debian/changelog

+jackson-core (2.9.8-1) unstable; urgency=medium
+
+  * Team upload.
+  * New upstream release
+    - Refreshed the patches
+    - Updated the extra poms installed with the package
+    - Updated the path of the upstream changelog
+  * Standards-Version updated to 4.3.0
+  * Use salsa.debian.org Vcs-* URLs
+
+ -- Emmanuel Bourg <ebourg@apache.org>  Fri, 28 Dec 2018 23:57:46 +0100
+
 jackson-core (2.9.4-1) unstable; urgency=medium
 
   * Team upload.

debian/control

@@ -16,9 +16,9 @@ Build-Depends-Indep:
  libmaven-enforcer-plugin-java,
  libmaven-javadoc-plugin-java,
  libreplacer-java
-Standards-Version: 4.1.3
-Vcs-Git: https://anonscm.debian.org/git/pkg-java/jackson-core.git
-Vcs-Browser: https://anonscm.debian.org/cgit/pkg-java/jackson-core.git
+Standards-Version: 4.3.0
+Vcs-Git: https://salsa.debian.org/java-team/jackson-core.git
+Vcs-Browser: https://salsa.debian.org/java-team/jackson-core
 Homepage: http://wiki.fasterxml.com/JacksonHome
 
 Package: libjackson2-core-java

debian/jackson-base-2.9.4.pom → debian/jackson-base-2.9.8.pom

@@ -4,7 +4,7 @@
   <parent>
     <groupId>com.fasterxml.jackson</groupId>
     <artifactId>jackson-bom</artifactId>
-    <version>2.9.4</version>
+    <version>2.9.8</version>
   </parent>
   <artifactId>jackson-base</artifactId>
   <packaging>pom</packaging>
@@ -18,12 +18,6 @@ of Jackson: application code should only rely on `jackson-bom`
         (but some core components require override)
       -->
     <jdk.module.name>${packageVersion.package}</jdk.module.name>
-
-    <!-- 27-Sep-2017, tatu: Until update of parent poms (at least), need to
-           ensure newer versions of certain plugins
-      -->
-    <version.plugin.javadoc>3.0.0-M1</version.plugin.javadoc>
-
   </properties>
 
   <dependencies>
@@ -34,16 +28,26 @@ of Jackson: application code should only rely on `jackson-bom`
     </dependency>
   </dependencies>
 
+    <dependencyManagement>
+        <dependencies>
+            <!-- JPMS Libraries-->
+            <dependency>
+                <groupId>javax.activation</groupId>
+                <artifactId>javax.activation-api</artifactId>
+                <version>${javax.activation.version}</version>
+            </dependency>
+        </dependencies>
+
+    </dependencyManagement>
+
     <build>
     <pluginManagement>
       <plugins>
-
         <!-- Verify existence of certain settings
           -->
         <plugin>
           <groupId>org.apache.maven.plugins</groupId>
           <artifactId>maven-enforcer-plugin</artifactId>
-          <version>3.0.0-M1</version>
           <executions>
             <execution>
               <id>enforce-java</id>
@@ -57,6 +61,13 @@ of Jackson: application code should only rely on `jackson-bom`
                   <version>[3.0,)</version>
                   <message>[ERROR] The currently supported version of Maven is 3.0 or higher</message>
                 </requireMavenVersion>
+                <requirePluginVersions>
+                  <banLatest>true</banLatest>
+                  <banRelease>true</banRelease>
+                  <banSnapshots>true</banSnapshots>
+                  <phases>clean,deploy,site</phases>
+                  <message>[ERROR] Best Practice is to always define plugin versions!</message>
+                </requirePluginVersions>
 	      </rules>
 	      </configuration>
 	    </execution>
@@ -100,10 +111,11 @@ of Jackson: application code should only rely on `jackson-bom`
 	<plugin>
           <groupId>org.apache.maven.plugins</groupId>
           <artifactId>maven-javadoc-plugin</artifactId>
-          <version>${version.plugin.javadoc}</version>
           <configuration>
 <!-- Disable Java 8 javadoc warnings -->
+<!-- 26-Mar-2018: Not for 2.9... (was left in for 2.9.5, alas)
             <additionalparam>-Xdoclint:none</additionalparam>
+-->
 <!-- ... if on Java 8 -->
 <!-- otherwise just: -->
             <failOnError>false</failOnError>
@@ -123,13 +135,6 @@ of Jackson: application code should only rely on `jackson-bom`
             </execution>
           </executions>
 	</plugin>
-
-	<!-- 08-Aug-2017, tatu: Need newer version of cobertura wrt Java 8+ -->
-	<plugin>
-          <groupId>org.codehaus.mojo</groupId>
-          <artifactId>cobertura-maven-plugin</artifactId>
-          <version>2.7</version>
-	</plugin>
       </plugins>
     </pluginManagement>
 

debian/jackson-bom-2.9.4.pom → debian/jackson-bom-2.9.8.pom

@@ -6,11 +6,11 @@
     <groupId>com.fasterxml.jackson</groupId>
     <artifactId>jackson-parent</artifactId>
     <!-- note: does NOT change for every version of bom -->
-    <version>2.9.1</version>
+    <version>2.9.1.2</version>
   </parent>
 
   <artifactId>jackson-bom</artifactId>
-  <version>2.9.4</version>
+  <version>2.9.8</version>
   <packaging>pom</packaging>
 
