Commits on Source (5)
jackson-databind (2.10.0-2) unstable; urgency=high
* Fix CVE-2019-16942 and CVE-2019-16943.
Block two more gadget types (commons-dbcp, p6spy). (Closes: #941530)
-- Markus Koschany <apo@debian.org> Thu, 03 Oct 2019 15:48:58 +0200
jackson-databind (2.10.0-1) unstable; urgency=medium
* Team upload.
......
From: Markus Koschany <apo@debian.org>
Date: Thu, 3 Oct 2019 15:56:30 +0200
Subject: CVE-2019-16942 and CVE-2019-16943
Forwarded: not-needed
---
.../fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
index e54149e..4215b4e 100644
--- a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+++ b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
@@ -112,6 +112,10 @@ public class SubTypeValidator
// [databind#2469]: xalan2
s.add("org.apache.xalan.lib.sql.JNDIConnectionPool");
+ // [databind#2478]: comons-dbcp, p6spy
+ s.add("org.apache.commons.dbcp.datasources.SharedPoolDataSource");
+ s.add("com.p6spy.engine.spy.P6DataSource");
+
DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
}
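Review bot: The two names added just before `DEFAULT_NO_DESER_CLASS_NAMES` is frozen extend a denylist, which by construction only stops gadget types that are already known. The lookup code is outside this hunk, but the entries read as exact class names, so coverage presumably ends at these two classes. I would record that next to the additions, for example `// Denylist is a backstop only; untrusted input still needs an allow-list PolymorphicTypeValidator`, since the packaged 2.10 line provides that validator API. The comment `// [databind#2478]: comons-dbcp, p6spy` misspells commons-dbcp; if the spelling is kept to match upstream and ease patch refreshes, the patch header is the place to say so. The enclosing static initializer starts above the hunk, and the patch adds no test showing that deserializing either type is rejected.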
......@@ -11,7 +11,7 @@ Forwarded: not-needed
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pom.xml b/pom.xml
index b031f65..c6660ac 100644
index 95fdb10..4ee8e91 100644
--- a/pom.xml
+++ b/pom.xml
@@ -5,7 +5,7 @@
......
base-pom.patch
CVE-2019-16942-and-CVE-2019-16943.patch