334: Block class for CVE-2019-12384