   <modules>
@@ -22,11 +22,11 @@
     <connection>scm:git:git@github.com:FasterXML/jackson-bom.git</connection>
     <developerConnection>scm:git:git@github.com:FasterXML/jackson-bom.git</developerConnection>
     <url>http://github.com/FasterXML/jackson-bom</url>
-    <tag>jackson-bom-2.9.4</tag>
+    <tag>jackson-bom-2.9.8</tag>
   </scm>
 
   <properties>
-    <jackson.version>2.9.4</jackson.version>
+    <jackson.version>2.9.8</jackson.version>
 
     <!-- 29-Jul-2017, tatu: With Jackson 2.x we will release full patch-level versions
            of annotations BUT they are all identical, content-wise. Because of this
@@ -47,6 +47,8 @@
     <jackson.version.module>${jackson.version}</jackson.version.module>
     <jackson.version.module.kotlin>${jackson.version.module}</jackson.version.module.kotlin>
     <jackson.version.module.scala>${jackson.version.module}</jackson.version.module.scala>
+    <!-- JPMS Library Updates-->
+    <javax.activation.version>1.2.0</javax.activation.version>
   </properties>
 
   <dependencyManagement>

debian/jackson-parent-2.9.1.pom → debian/jackson-parent-2.9.1.2.pom

@@ -5,12 +5,12 @@
   <parent>
    <groupId>com.fasterxml</groupId>
     <artifactId>oss-parent</artifactId>
-    <version>30</version>
+    <version>34</version>
   </parent>
 
   <groupId>com.fasterxml.jackson</groupId>
   <artifactId>jackson-parent</artifactId>
-  <version>2.9.1</version>
+  <version>2.9.1.2</version>
   <packaging>pom</packaging>
 
   <name>Jackson parent poms</name>
@@ -50,7 +50,7 @@
     <connection>scm:git:git@github.com:FasterXML/jackson-parent.git</connection>
     <developerConnection>scm:git:git@github.com:FasterXML/jackson-parent.git</developerConnection>
     <url>http://github.com/FasterXML/jackson-parent</url>
-    <tag>jackson-parent-2.9.1</tag>
+    <tag>jackson-parent-2.9.1.2</tag>
   </scm>
 
   <properties>
@@ -103,9 +103,6 @@
         <plugin>
          <groupId>org.apache.maven.plugins</groupId>
          <artifactId>maven-enforcer-plugin</artifactId>
-         <!-- 06-Sep-2017, tatu: Need this version for Java 9 builds
-           -->
-         <version>3.0.0-M1</version>
          <executions>
           <execution>
             <id>enforce-java</id>
@@ -123,6 +120,13 @@
                   <version>[3.0,)</version>
                   <message>[ERROR] The currently supported version of Maven is 3.0 or higher</message>
                 </requireMavenVersion>
+                <requirePluginVersions>
+                  <banLatest>true</banLatest>
+                  <banRelease>true</banRelease>
+                  <banSnapshots>true</banSnapshots>
+                  <phases>clean,deploy,site</phases>
+                  <message>[ERROR] Best Practice is to always define plugin versions!</message>
+                </requirePluginVersions>
               </rules>
             </configuration>
           </execution>

debian/oss-parent-31.pom → debian/oss-parent-34.pom

@@ -5,7 +5,7 @@
 
   <groupId>com.fasterxml</groupId>
   <artifactId>oss-parent</artifactId>
-  <version>31</version>
+  <version>34</version>
   <packaging>pom</packaging>
 
   <name>FasterXML.com parent pom</name>
@@ -38,7 +38,7 @@
     <connection>scm:git:git@github.com:FasterXML/oss-parent.git</connection>
     <developerConnection>scm:git:git@github.com:FasterXML/oss-parent.git</developerConnection>
     <url>http://github.com/FasterXML/oss-parent</url>
-    <tag>oss-parent-31</tag>
+    <tag>oss-parent-34</tag>
   </scm>
   <issueManagement>
     <system>GitHub Issue Management</system>
@@ -99,21 +99,41 @@
       -->
     <version.plugin.bundle>3.2.0</version.plugin.bundle>
 
-    <version.plugin.jar>2.5</version.plugin.jar>
-    <version.plugin.javadoc>2.9.1</version.plugin.javadoc>
+    <version.plugin.clean>2.6.1</version.plugin.clean>
+    <version.plugin.cobertura>2.7</version.plugin.cobertura>
 
-    <!-- 2.4.2 had issues in releasing non-snapshot versions -->
-    <version.plugin.release>2.5.3</version.plugin.release>
-    <version.plugin.replacer>1.5.3</version.plugin.replacer>
-    <version.plugin.shade>2.4.3</version.plugin.shade>
+    <!-- 05-Dec-2018, compiler plugin 3.7.0 -> 3.8.0 for v34
+      -->
+    <version.plugin.compiler>3.8.0</version.plugin.compiler>
+    <version.plugin.deploy>2.8.2</version.plugin.deploy>
+
+    <version.plugin.gpg>1.6</version.plugin.gpg>
 
