From f5bc93f20bc09198482f5690768c1f438fa17219 Mon Sep 17 00:00:00 2001
From: Mat Booth <mat.booth@redhat.com>
Date: Mon, 22 Jan 2018 15:33:59 +0000
Subject: [PATCH] Update to latest upstream release

---
 .gitignore                                    | 12 +--
 CVE-2017-15095.patch                          | 33 -------
 CVE-2017-17485-2.patch                        | 41 ---------
 ...2017-17485-1.patch => CVE-2017-17485.patch | 68 +++++++++-----
 CVE-2017-7525.patch                           | 92 -------------------
 CVE-2018-5968.patch                           | 24 +++++
 jackson-databind.spec                         | 47 +++++-----
 sources                                       |  2 +-
 8 files changed, 96 insertions(+), 223 deletions(-)
 delete mode 100644 CVE-2017-15095.patch
 delete mode 100644 CVE-2017-17485-2.patch
 rename CVE-2017-17485-1.patch => CVE-2017-17485.patch (81%)
 delete mode 100644 CVE-2017-7525.patch
 create mode 100644 CVE-2018-5968.patch

diff --git a/.gitignore b/.gitignore
index bdf2d3a..0534e2d 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,10 +1,2 @@
-/jackson-databind-2.2.2.tar.gz
-/jackson-databind-2.4.1.1.tar.gz
-/jackson-databind-2.4.1.3.tar.gz
-/jackson-databind-2.4.2.tar.gz
-/jackson-databind-2.5.0.tar.gz
-/jackson-databind-2.6.2.tar.gz
-/jackson-databind-2.6.3.tar.gz
-/jackson-databind-2.6.6.tar.gz
-/jackson-databind-2.6.7.tar.gz
-/jackson-databind-2.7.6.tar.gz
+/jackson-databind-*.tar.gz
+/*.src.rpm
diff --git a/CVE-2017-15095.patch b/CVE-2017-15095.patch
deleted file mode 100644
index 1f06b1c..0000000
--- a/CVE-2017-15095.patch
+++ /dev/null
@@ -1,33 +0,0 @@
---- src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java.orig	2017-11-01 09:57:37.083991374 +0000
-+++ src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java	2017-11-01 10:00:58.032279501 +0000
-@@ -48,16 +48,29 @@
-     static {
-         Set<String> s = new HashSet<String>();
-         // Courtesy of [https://github.com/kantega/notsoserial]:
--        // (and wrt [databind#1599]
-+        // (and wrt [databind#1599])
-         s.add("org.apache.commons.collections.functors.InvokerTransformer");
-         s.add("org.apache.commons.collections.functors.InstantiateTransformer");
-         s.add("org.apache.commons.collections4.functors.InvokerTransformer");
-         s.add("org.apache.commons.collections4.functors.InstantiateTransformer");
-+        // 05-Aug-2017, tatu: as per [https://github.com/mbechler/marshalsec/blob/master/marshalsec.pdf]
-+        //    this is NOT likely to  be exploitable via Jackson. But keep excluded just in case.
-         s.add("org.codehaus.groovy.runtime.ConvertedClosure");
-         s.add("org.codehaus.groovy.runtime.MethodClosure");
-         s.add("org.springframework.beans.factory.ObjectFactory");
-         s.add("com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl");
-         s.add("org.apache.xalan.xsltc.trax.TemplatesImpl");
-+        // [databind#1680]: may or may not be problem, take no chance
-+        s.add("com.sun.rowset.JdbcRowSetImpl");
-+        // [databind#1737]; JDK provided
-+        s.add("java.util.logging.FileHandler");
-+        s.add("java.rmi.server.UnicastRemoteObject");
-+        // [databind#1737]; 3rd party
-+        s.add("org.springframework.aop.support.AbstractBeanFactoryPointcutAdvisor");
-+        s.add("org.springframework.beans.factory.config.PropertyPathFactoryBean");
-+        s.add("com.mchange.v2.c3p0.JndiRefForwardingDataSource");
-+        s.add("com.mchange.v2.c3p0.WrapperConnectionPoolDataSource");
-+
-         DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
-     }
- 
diff --git a/CVE-2017-17485-2.patch b/CVE-2017-17485-2.patch
deleted file mode 100644
