File _service:obs_scm:CVE-2020-13936-2.patch of Package velocity

From cf85e450636afbe0408354ff04a4018659e64955 Mon Sep 17 00:00:00 2001
From: Will Glass-Husain <wglass@forio.com>
Date: Thu, 16 Jul 2020 22:31:22 -0700
Subject: [PATCH] update list of restricted classes

---
 .../velocity/runtime/defaults/velocity.properties     | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/src/java/org/apache/velocity/runtime/defaults/velocity.properties b/src/java/org/apache/velocity/runtime/defaults/velocity.properties
index 504cbcc..fd1063a 100644
--- a/src/java/org/apache/velocity/runtime/defaults/velocity.properties
+++ b/src/java/org/apache/velocity/runtime/defaults/velocity.properties
@@ -245,9 +245,13 @@ runtime.introspector.uberspect = org.apache.velocity.util.introspection.Uberspec
 # accessed.
 # ----------------------------------------------------------------------------
 
+# Prohibit reflection
 introspector.restrict.packages = java.lang.reflect
 
-## ClassLoader, Thread, and subclasses disabled by default in SecureIntrospectorImpl
+# ClassLoader, Thread, and subclasses disabled by default in SecureIntrospectorImpl
+
+# Restrict these system classes.  Note that anything in this list is matched exactly.
+# (Subclasses must be explicitly named to be included).
 
 introspector.restrict.classes = java.lang.Class
 introspector.restrict.classes = java.lang.Compiler
@@ -261,4 +265,9 @@ introspector.restrict.classes = java.lang.System
 introspector.restrict.classes = java.lang.ThreadGroup
 introspector.restrict.classes = java.lang.ThreadLocal
 
+# Restrict instance managers for common servlet containers  (Tomcat, JBoss, Jetty)
+
+introspector.restrict.classes = org.apache.catalina.core.DefaultInstanceManager
+introspector.restrict.classes = org.wildfly.extension.undertow.deployment.UndertowJSPInstanceManager
+introspector.restrict.classes = org.eclipse.jetty.util.DecoratedObjectFactory
 
-- 
2.23.0