-    <version.plugin.cobertura>2.7</version.plugin.cobertura>
     <!-- 08-Aug-2017, tatu: Enforcer plugin will not work with Java 9
           prior to 3.0.0
       -->
     <version.plugin.enforcer>3.0.0-M1</version.plugin.enforcer>
-    <version.plugin.surefire>2.17</version.plugin.surefire>
-    <version.plugin.compiler>3.2</version.plugin.compiler>
+
+    <version.plugin.install>2.5.2</version.plugin.install>
+    <version.plugin.jar>2.5</version.plugin.jar>
+
+    <!-- 3.0.0-M1 required for Java 9 -->
+    <version.plugin.javadoc>3.0.0-M1</version.plugin.javadoc>
+
+    <!-- 05-Dec-2018, new property for v34, for Java 9+ Modules support -->
+    <version.plugin.moditect>1.0.0.Beta1</version.plugin.moditect>
+
+    <version.plugin.release>2.5.3</version.plugin.release>
+    <version.plugin.replacer>1.5.3</version.plugin.replacer>
+    <version.plugin.resources>2.7</version.plugin.resources>
+    <version.plugin.shade>2.4.3</version.plugin.shade>
+    <version.plugin.site>3.1</version.plugin.site>
+
+    <!-- 2.2 has a bug, revert to 2.1.2 -->
+    <version.plugin.source>2.1.2</version.plugin.source>
+
+    <!-- 05-Dec-2018, 2.17 -> 2.22.0 -->
+    <version.plugin.surefire>2.22.0</version.plugin.surefire>
 
     <!-- other "well-known" lib versions -->
     <version.junit>4.12</version.junit>
@@ -145,34 +165,50 @@
         <plugin>
           <groupId>org.apache.maven.plugins</groupId>
           <artifactId>maven-clean-plugin</artifactId>
-          <version>2.5</version>
+          <version>${version.plugin.clean}</version>
         </plugin>
         <plugin>
           <groupId>org.apache.maven.plugins</groupId>
           <artifactId>maven-deploy-plugin</artifactId>
-          <version>2.7</version>
+          <version>${version.plugin.deploy}</version>
+        </plugin>
+        <plugin>
+          <groupId>org.apache.maven.plugins</groupId>
+          <artifactId>maven-gpg-plugin</artifactId>
+          <version>${version.plugin.gpg}</version>
         </plugin>
         <plugin>
           <groupId>org.apache.maven.plugins</groupId>
           <artifactId>maven-install-plugin</artifactId>
-          <!-- 09-Dec-2016, tatu: 'skip' added in 2.4 (latest now 2.5.2)
-            -->
-          <version>2.4</version>
+          <version>${version.plugin.install}</version>
         </plugin>
         <plugin>
           <groupId>org.apache.maven.plugins</groupId>
           <artifactId>maven-javadoc-plugin</artifactId>
 	  <version>${version.plugin.javadoc}</version>
         </plugin>
+        <!-- 05-Dec-2018, tatu: v34 adds "moditect" plug-in, for Java 9+ Module support -->
+        <plugin>
+          <groupId>org.moditect</groupId>
+          <artifactId>moditect-maven-plugin</artifactId>
+	  <version>${version.plugin.moditect}</version>
+        </plugin>
+
         <plugin>
+          <!-- 26-Mar-2018, tatu: This is a weird component; up to 1.4.1 has
+                  artifact `maven-replacer-plugin`; from 1.5 just `replacer`?!?!
+            -->
           <groupId>com.google.code.maven-replacer-plugin</groupId>
           <artifactId>replacer</artifactId>
+<!--
+          <artifactId>maven-replacer-plugin</artifactId>
+-->
           <version>${version.plugin.replacer}</version>
         </plugin>
         <plugin>
           <groupId>org.apache.maven.plugins</groupId>
           <artifactId>maven-resources-plugin</artifactId>
-          <version>2.6</version>
+          <version>${version.plugin.resources}</version>
         </plugin>
 
         <plugin>
@@ -183,7 +219,7 @@
         <plugin>
           <groupId>org.apache.maven.plugins</groupId>
           <artifactId>maven-site-plugin</artifactId>
-          <version>3.1</version>
+          <version>${version.plugin.site}</version>
         </plugin>
         <plugin>
           <groupId>org.codehaus.mojo</groupId>
@@ -292,6 +328,13 @@
                   <version>[3.0,)</version>
                   <message>[ERROR] The currently supported version of Maven is 3.0 or higher</message>
                 </requireMavenVersion>
+                <requirePluginVersions>
+                  <banLatest>true</banLatest>
+                  <banRelease>true</banRelease>
+                  <banSnapshots>true</banSnapshots>
+                  <phases>clean,deploy,site</phases>
+                  <message>[ERROR] Best Practice is to always define plugin versions!</message>
+                </requirePluginVersions>
               </rules>
             </configuration>
           </execution>
@@ -302,6 +345,16 @@
         <groupId>org.apache.maven.plugins</groupId>
         <artifactId>maven-compiler-plugin</artifactId>
         <version>${version.plugin.compiler}</version>
+        <!-- 05-Dec-2018, tatu: Looks like override needed for some reason
+          (probably for Java 9+ Module support)
+        -->
+        <dependencies>
+          <dependency>
+            <groupId>org.ow2.asm</groupId>
+            <artifactId>asm</artifactId>
+            <version>7.0</version>
+          </dependency>
+        </dependencies>
         <configuration>
           <source>${javac.src.version}</source>
           <target>${javac.target.version}</target>
@@ -506,8 +559,7 @@
           <plugin>
             <groupId>org.apache.maven.plugins</groupId>
             <artifactId>maven-source-plugin</artifactId>
-            <!-- 2.2 has a bug, revert to 2.1.2 -->
-            <version>2.1.2</version>
+            <version>${version.plugin.source}</version>
             <executions>
               <execution>
                 <id>attach-sources</id>
@@ -562,7 +614,6 @@
           <plugin>
             <groupId>org.apache.maven.plugins</groupId>
             <artifactId>maven-gpg-plugin</artifactId>
-            <version>1.4</version>
             <executions>
               <execution>
                 <id>sign-artifacts</id>

debian/patches/junit.patch

@@ -9,11 +9,9 @@ disabling the tests)
  pom.xml | 8 ++++++++
  1 file changed, 8 insertions(+)
 
