File tree Expand file tree Collapse file tree 2 files changed +12
-0
lines changed
src/main/java/com/fasterxml/jackson/databind/jsontype/impl Expand file tree Collapse file tree 2 files changed +12
-0
lines changed Original file line number Diff line number Diff line change @@ -59,8 +59,14 @@ Project: jackson-databind
5959#2339 : Suboptimal return type for `ObjectNode.set()`
6060 (reported by Victor N)
6161
62+ 2.9.9.2 (not yet released)
63+
64+ #2387 : Block yet another deserialization gadget (EHCache, CVE-2019 -xxxxx?)
65+ #2389 : Block yet another deserialization gadget (Logback, CVE-2019 -xxxxx?)
66+
62672.9.9.1 (03 -Jul-2019 )
6368
69+ #2331 : `JsonMappingException` through nested getter with generic wildcard return type
6470#2334 : Block one more gadget type (CVE-2019 -12384 )
6571#2341 : Block one more gadget type (CVE-2019 -12814 )
6672#2374 : `ObjectMapper. getRegisteredModuleIds()` throws NPE if no modules registered
Original file line number Diff line number Diff line change @@ -90,6 +90,12 @@ public class SubTypeValidator
9090 s .add ("org.jdom.transform.XSLTransformer" );
9191 s .add ("org.jdom2.transform.XSLTransformer" );
9292
93+ // [databind#2387]: EHCache
94+ s .add ("net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup" );
95+
96+ // [databind#2389]: logback/jndi
97+ s .add ("ch.qos.logback.core.db.JNDIConnectionSource" );
98+
9399 DEFAULT_NO_DESER_CLASS_NAMES = Collections .unmodifiableSet (s );
94100 }
95101
You can’t perform that action at this time.
0 commit comments