index 2a028e4..0000000
--- a/CVE-2017-17485-2.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-From bb45fb16709018842f858f1a6e1118676aaa34bd Mon Sep 17 00:00:00 2001
-From: Tatu Saloranta <tatu.saloranta@iki.fi>
-Date: Tue, 19 Dec 2017 08:31:15 -0800
-Subject: [PATCH] Fix issues with earlier fix for #1855
-
----
- .../jackson/databind/jsontype/impl/SubTypeValidator.java         | 5 +++--
- .../jackson/databind/interop/IllegalTypesCheckTest.java          | 7 +++++++
- .../springframework/jacksontest/AbstractApplicationContext.java  | 5 +++++
- .../org/springframework/jacksontest/AbstractPointcutAdvisor.java | 5 +++++
- .../org/springframework/jacksontest/BogusApplicationContext.java | 9 +++++++++
- .../org/springframework/jacksontest/BogusPointcutAdvisor.java    | 9 +++++++++
- 6 files changed, 38 insertions(+), 2 deletions(-)
- create mode 100644 src/test/java/org/springframework/jacksontest/AbstractApplicationContext.java
- create mode 100644 src/test/java/org/springframework/jacksontest/AbstractPointcutAdvisor.java
- create mode 100644 src/test/java/org/springframework/jacksontest/BogusApplicationContext.java
- create mode 100644 src/test/java/org/springframework/jacksontest/BogusPointcutAdvisor.java
-
-diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
-index 8a273cc15..45a76169f 100644
---- a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
-+++ b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
-@@ -71,6 +71,7 @@ public void validateSubType(DeserializationContext ctxt, JavaType type) throws J
-         final Class<?> raw = type.getRawClass();
-         String full = raw.getName();
- 
-+        main_check:
-         do {
-             if (_cfgIllegalClassNames.contains(full)) {
-                 break;
-@@ -84,8 +85,8 @@ public void validateSubType(DeserializationContext ctxt, JavaType type) throws J
-                     // looking for "AbstractBeanFactoryPointcutAdvisor" but no point to allow any is there?
-                     if ("AbstractPointcutAdvisor".equals(name)
-                             // ditto  for "FileSystemXmlApplicationContext": block all ApplicationContexts
--                            || "AbstractApplicationContext.equals".equals(name)) {
--                        break;
-+                            || "AbstractApplicationContext".equals(name)) {
-+                        break main_check;
-                     }
-                 }
-             }
diff --git a/CVE-2017-17485-1.patch b/CVE-2017-17485.patch
similarity index 81%
rename from CVE-2017-17485-1.patch
rename to CVE-2017-17485.patch
index 836366f..caee2e3 100644
--- a/CVE-2017-17485-1.patch
+++ b/CVE-2017-17485.patch
@@ -13,25 +13,27 @@ diff --git a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializer
 index 217ffd9c6..b462c0c74 100644
 --- a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
 +++ b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
-@@ -12,6 +12,7 @@
- import com.fasterxml.jackson.databind.deser.std.ThrowableDeserializer;
+@@ -11,6 +11,7 @@
+ import com.fasterxml.jackson.databind.exc.InvalidDefinitionException;
  import com.fasterxml.jackson.databind.introspect.*;
  import com.fasterxml.jackson.databind.jsontype.TypeDeserializer;
 +import com.fasterxml.jackson.databind.jsontype.impl.SubTypeValidator;
- import com.fasterxml.jackson.databind.util.ArrayBuilders;
  import com.fasterxml.jackson.databind.util.ClassUtil;
  import com.fasterxml.jackson.databind.util.SimpleBeanPropertyDefinition;
-@@ -40,44 +41,6 @@
  
-     private final static Class<?>[] NO_VIEWS = new Class<?>[0];
+@@ -36,49 +37,6 @@
+      */
+     private final static Class<?>[] INIT_CAUSE_PARAMS = new Class<?>[] { Throwable.class };
  