-diff --git a/pom.xml b/pom.xml
-index 5f3ca2c..ba6bc62 100644
 --- a/pom.xml
 +++ b/pom.xml
-@@ -45,6 +45,14 @@ com.fasterxml.jackson.core.*;version=${project.version}
+@@ -45,6 +45,15 @@
      <jdk.module.name>com.fasterxml.jackson.core</jdk.module.name>
    </properties>
  
@@ -21,10 +19,11 @@ index 5f3ca2c..ba6bc62 100644
 +    <dependency> <!-- all components use junit for testing -->
 +      <groupId>junit</groupId>
 +      <artifactId>junit</artifactId>
++      <version>4.x</version>
 +      <scope>test</scope>
 +    </dependency>
 +  </dependencies>
 +
-   <!-- parent provides junit dep, not repeated here -->
- 
-   <build>
+   <!-- Alas, need to include snapshot reference since otherwise can not find
+        snapshot of parent... -->
+   <repositories>

debian/patches/maven-enforcer.patch

@@ -7,11 +7,9 @@ Maven Enforcer requires at least one valid rule. See also junit.patch.
  pom.xml | 8 ++++++++
  1 file changed, 8 insertions(+)
 
-diff --git a/pom.xml b/pom.xml
-index ba6bc62..e65f760 100644
 --- a/pom.xml
 +++ b/pom.xml
-@@ -65,6 +65,14 @@ com.fasterxml.jackson.core.*;version=${project.version}
+@@ -75,6 +75,14 @@
              <id>enforce-properties</id>
  	        <phase>validate</phase>
              <goals><goal>enforce</goal></goals>

debian/patches/no-bundle.patch

@@ -7,14 +7,12 @@ Package FTBFS otherwise...
  pom.xml | 2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)
 
-diff --git a/pom.xml b/pom.xml
-index a35faa0..5f3ca2c 100644
 --- a/pom.xml
 +++ b/pom.xml
 @@ -11,7 +11,7 @@
    <artifactId>jackson-core</artifactId>
    <name>Jackson-core</name>
-   <version>2.9.4</version>
+   <version>2.9.8</version>
 -  <packaging>bundle</packaging>
 +  <packaging>jar</packaging>
    <description>Core Jackson processing abstractions (aka Streaming API), implementation for JSON</description>

debian/rules

@@ -13,14 +13,14 @@ override_dh_auto_install:
 	dh_auto_install
 
 	# Install the parent poms (used by the other jackson packages)
-	mh_installpom -plibjackson2-core-java --keep-elements=build debian/oss-parent-31.pom
-	mh_installpom -plibjackson2-core-java --keep-elements=build debian/jackson-parent-2.9.1.pom
-	mh_installpom -plibjackson2-core-java --keep-elements=build debian/jackson-bom-2.9.4.pom
-	mh_installpom -plibjackson2-core-java --keep-elements=build debian/jackson-base-2.9.4.pom
+	mh_installpom -plibjackson2-core-java --keep-elements=build debian/oss-parent-34.pom
+	mh_installpom -plibjackson2-core-java --keep-elements=build debian/jackson-parent-2.9.1.2.pom
+	mh_installpom -plibjackson2-core-java --keep-elements=build debian/jackson-bom-2.9.8.pom
+	mh_installpom -plibjackson2-core-java --keep-elements=build debian/jackson-base-2.9.8.pom
 
 override_dh_auto_clean:
 	rm -f $(VERSION_FILE)
 	dh_auto_clean
 
 override_dh_installchangelogs:
-	dh_installchangelogs release-notes/VERSION
+	dh_installchangelogs release-notes/VERSION-2.x

pom.xml

@@ -4,13 +4,13 @@
     <groupId>com.fasterxml.jackson</groupId>
     <!-- For 2.9.2 and beyond, new parent pom; extends jackson-bom -->
     <artifactId>jackson-base</artifactId>
-    <version>2.9.4</version>
+    <version>2.9.8</version>
   </parent>
 
   <groupId>com.fasterxml.jackson.core</groupId>
   <artifactId>jackson-core</artifactId>
   <name>Jackson-core</name>
-  <version>2.9.4</version>
+  <version>2.9.8</version>
   <packaging>bundle</packaging>
   <description>Core Jackson processing abstractions (aka Streaming API), implementation for JSON</description>
   <inceptionYear>2008</inceptionYear>
@@ -20,7 +20,7 @@
     <connection>scm:git:git@github.com:FasterXML/jackson-core.git</connection>
     <developerConnection>scm:git:git@github.com:FasterXML/jackson-core.git</developerConnection>
     <url>http://github.com/FasterXML/jackson-core</url>    
-    <tag>jackson-core-2.9.4</tag>
+    <tag>jackson-core-2.9.8</tag>
   </scm>
 
   <properties>
@@ -45,7 +45,17 @@ com.fasterxml.jackson.core.*;version=${project.version}
     <jdk.module.name>com.fasterxml.jackson.core</jdk.module.name>
   </properties>
 
-  <!-- parent provides junit dep, not repeated here -->
+  <!-- Alas, need to include snapshot reference since otherwise can not find
+       snapshot of parent... -->
+  <repositories>
+    <repository>
+      <id>sonatype-nexus-snapshots</id>
+      <name>Sonatype Nexus Snapshots</name>
+      <url>https://oss.sonatype.org/content/repositories/snapshots</url>
+      <releases><enabled>false</enabled></releases>
+      <snapshots><enabled>true</enabled></snapshots>
+    </repository>
+  </repositories>
 
