Merge branch '2.7' into 2.8

cowtowncoder · cowtowncoder · commit 4e0c38c9ea45 · 2020-03-10T10:32:09.000-07:00
diff --git a/release-notes/VERSION b/release-notes/VERSION
@@ -3,6 +3,16 @@ Project: jackson-databind
 === Releases ===
 ------------------------------------------------------------------------
 
+2.8.11.5 (not yet releaased)
+
+#2631: Block one more gadget type (shaded-hikari-config, CVE-2020-9546)
+ (reported by threedr3am & LFY)
+#2634: Block two more gadget types (ibatis-sqlmap, anteros-core; CVE-2020-9547 / CVE-2020-9548)
+ (reported by threedr3am & V1ZkRA)
+#2642: Block one more gadget type (javax.swing, CVE-to-be-allocated)
+ (reported by threedr3am)
+#2648: Block one more gadget type (shiro-core, CVE-to-be-allocated)
+
 2.8.11.5 (10-Feb-2020)
 
 #2410: Block one more gadget type (CVE-2019-14540)
diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
@@ -66,9 +66,6 @@ public class SubTypeValidator
         // [databind#2058]: Oracle JDBC driver, with jndi/ldap lookup
         s.add("oracle.jdbc.connector.OracleManagedConnectionFactory");
         s.add("oracle.jdbc.rowset.OracleJDBCRowSet");
-        // [databind#1899]: more 3rd party
-        s.add("org.hibernate.jmx.StatisticsService");
-        s.add("org.apache.ibatis.datasource.jndi.JndiDataSourceFactory");
 
         // [databind#2097]: some 3rd party, one JDK-bundled
         s.add("org.slf4j.ext.EventData");
@@ -129,7 +126,20 @@ public class SubTypeValidator
 
         // [databind#2620]: xbean-reflect
         s.add("org.apache.xbean.propertyeditor.JndiConverter");
-        
+
+        // [databind#2631]: shaded hikari-config
+        s.add("org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig");
+
+        // [databind#2634]: ibatis-sqlmap, anteros-core
+        s.add("com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig");
+        s.add("br.com.anteros.dbcp.AnterosDBCPConfig");
+
+        // [databind#2642]: javax.swing (jdk)
+        s.add("javax.swing.JEditorPane");
+
+        // [databind#2648]: shire-core
+        s.add("org.apache.shiro.realm.jndi.JndiRealmFactory");
+
         DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
     }
 