 -    /**
 -     * Set of well-known "nasty classes", deserialization of which is considered dangerous
 -     * and should (and is) prevented by default.
+-     *
+-     * @since 2.8.9
 -     */
 -    protected final static Set<String> DEFAULT_NO_DESER_CLASS_NAMES;
 -    static {
--        Set<String> s = new HashSet<String>();
+-        Set<String> s = new HashSet<>();
 -        // Courtesy of [https://github.com/kantega/notsoserial]:
 -        // (and wrt [databind#1599])
 -        s.add("org.apache.commons.collections.functors.InvokerTransformer");
@@ -61,12 +63,28 @@ index 217ffd9c6..b462c0c74 100644
 -
 -    /**
 -     * Set of class names of types that are never to be deserialized.
+-     *
+-     * @since 2.8.9
 -     */
 -    protected Set<String> _cfgIllegalClassNames = DEFAULT_NO_DESER_CLASS_NAMES;
- 
+-
      /*
      /**********************************************************
-@@ -179,7 +142,7 @@ public DeserializerFactory withConfig(DeserializerFactoryConfig config)
+     /* Life-cycle
+@@ -146,9 +104,9 @@
+         if (type.isThrowable()) {
+             return buildThrowableDeserializer(ctxt, type, beanDesc);
+         }
+-        /* Or, for abstract types, may have alternate means for resolution
+-         * (defaulting, materialization)
+-         */
++        // Or, for abstract types, may have alternate means for resolution
++        // (defaulting, materialization)
++
+         // 29-Nov-2015, tatu: Also, filter out calls to primitive types, they are
+         //    not something we could materialize anything for
+         if (type.isAbstract() && !type.isPrimitive() && !type.isEnumType()) {
+@@ -174,7 +132,7 @@
              return null;
          }
          // For checks like [databind#1599]
@@ -75,10 +93,13 @@ index 217ffd9c6..b462c0c74 100644
          // Use generic bean introspection to build deserializer
          return buildBeanDeserializer(ctxt, type, beanDesc);
      }
-@@ -868,17 +831,10 @@
-         return (status == null) ? false : status.booleanValue(); 
+@@ -949,19 +907,12 @@
      }
  