   <build>
     <plugins>
@@ -74,6 +84,11 @@ com.fasterxml.jackson.core.*;version=${project.version}
           <excludes>
             <exclude>**/failing/**/*.java</exclude>
           </excludes>
+<!-- 13-Apr-2018, tatu: for debugging [core#400]
+          <systemPropertyVariables>
+<com.fasterxml.jackson.core.util.BufferRecyclers.trackReusableBuffers>true</com.fasterxml.jackson.core.util.BufferRecyclers.trackReusableBuffers>
+          </systemPropertyVariables>
+-->
         </configuration>
       </plugin>
       <!-- settings are fine, but needed to trigger execution! -->

release-notes/CREDITS → release-notes/CREDITS-2.x

@@ -145,3 +145,14 @@ Rafal Foltynski (rfoltyns@github)
    (2.9.0)
   * Contributed#208: Make use of `_matchCount` in `FilteringParserDelegate`
    (2.9.0)
+
+Jeroen Borgers (jborgers@github)
+  * Reported, contributed impl for #400: Add mechanism for forcing `BufferRecycler` released
+   (to call on shutdown)
+  (2.9.6)
+
+Doug Roper (htmldoug@github)
+  * Suggested #463: Ensure that `skipChildren()` of non-blocking `JsonParser` will throw
+    exception if not enough input
+  (2.9.6)
+ 

release-notes/VERSION → release-notes/VERSION-2.x

@@ -14,7 +14,34 @@ JSON library.
 === Releases ===
 ------------------------------------------------------------------------
 
-2.9.4 (24-Jan-2017)
+2.9.8 (15-Dec-2018)
+
+#488: Fail earlier on coercions from "too big" `BigInteger` into
+  fixed-size types (`int`, `long`, `short`)
+- Improve exception message for missing Base64 padding (see databind#2183)
+
+2.9.7 (19-Sep-2018)
+
+#476: Problem with `BufferRecycler` via async parser (or when sharing parser
+ across threads)
+#477: Exception while decoding Base64 value with escaped `=` character
+#488: Fail earlier on coercions from "too big" `BigInteger` into
+  fixed-size types (`int`, `long`, `short`)
+
+2.9.6 (12-Jun-2018)
+
+#400: Add mechanism for forcing `BufferRecycler` released (to call on shutdown)
+ (contributed by Jeroen B)
+#460: Failing to link `ObjectCodec` with `JsonFactory` copy constructor
+#463: Ensure that `skipChildren()` of non-blocking `JsonParser` will throw
+   exception if not enough input
+  (requested by Doug R)
+
+2.9.5 (26-Mar-2018)
+
+No changes since 2.9.4
+
+2.9.4 (24-Jan-2018)
 
 #414: Base64 MIME variant does not ignore white space chars as per RFC2045
  (reported by tmoschou@github)
@@ -62,7 +89,7 @@ JSON library.
 #374: Minimal and DefaultPrettyPrinter with configurable separators 
  (contributed by Rafal F)
 
-2.8.11 (not yet released)
+2.8.11 (23-Dec-2017)
 
 #418: ArrayIndexOutOfBoundsException from UTF32Reader.read on invalid input
  (reported, contributed fix for by pfitzsimons-r7@github)
@@ -142,7 +169,23 @@ No changes since 2.8.0
   for `getCurrentToken()` and `getCurrentTokenId()`, respectively. Existing methods
   will likely be deprecated in 2.9.
 
-2.7.10 (not yet released)
+2.7.9.3:
+
+#1872: NullPointerException in SubTypeValidator.validateSubType when
+  validating Spring interface
+#1931: Two more c3p0 gadgets to exploit default typing issue
+
+2.7.9.2 (20-Dec-2017)
+
+#1607: `@JsonIdentityReference` not used when setup on class only
+#1628: Don't print to error stream about failure to load JDK 7 types
+#1680: Blacklist couple more types for deserialization
+#1737: Block more JDK types from polymorphic deserialization
+#1855: Blacklist for more serialization gadgets (dbcp/tomcat, spring)
+
+2.7.9.1 (18-Apr-2017)
+
+#1599: Jackson Deserializer security vulnerability
 
 2.7.9 (04-Feb-2017)
 

src/main/java/com/fasterxml/jackson/core/Base64Variant.java

@@ -593,7 +593,19 @@ public final class Base64Variant
     }
 
     protected void _reportBase64EOF() throws IllegalArgumentException {
-        throw new IllegalArgumentException("Unexpected end-of-String in base64 content");
+        throw new IllegalArgumentException(missingPaddingMessage());
     }
+
+    /**
+     * Helper method that will construct a message to use in exceptions for cases where input ends
+     * prematurely in place where padding would be expected.
+     *
+     * @since 2.10
+     */
+    public String missingPaddingMessage() {
+        return String.format("Unexpected end of base64-encoded String: base64 variant '%s' expects padding (one or more '%c' characters) at the end",
+                getName(), getPaddingChar());
+    }
+
 }
 

src/main/java/com/fasterxml/jackson/core/Base64Variants.java

@@ -68,9 +68,7 @@ public final class Base64Variants
         // Replace plus with hyphen, slash with underscore (and no padding)
         sb.setCharAt(sb.indexOf("+"), '-');
         sb.setCharAt(sb.indexOf("/"), '_');
-        /* And finally, let's not split lines either, wouldn't work too
-         * well with URLs
-         */
+        // And finally, let's not split lines either, wouldn't work too well with URLs
         MODIFIED_FOR_URL = new Base64Variant("MODIFIED-FOR-URL", sb.toString(), false, Base64Variant.PADDING_CHAR_NONE, Integer.MAX_VALUE);
     }
 

