Merge branch '2.8' into 2.9

Author: cowtowncoder

pom.xml

@@ -10,7 +10,7 @@
 
   <groupId>com.fasterxml.jackson.core</groupId>
   <artifactId>jackson-databind</artifactId>
-  <version>2.9.10-SNAPSHOT</version>
+  <version>2.9.9.2-SNAPSHOT</version>
   <name>jackson-databind</name>
   <packaging>bundle</packaging>
   <description>General data-binding functionality for Jackson: works on core streaming API</description>

release-notes/VERSION-2.x

@@ -4,6 +4,11 @@ Project: jackson-databind
 === Releases === 
 ------------------------------------------------------------------------
 
+2.9.9.2 (not yet released)
+
+#2387: Block yet another deserialization gadget (EHCache, CVE-2019-xxxxx?)
+#2389: Block yet another deserialization gadget (Logback, CVE-2019-xxxxx?)
+
 2.9.9.1 (03-Jul-2019)
 
 #2331: `JsonMappingException` through nested getter with generic wildcard return type
@@ -29,6 +34,7 @@ Project: jackson-databind
 #2324: `StringCollectionDeserializer` fails with custom collection
  (reported byb Daniil B)
 #2326: Block one more gadget type (CVE-2019-12086)
+<<<<<<< HEAD:release-notes/VERSION-2.x
 - Prevent String coercion of `null` in `WritableObjectId` when calling `JsonGenerator.writeObjectId()`,
   mostly relevant for formats like YAML that have native Object Ids
 

src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java

@@ -90,6 +90,12 @@ public class SubTypeValidator
         s.add("org.jdom.transform.XSLTransformer");
         s.add("org.jdom2.transform.XSLTransformer");
 
+        // [databind#2387]: EHCache
+        s.add("net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup");
+
+        // [databind#2389]: logback/jndi
+        s.add("ch.qos.logback.core.db.JNDIConnectionSource");
+
         DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
     }