+     /**
+-     * @since 2.8.9
++     * @since 2.8.11
+      */
 -    protected void checkIllegalTypes(DeserializationContext ctxt, JavaType type,
 +    protected void _validateSubType(DeserializationContext ctxt, JavaType type,
              BeanDescription beanDesc)
@@ -89,10 +110,10 @@ index 217ffd9c6..b462c0c74 100644
 -        String full = type.getRawClass().getName();
 -
 -        if (_cfgIllegalClassNames.contains(full)) {
--            throw JsonMappingException.from(ctxt,
--                    String.format("Illegal type (%s) to deserialize: prevented for security reasons", full));
+-            ctxt.reportBadTypeDefinition(beanDesc,
+-                    "Illegal type (%s) to deserialize: prevented for security reasons", full);
 -        }
-+        SubTypeValidator.instance().validateSubType(ctxt, type);
++        SubTypeValidator.instance().validateSubType(ctxt, type, beanDesc);
      }
  }
 diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
@@ -100,13 +121,14 @@ new file mode 100644
 index 000000000..8a273cc15
 --- /dev/null
 +++ b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
-@@ -0,0 +1,98 @@
+@@ -0,0 +1,103 @@
 +package com.fasterxml.jackson.databind.jsontype.impl;
 +
 +import java.util.Collections;
 +import java.util.HashSet;
 +import java.util.Set;
 +
++import com.fasterxml.jackson.databind.BeanDescription;
 +import com.fasterxml.jackson.databind.DeserializationContext;
 +import com.fasterxml.jackson.databind.JavaType;
 +import com.fasterxml.jackson.databind.JsonMappingException;
@@ -153,6 +175,7 @@ index 000000000..8a273cc15
 +        // [databind#1855]: more 3rd party
 +        s.add("org.apache.tomcat.dbcp.dbcp2.BasicDataSource");
 +        s.add("com.sun.org.apache.bcel.internal.util.ClassLoader");
++
 +        DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
 +    }
 +
@@ -167,13 +190,15 @@ index 000000000..8a273cc15
 +
 +    public static SubTypeValidator instance() { return instance; }
 +
-+    public void validateSubType(DeserializationContext ctxt, JavaType type) throws JsonMappingException
++    public void validateSubType(DeserializationContext ctxt, JavaType type,
++            BeanDescription beanDesc) throws JsonMappingException
 +    {
 +        // There are certain nasty classes that could cause problems, mostly
 +        // via default typing -- catch them here.
 +        final Class<?> raw = type.getRawClass();
 +        String full = raw.getName();
 +
++        main_check:
 +        do {
 +            if (_cfgIllegalClassNames.contains(full)) {
 +                break;
@@ -181,21 +206,22 @@ index 000000000..8a273cc15
 +
 +            // 18-Dec-2017, tatu: As per [databind#1855], need bit more sophisticated handling
 +            //    for some Spring framework types
-+            if (full.startsWith(PREFIX_STRING)) {
-+                for (Class<?> cls = raw; cls != Object.class; cls = cls.getSuperclass()) {
++            // 05-Jan-2017, tatu: ... also, only applies to classes, not interfaces
++            if (!raw.isInterface() && full.startsWith(PREFIX_STRING)) {
++                for (Class<?> cls = raw; (cls != null) && (cls != Object.class); cls = cls.getSuperclass()) {
 +                    String name = cls.getSimpleName();
 +                    // looking for "AbstractBeanFactoryPointcutAdvisor" but no point to allow any is there?
 +                    if ("AbstractPointcutAdvisor".equals(name)
 +                            // ditto  for "FileSystemXmlApplicationContext": block all ApplicationContexts
-+                            || "AbstractApplicationContext.equals".equals(name)) {
-+                        break;
++                            || "AbstractApplicationContext".equals(name)) {
++                        break main_check;
 +                    }
 +                }
 +            }
 +            return;
 +        } while (false);
 +
-+        throw JsonMappingException.from(ctxt,
-+                String.format("Illegal type (%s) to deserialize: prevented for security reasons", full));
++        ctxt.reportBadTypeDefinition(beanDesc,
++                "Illegal type (%s) to deserialize: prevented for security reasons", full);
 +    }
 +}
diff --git a/CVE-2017-7525.patch b/CVE-2017-7525.patch
deleted file mode 100644
index 4eb2fed..0000000
--- a/CVE-2017-7525.patch
+++ /dev/null
@@ -1,92 +0,0 @@
---- a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java	2016-07-23 03:36:51.000000000 +0100
-+++ b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java	2017-07-20 15:42:39.836790820 +0100
-@@ -139,6 +139,8 @@
-         if (!isPotentialBeanType(type.getRawClass())) {
-             return null;
-         }
-+        // For checks like [databind#1599]
-+        checkIllegalTypes(ctxt, type, beanDesc);
-         // Use generic bean introspection to build deserializer
-         return buildBeanDeserializer(ctxt, type, beanDesc);
-     }
-@@ -826,4 +828,22 @@
-         // We default to 'false', i.e. not ignorable
-         return (status == null) ? false : status.booleanValue(); 
-     }
-+
-+    protected void checkIllegalTypes(DeserializationContext ctxt, JavaType type,