src/main/java/com/fasterxml/jackson/core/JsonFactory.java

@@ -286,7 +286,7 @@ public class JsonFactory
      */
     protected JsonFactory(JsonFactory src, ObjectCodec codec)
     {
-        _objectCodec = null;
+        _objectCodec = codec;
         _factoryFeatures = src._factoryFeatures;
         _parserFeatures = src._parserFeatures;
         _generatorFeatures = src._generatorFeatures;
@@ -960,7 +960,7 @@ public class JsonFactory
         // 17-May-2017, tatu: Need to take care not to accidentally create JSON parser
         //   for non-JSON input:
         _requireJSONFactory("Non-blocking source not (yet?) support for this format (%s)");
-        IOContext ctxt = _createContext(null, false);
+        IOContext ctxt = _createNonBlockingContext(null);
         ByteQuadsCanonicalizer can = _byteSymbolCanonicalizer.makeChild(_factoryFeatures);
         return new NonBlockingJsonParser(ctxt, _parserFeatures, can);
     }
@@ -1548,6 +1548,19 @@ public class JsonFactory
         return new IOContext(_getBufferRecycler(), srcRef, resourceManaged);
     }
 
+    /**
+     * Overridable factory method that actually instantiates desired
+     * context object for async (non-blocking) parsing
+     *
+     * @since 2.9.7
+     */
+    protected IOContext _createNonBlockingContext(Object srcRef) {
+        // [jackson-core#476]: disable buffer recycling for 2.9 to avoid concurrency issues;
+        // easiest done by just constructing private "recycler":
+        BufferRecycler recycler = new BufferRecycler();
+        return new IOContext(recycler, srcRef, false);
+    }
+
     /**
      * @since 2.8
      */

src/main/java/com/fasterxml/jackson/core/base/ParserBase.java

@@ -823,7 +823,7 @@ public abstract class ParserBase extends ParserMinimalBase
             }
         } catch (NumberFormatException nex) {
             // Can this ever occur? Due to overflow, maybe?
-            _wrapError("Malformed numeric value '"+_textBuffer.contentsAsString()+"'", nex);
+            _wrapError("Malformed numeric value ("+_longNumberDesc(_textBuffer.contentsAsString())+")", nex);
         }
     }
 
@@ -842,15 +842,32 @@ public abstract class ParserBase extends ParserMinimalBase
                 // Probably faster to construct a String, call parse, than to use BigInteger
                 _numberLong = Long.parseLong(numStr);
                 _numTypesValid = NR_LONG;
+            } else {
+                // 16-Oct-2018, tatu: Need to catch "too big" early due to [jackson-core#488]
+                if ((expType == NR_INT) || (expType == NR_LONG)) {
+                    _reportTooLongInt(expType, numStr);
+                }
+                if ((expType == NR_DOUBLE) || (expType == NR_FLOAT)) {
+                    _numberDouble = NumberInput.parseDouble(numStr);
+                    _numTypesValid = NR_DOUBLE;
                 } else {
                     // nope, need the heavy guns... (rare case)
                     _numberBigInt = new BigInteger(numStr);
                     _numTypesValid = NR_BIGINT;
                 }
+            }
         } catch (NumberFormatException nex) {
             // Can this ever occur? Due to overflow, maybe?
-            _wrapError("Malformed numeric value '"+numStr+"'", nex);
+            _wrapError("Malformed numeric value ("+_longNumberDesc(numStr)+")", nex);
+        }
     }
+
+    // @since 2.9.8
+    protected void _reportTooLongInt(int expType, String rawNum) throws IOException
+    {
+        final String numDesc = _longIntegerDesc(rawNum);
+        _reportError("Numeric value (%s) out of range of %s", numDesc,
+                (expType == NR_LONG) ? "long" : "int");
     }
 
     /*
@@ -1029,8 +1046,10 @@ public abstract class ParserBase extends ParserMinimalBase
         // otherwise try to find actual triplet value
         int bits = b64variant.decodeBase64Char(unescaped);
         if (bits < 0) {
+            if (bits != Base64Variant.BASE64_VALUE_PADDING) {
                 throw reportInvalidBase64Char(b64variant, unescaped, index);
             }
+        }
         return bits;
     }
     
@@ -1049,8 +1068,11 @@ public abstract class ParserBase extends ParserMinimalBase
         // otherwise try to find actual triplet value
         int bits = b64variant.decodeBase64Char(unescaped);
         if (bits < 0) {
+            // second check since padding can only be 3rd or 4th byte (index #2 or #3)
+            if ((bits != Base64Variant.BASE64_VALUE_PADDING) || (index < 2)) {
                 throw reportInvalidBase64Char(b64variant, unescaped, index);
             }
+        }
         return bits;
     }
     
@@ -1081,6 +1103,12 @@ public abstract class ParserBase extends ParserMinimalBase
         return new IllegalArgumentException(base);
     }
 
