File tree Expand file tree Collapse file tree 2 files changed +12
-0
lines changed
src/main/java/com/fasterxml/jackson/databind/jsontype/impl Expand file tree Collapse file tree 2 files changed +12
-0
lines changed Original file line number Diff line number Diff line change @@ -3,11 +3,17 @@ Project: jackson-databind
33=== Releases ===
44------------------------------------------------------------------------
55
6+ <<<<<<< HEAD
672.8.11.4 (not released)
8+ =======
9+ 2.7.9.6 (26-Jul-2019)
10+ >>>>>>> 2.7
711
812#2326: Block one more gadget type (CVE-2019-12086)
913#2334: Block class for CVE-2019-12384
1014#2341: Block class for CVE-2019-12814
15+ #2387: Block yet another deserialization gadget (EHCache, CVE-2019-xxxxx?)
16+ #2389: Block yet another deserialization gadget (Logback, CVE-2019-xxxxx?)
1117
12182.8.11.3 (23-Nov-2018)
1319
Original file line number Diff line number Diff line change @@ -92,6 +92,12 @@ public class SubTypeValidator
9292 s .add ("org.jdom.transform.XSLTransformer" );
9393 s .add ("org.jdom2.transform.XSLTransformer" );
9494
95+ // [databind#2387]: EHCache
96+ s .add ("net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup" );
97+
98+ // [databind#2389]: logback/jndi
99+ s .add ("ch.qos.logback.core.db.JNDIConnectionSource" );
100+
95101 DEFAULT_NO_DESER_CLASS_NAMES = Collections .unmodifiableSet (s );
96102 }
97103
You can’t perform that action at this time.
0 commit comments