-+            BeanDescription beanDesc)
-+        throws JsonMappingException
-+    {
-+        // There are certain nasty classes that could cause problems, mostly
-+        // via default typing -- catch them here.
-+        Class<?> raw = type.getRawClass();
-+        String name = raw.getSimpleName();
-+
-+        if ("TemplatesImpl".equals(name)) { // [databind#1599] 
-+            if (raw.getName().startsWith("com.sun.org.apache.xalan")) {
-+                throw JsonMappingException.from(ctxt,
-+                        String.format("Illegal type (%s) to deserialize: prevented for security reasons",
-+                                name));
-+            }
-+        }
-+    }
- }
---- a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
-+++ b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
-@@ -39,7 +39,33 @@
-     private final static Class<?>[] INIT_CAUSE_PARAMS = new Class<?>[] { Throwable.class };
- 
-     private final static Class<?>[] NO_VIEWS = new Class<?>[0];
--    
-+
-+    /**
-+     * Set of well-known "nasty classes", deserialization of which is considered dangerous
-+     * and should (and is) prevented by default.
-+     */
-+    protected final static Set<String> DEFAULT_NO_DESER_CLASS_NAMES;
-+    static {
-+        Set<String> s = new HashSet<String>();
-+        // Courtesy of [https://github.com/kantega/notsoserial]:
-+        // (and wrt [databind#1599]
-+        s.add("org.apache.commons.collections.functors.InvokerTransformer");
-+        s.add("org.apache.commons.collections.functors.InstantiateTransformer");
-+        s.add("org.apache.commons.collections4.functors.InvokerTransformer");
-+        s.add("org.apache.commons.collections4.functors.InstantiateTransformer");
-+        s.add("org.codehaus.groovy.runtime.ConvertedClosure");
-+        s.add("org.codehaus.groovy.runtime.MethodClosure");
-+        s.add("org.springframework.beans.factory.ObjectFactory");
-+        s.add("com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl");
-+        s.add("org.apache.xalan.xsltc.trax.TemplatesImpl");
-+        DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
-+    }
-+
-+    /**
-+     * Set of class names of types that are never to be deserialized.
-+     */
-+    protected Set<String> _cfgIllegalClassNames = DEFAULT_NO_DESER_CLASS_NAMES;
-+
-     /*
-     /**********************************************************
-     /* Life-cycle
-@@ -846,15 +871,11 @@ protected void checkIllegalTypes(DeserializationContext ctxt, JavaType type,
-     {
-         // There are certain nasty classes that could cause problems, mostly
-         // via default typing -- catch them here.
--        Class<?> raw = type.getRawClass();
--        String name = raw.getSimpleName();
--
--        if ("TemplatesImpl".equals(name)) { // [databind#1599] 
--            if (raw.getName().startsWith("com.sun.org.apache.xalan")) {
--                throw JsonMappingException.from(ctxt,
--                        String.format("Illegal type (%s) to deserialize: prevented for security reasons",
--                                name));
--            }
-+        String full = type.getRawClass().getName();
-+
-+        if (_cfgIllegalClassNames.contains(full)) {
-+            throw JsonMappingException.from(ctxt,
-+                    String.format("Illegal type (%s) to deserialize: prevented for security reasons", full));
-         }
-     }
- }
diff --git a/CVE-2018-5968.patch b/CVE-2018-5968.patch
new file mode 100644
index 0000000..909a709
--- /dev/null
+++ b/CVE-2018-5968.patch
@@ -0,0 +1,24 @@
+From 038b471e2efde2e8f96b4e0be958d3e5a1ff1d05 Mon Sep 17 00:00:00 2001
+From: Tatu Saloranta <tatu.saloranta@iki.fi>
+Date: Sun, 21 Jan 2018 21:01:07 -0800
+Subject: [PATCH] Fix #1899
+
+---
+ release-notes/VERSION                                                 | 4 +++-
+ .../fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java    | 4 ++++
+ 2 files changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+index 42273e084..37b122734 100644
+--- a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
++++ b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+@@ -51,6 +51,9 @@
+         // [databind#1855]: more 3rd party
+         s.add("org.apache.tomcat.dbcp.dbcp2.BasicDataSource");
+         s.add("com.sun.org.apache.bcel.internal.util.ClassLoader");
++        // [databind#1899]: more 3rd party
++        s.add("org.hibernate.jmx.StatisticsService");
++        s.add("org.apache.ibatis.datasource.jndi.JndiDataSourceFactory");
+ 
+         DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
+     }
diff --git a/jackson-databind.spec b/jackson-databind.spec
index 02e29c4..8cf781e 100644
--- a/jackson-databind.spec
+++ b/jackson-databind.spec
@@ -1,27 +1,24 @@
 Name:          jackson-databind
-Version:       2.7.6
-Release:       7%{?dist}
+Version:       2.9.3
+Release:       1%{?dist}
 Summary:       General data-binding package for Jackson (2.x)
 License:       ASL 2.0 and LGPLv2+
 URL:           http://wiki.fasterxml.com/JacksonHome
 Source0:       https://github.com/FasterXML/jackson-databind/archive/%{name}-%{version}.tar.gz
 