+    // since 2.9.8
+    protected void _handleBase64MissingPadding(Base64Variant b64variant) throws IOException
+    {
+        _reportError(b64variant.missingPaddingMessage());
+    }
+
     /*
     /**********************************************************
     /* Internal/package methods: other

src/main/java/com/fasterxml/jackson/core/base/ParserMinimalBase.java

@@ -249,6 +249,12 @@ public abstract class ParserMinimalBase extends JsonParser
                 if (--open == 0) {
                     return this;
                 }
+                // 23-May-2018, tatu: [core#463] Need to consider non-blocking case...
+            } else if (t == JsonToken.NOT_AVAILABLE) {
+                // Nothing much we can do except to either return `null` (which seems wrong),
+                // or, what we actually do, signal error
+                _reportError("Not enough content available for `skipChildren()`: non-blocking parser? (%s)",
+                            getClass().getName());
             }
         }
     }
@@ -541,12 +547,36 @@ public abstract class ParserMinimalBase extends JsonParser
 
     protected void reportOverflowInt() throws IOException {
         _reportError(String.format("Numeric value (%s) out of range of int (%d - %s)",
-                getText(), Integer.MIN_VALUE, Integer.MAX_VALUE));
+                _longIntegerDesc(getText()), Integer.MIN_VALUE, Integer.MAX_VALUE));
     }
 
     protected void reportOverflowLong() throws IOException {
         _reportError(String.format("Numeric value (%s) out of range of long (%d - %s)",
-                getText(), Long.MIN_VALUE, Long.MAX_VALUE));
+                _longIntegerDesc(getText()), Long.MIN_VALUE, Long.MAX_VALUE));
+    }
+
+    // @since 2.9.8
+    protected String _longIntegerDesc(String rawNum) {
+        int rawLen = rawNum.length();
+        if (rawLen < 1000) {
+            return rawNum;
+        }
+        if (rawNum.startsWith("-")) {
+            rawLen -= 1;
+        }
+        return String.format("[Integer with %d digits]", rawLen);
+    }
+
+    // @since 2.9.8
+    protected String _longNumberDesc(String rawNum) {
+        int rawLen = rawNum.length();
+        if (rawLen < 1000) {
+            return rawNum;
+        }
+        if (rawNum.startsWith("-")) {
+            rawLen -= 1;
+        }
+        return String.format("[number with %d characters]", rawLen);
     }
 
     protected void _reportUnexpectedChar(int ch, String comment) throws JsonParseException

src/main/java/com/fasterxml/jackson/core/json/ReaderBasedJsonParser.java

@@ -549,9 +549,13 @@ public class ReaderBasedJsonParser // final in 2.3, earlier
             if (bits < 0) {
                 if (bits != Base64Variant.BASE64_VALUE_PADDING) {
                     // as per [JACKSON-631], could also just be 'missing'  padding
-                    if (ch == '"' && !b64variant.usesPadding()) {
+                    if (ch == '"') {
                         decodedData >>= 4;
                         buffer[outputPtr++] = (byte) decodedData;
+                        if (b64variant.usesPadding()) {
+                            --_inputPtr; // to keep parser state bit more consistent
+                            _handleBase64MissingPadding(b64variant);
+                        }
                         break;
                     }
                     bits = _decodeBase64Escape(b64variant, ch, 2);
@@ -563,8 +567,10 @@ public class ReaderBasedJsonParser // final in 2.3, earlier
                     }
                     ch = _inputBuffer[_inputPtr++];
                     if (!b64variant.usesPaddingChar(ch)) {
+                        if (_decodeBase64Escape(b64variant, ch, 3) != Base64Variant.BASE64_VALUE_PADDING) {
                             throw reportInvalidBase64Char(b64variant, ch, 3, "expected padding character '"+b64variant.getPaddingChar()+"'");
                         }
+                    }
                     // Got 12 bits, only need 8, need to shift
                     decodedData >>= 4;
                     buffer[outputPtr++] = (byte) decodedData;
@@ -582,10 +588,14 @@ public class ReaderBasedJsonParser // final in 2.3, earlier
             if (bits < 0) {
                 if (bits != Base64Variant.BASE64_VALUE_PADDING) {
                     // as per [JACKSON-631], could also just be 'missing'  padding
-                    if (ch == '"' && !b64variant.usesPadding()) {
+                    if (ch == '"') {
                         decodedData >>= 2;
                         buffer[outputPtr++] = (byte) (decodedData >> 8);
                         buffer[outputPtr++] = (byte) decodedData;
+                        if (b64variant.usesPadding()) {
+                            --_inputPtr; // to keep parser state bit more consistent
+                            _handleBase64MissingPadding(b64variant);
+                        }
                         break;
                     }
                     bits = _decodeBase64Escape(b64variant, ch, 3);
@@ -2008,9 +2018,7 @@ public class ReaderBasedJsonParser // final in 2.3, earlier
             } while (ptr < inputLen);
         }
 
