From ff4314ccdfec88e4e8ce0cdb140ac6a3645fc2e8 Mon Sep 17 00:00:00 2001
From: Tomasz Kanafa
Date: Tue, 20 Apr 2021 10:35:20 +0200
Subject: [PATCH] MNSTR-5023 backport security fix from jackson2 - Block one more gadget type (Anteros-DBCP, CVE-2020-24616) Merged from FasterXML/jackson-databind#2814
---
 release-notes/VERSION | 3 ++-
 .../codehaus/jackson/map/jsontype/impl/SubTypeValidator.java | 4 +++-
 2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/release-notes/VERSION b/release-notes/VERSION
index 4ed1dd9d0..40c4e3d05 100644
--- a/release-notes/VERSION
+++ b/release-notes/VERSION
@@ -68,7 +68,8 @@ One more patch release for 1.9.
 * [databind#2469]: Block one more gadget type (xalan2, might be related to CVE-2019-14893)
 * [databind#2704]: Block one more gadget type (xalan2, CVE-2020-14062)
 * [databind#2765]: Block one more gadget type (org.jsecurity, CVE-2020-14195)
-* [databind#2798]: Block one more gadget type (CVE-2020-24750)
+* [databind#2798]: Block one more gadget type (com.pastdev.httpcomponents, CVE-2020-24750)
+* [databind#2814]: Block one more gadget type (Anteros-DBCP, CVE-2020-24616)
 1.9.13 (14-Jul-2013)
diff --git a/src/mapper/java/org/codehaus/jackson/map/jsontype/impl/SubTypeValidator.java b/src/mapper/java/org/codehaus/jackson/map/jsontype/impl/SubTypeValidator.java
index ffec2aac5..06aa1451a 100644
--- a/src/mapper/java/org/codehaus/jackson/map/jsontype/impl/SubTypeValidator.java
+++ b/src/mapper/java/org/codehaus/jackson/map/jsontype/impl/SubTypeValidator.java
@@ -127,9 +127,11 @@ public class SubTypeValidator
 // [databind#2631]: shaded hikari-config
 s.add("org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig");
- // [databind#2634]: ibatis-sqlmap, anteros-core
+ // [databind#2634]: ibatis-sqlmap, anteros-core/-dbcp
 s.add("com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig");
 s.add("br.com.anteros.dbcp.AnterosDBCPConfig");
+ // [databind#2814]: anteros-dbcp
+ s.add("br.com.anteros.dbcp.AnterosDBCPDataSource");
 // [databind#2642]: javax.swing (jdk)
 s.add("javax.swing.JEditorPane");
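Review bot: The new `br.com.anteros.dbcp.AnterosDBCPDataSource` entry arrives without a regression test (the diffstat lists only VERSION and SubTypeValidator.java), so nothing pins that this type is actually rejected during polymorphic deserialization; a test asserting the rejection for this class name would guard the backport. The added comment could also carry the advisory id so the entry is traceable from the source alone, e.g. `// [databind#2814]: anteros-dbcp (CVE-2020-24616)`. The entries look like exact class names added to a set (how `s` is consulted is outside the hunk), so a relocated or shaded copy of the class would presumably need its own entry, as the shaded HikariConfig line at the top of the hunk suggests. The enclosing block starts and ends outside the hunk.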