-# These patches can go when we update to jackson >= 2.8.11 OR jackson >= 2.7.9.2
-Patch0: CVE-2017-7525.patch
-Patch1: CVE-2017-15095.patch
-Patch2: CVE-2017-17485-1.patch
-Patch3: CVE-2017-17485-2.patch
+Patch0: CVE-2017-17485.patch
+Patch1: CVE-2018-5968.patch
 
-BuildRequires: maven-local
-BuildRequires: mvn(com.fasterxml.jackson:jackson-parent:pom:)
-BuildRequires: mvn(com.fasterxml.jackson.core:jackson-annotations) >= 2.4.1
-BuildRequires: mvn(com.fasterxml.jackson.core:jackson-core) >= 2.4.1
-BuildRequires: mvn(com.google.guava:guava)
-BuildRequires: mvn(com.google.code.maven-replacer-plugin:replacer)
-BuildRequires: mvn(org.powermock:powermock-api-mockito)
-BuildRequires: mvn(org.powermock:powermock-module-junit4)
+BuildRequires:  maven-local
+BuildRequires:  mvn(com.fasterxml.jackson.core:jackson-annotations) >= %{version}
+BuildRequires:  mvn(com.fasterxml.jackson.core:jackson-core) >= %{version}
+BuildRequires:  mvn(com.fasterxml.jackson:jackson-base:pom:) >= %{version}
+BuildRequires:  mvn(com.google.code.maven-replacer-plugin:replacer)
+BuildRequires:  mvn(org.apache.felix:maven-bundle-plugin)
+BuildRequires:  mvn(org.powermock:powermock-api-mockito)
+BuildRequires:  mvn(org.powermock:powermock-module-junit4)
 
-BuildArch:     noarch
+BuildArch:      noarch
 
 %description
 General data-binding functionality for Jackson:
@@ -36,9 +33,10 @@ This package contains javadoc for %{name}.
 %prep
 %setup -q -n %{name}-%{name}-%{version}
 %patch0 -p1
-%patch1
-%patch2 -p1
-%patch3 -p1
+%patch1 -p1
+
+# Remove plugins unnecessary for RPM builds
+%pom_remove_plugin ":maven-enforcer-plugin"
 
 cp -p src/main/resources/META-INF/LICENSE .
 cp -p src/main/resources/META-INF/NOTICE .
@@ -49,21 +47,17 @@ sed -i 's/\r//' LICENSE NOTICE
 rm src/test/java/com/fasterxml/jackson/databind/introspect/NoClassDefFoundWorkaroundTest.java
 %pom_xpath_remove pom:classpathDependencyExcludes
 
-%pom_xpath_inject "pom:plugin[pom:artifactId='maven-javadoc-plugin']/pom:configuration" "<additionalparam>-Xdoclint:none</additionalparam>"
-%pom_xpath_remove pom:failOnError
-
 # org.powermock.reflect.exceptions.FieldNotFoundException: Field 'fTestClass' was not found in class org.junit.internal.runners.MethodValidator.
 rm src/test/java/com/fasterxml/jackson/databind/type/TestTypeFactoryWithClassLoader.java
 
 # Off test that require connection with the web
-rm src/test/java/com/fasterxml/jackson/databind/ser/TestJdkTypes.java \
- src/test/java/com/fasterxml/jackson/databind/deser/TestJdkTypes.java \
+rm src/test/java/com/fasterxml/jackson/databind/ser/jdk/JDKTypeSerializationTest.java \
+ src/test/java/com/fasterxml/jackson/databind/deser/jdk/JDKStringLikeTypesTest.java \
  src/test/java/com/fasterxml/jackson/databind/TestJDKSerialization.java
 
 %mvn_file : %{name}
 
 %build
-
 %mvn_build -- -Dmaven.test.failure.ignore=true
 
 %install
@@ -77,6 +71,9 @@ rm src/test/java/com/fasterxml/jackson/databind/ser/TestJdkTypes.java \
 %license LICENSE NOTICE
 
 %changelog
+* Mon Jan 22 2018 Mat Booth <mat.booth@redhat.com> - 2.9.3-1
+- Update to latest upstream release
+
 * Mon Jan 15 2018 Mat Booth <mat.booth@redhat.com> - 2.7.6-7
 - Better patch for CVE-2017-17485
 
diff --git a/sources b/sources
index a9316f9..74629c7 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-e656289bef8f4256ac1be14d9e858f32  jackson-databind-2.7.6.tar.gz
+SHA512 (jackson-databind-2.9.3.tar.gz) = ef2fe0a944781631bae38a8ef9da603b2a5ba9cfac762ae77741bc4075a56a57981c751623c13c6f35d54b91d399e0be5d623a603659d8a53629c230907f36f8