-        /* Either ran out of input, or bumped into an escape
-         * sequence...
-         */
+        // Either ran out of input, or bumped into an escape sequence...
         _textBuffer.resetWithCopy(_inputBuffer, _inputPtr, (ptr-_inputPtr));
         _inputPtr = ptr;
         _finishString2();
@@ -2700,9 +2708,13 @@ public class ReaderBasedJsonParser // final in 2.3, earlier
             if (bits < 0) {
                 if (bits != Base64Variant.BASE64_VALUE_PADDING) {
                     // as per [JACKSON-631], could also just be 'missing'  padding
-                    if (ch == '"' && !b64variant.usesPadding()) {
+                    if (ch == '"') {
                         decodedData >>= 4;
                         builder.append(decodedData);
+                        if (b64variant.usesPadding()) {
+                            --_inputPtr; // to keep parser state bit more consistent
+                            _handleBase64MissingPadding(b64variant);
+                        }
                         return builder.toByteArray();
                     }
                     bits = _decodeBase64Escape(b64variant, ch, 2);
@@ -2714,8 +2726,10 @@ public class ReaderBasedJsonParser // final in 2.3, earlier
                     }
                     ch = _inputBuffer[_inputPtr++];
                     if (!b64variant.usesPaddingChar(ch)) {
+                        if (_decodeBase64Escape(b64variant, ch, 3) != Base64Variant.BASE64_VALUE_PADDING) {
                             throw reportInvalidBase64Char(b64variant, ch, 3, "expected padding character '"+b64variant.getPaddingChar()+"'");
                         }
+                    }
                     // Got 12 bits, only need 8, need to shift
                     decodedData >>= 4;
                     builder.append(decodedData);
@@ -2734,9 +2748,13 @@ public class ReaderBasedJsonParser // final in 2.3, earlier
             if (bits < 0) {
                 if (bits != Base64Variant.BASE64_VALUE_PADDING) {
                     // as per [JACKSON-631], could also just be 'missing'  padding
-                    if (ch == '"' && !b64variant.usesPadding()) {
+                    if (ch == '"') {
                         decodedData >>= 2;
                         builder.appendTwoBytes(decodedData);
+                        if (b64variant.usesPadding()) {
+                            --_inputPtr; // to keep parser state bit more consistent
+                            _handleBase64MissingPadding(b64variant);
+                        }
                         return builder.toByteArray();
                     }
                     bits = _decodeBase64Escape(b64variant, ch, 3);

src/main/java/com/fasterxml/jackson/core/json/UTF8DataInputJsonParser.java

@@ -481,9 +481,12 @@ public class UTF8DataInputJsonParser
             if (bits < 0) {
                 if (bits != Base64Variant.BASE64_VALUE_PADDING) {
                     // could also just be 'missing'  padding
-                    if (ch == '"' && !b64variant.usesPadding()) {
+                    if (ch == INT_QUOTE) {
                         decodedData >>= 4;
                         buffer[outputPtr++] = (byte) decodedData;
+                        if (b64variant.usesPadding()) {
+                            _handleBase64MissingPadding(b64variant);
+                        }
                         break;
                     }
                     bits = _decodeBase64Escape(b64variant, ch, 2);
@@ -492,8 +495,11 @@ public class UTF8DataInputJsonParser
                     // Ok, must get padding
                     ch = _inputData.readUnsignedByte();
                     if (!b64variant.usesPaddingChar(ch)) {
+                        if ((ch != INT_BACKSLASH)
+                                || _decodeBase64Escape(b64variant, ch, 3) != Base64Variant.BASE64_VALUE_PADDING) {
                             throw reportInvalidBase64Char(b64variant, ch, 3, "expected padding character '"+b64variant.getPaddingChar()+"'");
                         }
+                    }
                     // Got 12 bits, only need 8, need to shift
                     decodedData >>= 4;
                     buffer[outputPtr++] = (byte) decodedData;
@@ -508,10 +514,13 @@ public class UTF8DataInputJsonParser
             if (bits < 0) {
                 if (bits != Base64Variant.BASE64_VALUE_PADDING) {
                     // could also just be 'missing'  padding
-                    if (ch == '"' && !b64variant.usesPadding()) {
+                    if (ch == INT_QUOTE) {
                         decodedData >>= 2;
                         buffer[outputPtr++] = (byte) (decodedData >> 8);
                         buffer[outputPtr++] = (byte) decodedData;
+                        if (b64variant.usesPadding()) {
+                            _handleBase64MissingPadding(b64variant);
+                        }
                         break;
                     }
                     bits = _decodeBase64Escape(b64variant, ch, 3);
@@ -2753,9 +2762,12 @@ public class UTF8DataInputJsonParser
             if (bits < 0) {
                 if (bits != Base64Variant.BASE64_VALUE_PADDING) {
                     // could also just be 'missing'  padding
-                    if (ch == '"' && !b64variant.usesPadding()) {
+                    if (ch == INT_QUOTE) {
                         decodedData >>= 4;
                         builder.append(decodedData);
+                        if (b64variant.usesPadding()) {
+                            _handleBase64MissingPadding(b64variant);
+                        }
                         return builder.toByteArray();
                     }
                     bits = _decodeBase64Escape(b64variant, ch, 2);
@@ -2763,8 +2775,11 @@ public class UTF8DataInputJsonParser
                 if (bits == Base64Variant.BASE64_VALUE_PADDING) {
                     ch = _inputData.readUnsignedByte();
                     if (!b64variant.usesPaddingChar(ch)) {
+                        if ((ch != INT_BACKSLASH)
+                                || _decodeBase64Escape(b64variant, ch, 3) != Base64Variant.BASE64_VALUE_PADDING) {
                             throw reportInvalidBase64Char(b64variant, ch, 3, "expected padding character '"+b64variant.getPaddingChar()+"'");
                         }
+                    }
                     // Got 12 bits, only need 8, need to shift
                     decodedData >>= 4;
                     builder.append(decodedData);
@@ -2779,9 +2794,12 @@ public class UTF8DataInputJsonParser
             if (bits < 0) {
                 if (bits != Base64Variant.BASE64_VALUE_PADDING) {
                     // could also just be 'missing'  padding
-                    if (ch == '"' && !b64variant.usesPadding()) {
+                    if (ch == INT_QUOTE) {
                         decodedData >>= 2;
                         builder.appendTwoBytes(decodedData);
+                        if (b64variant.usesPadding()) {
+                            _handleBase64MissingPadding(b64variant);
+                        }
                         return builder.toByteArray();
                     }
                     bits = _decodeBase64Escape(b64variant, ch, 3);