Merge branch '2.9' into 2.10

cowtowncoder · cowtowncoder · commit 1731fd7d3fa5 · 2019-08-09T16:44:12.000-07:00
diff --git a/release-notes/VERSION-2.x b/release-notes/VERSION-2.x
@@ -69,6 +69,13 @@ Project: jackson-databind
 #2339: Suboptimal return type for `ObjectNode.set()`
  (reported by Victor N)
 
+2.9.10 (not yet released)
+
+#2410: Block one more gadget type (CVE-2019-14540)
+  (reported by iSafeBlue@github / blue@ixsec.org)
+#2420: Block one more gadget type (no CVE allocated yet)
+  (reported by crazylirui@gmail.com)
+
 2.9.9.3 (06-Aug-2019)
 
 #2395: `NullPointerException` from `ResolvedRecursiveType` (regression due to fix for #2331)
diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
@@ -96,6 +96,12 @@ public class SubTypeValidator
         // [databind#2389]: logback/jndi
         s.add("ch.qos.logback.core.db.JNDIConnectionSource");
 
+        // [databind#2410]: HikariCP/metricRegistry config
+        s.add("com.zaxxer.hikari.HikariConfig");
+
+        // [databind#2420]: CXF/JAX-RS provider/XSLT
+        s.add("org.apache.cxf.jaxrs.provider.XSLTJaxbProvider");
+        
         DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
     }
 
