From 19fab87902e4846f29f86894e9dba025e7371cb8 Mon Sep 17 00:00:00 2001
From: Tatu Saloranta
Date: Sat, 29 Feb 2020 17:35:12 -0800
Subject: [PATCH] Fixing issues #2631 and #2634
---
 release-notes/VERSION | 4 ++++
 .../jackson/databind/jsontype/impl/SubTypeValidator.java | 9 ++++++++-
 2 files changed, 12 insertions(+), 1 deletion(-)
diff --git a/release-notes/VERSION b/release-notes/VERSION
index 9c6a744775..ec12be41dd 100644
--- a/release-notes/VERSION
+++ b/release-notes/VERSION
@@ -6,6 +6,10 @@ Project: jackson-databind
 2.7.9.7 (not yet released)
+#2631: Block one more gadget type (shaded-hikari-config, CVE-to-be-allocated)
+ (reported by threedr3am & LFY)
+#2634: Block two more gadget types (ibatis-sqlmap, anteros-core; CVE-to-be-allocated)
+ (reported by threedr3am & V1ZkRA)
 #2410: Block one more gadget type (HikariCP, CVE-2019-14540)
 #2420: Block one more gadget type (cxf-jax-rs, no CVE allocated yet)
 #2449: Block one more gadget type (HikariCP, CVE-2019-14439 / CVE-2019-16335)
diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
index 7234cc127a..68dd3d8e42 100644
--- a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+++ b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
@@ -125,7 +125,14 @@ public class SubTypeValidator
 // [databind#2620]: xbean-reflect
 s.add("org.apache.xbean.propertyeditor.JndiConverter");
-
+
+ // [databind#2631]: shaded hikari-config
+ s.add("org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig");
+
+ // [databind#2634]: ibatis-sqlmap, anteros-core
+ s.add("com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig");
+ s.add("br.com.anteros.dbcp.AnterosDBCPConfig");
+
 DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
 }
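Review bot: The new `s.add("org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig")` entry shows the limit of this set: it appears to be matched by exact fully-qualified name (the lookup code is outside the hunk), so a class the release notes already list as blocked (HikariCP, #2410) had to be added again for its Hadoop-relocated copy. Any other shaded or relocated copy of the same class would still not be covered. I would document that above the entry, e.g. `// exact-name match only: other relocated/shaded copies of HikariConfig are not covered by this entry`. The diffstat shows only VERSION and SubTypeValidator.java changed, so none of the three new names has a regression test asserting that polymorphic deserialization of it is rejected. The enclosing static initializer starts outside the hunk.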