Fix #2410 #2420

FasterXML · Aug 9, 2019 · d4983c7 · d4983c7
1 parent e51a149
commit d4983c7
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 0 deletions.
diff --git a/release-notes/VERSION b/release-notes/VERSION
@@ -3,6 +3,13 @@ Project: jackson-databind
 === Releases ===
 ------------------------------------------------------------------------
 
+Unreleased but backported
+
+#2410: Block one more gadget type (CVE-2019-14540)
+  (reported by iSafeBlue@github / blue@ixsec.org)
+#2420: Block one more gadget type (no CVE allocated yet)
+  (reported by crazylirui@gmail.com)
+
 2.8.11.4 (25-Jul-2019)
 
 #2334: Block one more gadget type (CVE-2019-12384)

diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
@@ -98,6 +98,12 @@ public class SubTypeValidator
         // [databind#2389]: logback/jndi
         s.add("ch.qos.logback.core.db.JNDIConnectionSource");
 
+        // [databind#2410]: HikariCP/metricRegistry config
+        s.add("com.zaxxer.hikari.HikariConfig");
+
+        // [databind#2420]: CXF/JAX-RS provider/XSLT
+        s.add("org.apache.cxf.jaxrs.provider.XSLTJaxbProvider");
+
         DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
     }