Fix #2642

cowtowncoder · cowtowncoder · commit 6ba484579849 · 2020-03-10T10:25:11.000-07:00
diff --git a/release-notes/VERSION b/release-notes/VERSION
@@ -6,10 +6,12 @@ Project: jackson-databind
 
 2.7.9.7 (not yet released)
 
-#2631: Block one more gadget type (shaded-hikari-config, CVE-to-be-allocated)
+#2631: Block one more gadget type (shaded-hikari-config, CVE-2020-9546)
  (reported by threedr3am & LFY)
-#2634: Block two more gadget types (ibatis-sqlmap, anteros-core; CVE-to-be-allocated)
+#2634: Block two more gadget types (ibatis-sqlmap, anteros-core; CVE-2020-9547 / CVE-2020-9548)
  (reported by threedr3am & V1ZkRA)
+#2642: Block one more gadget type (javax.swing, CVE-to-be-allocated)
+ (reported by threedr3am)
 #2410: Block one more gadget type (HikariCP, CVE-2019-14540)
 #2420: Block one more gadget type (cxf-jax-rs, no CVE allocated yet)
 #2449: Block one more gadget type (HikariCP, CVE-2019-14439 / CVE-2019-16335)
diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
@@ -133,6 +133,9 @@ public class SubTypeValidator
         s.add("com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig");
         s.add("br.com.anteros.dbcp.AnterosDBCPConfig");
 
+        // [databind#2642]: javax.swing (jdk)
+        s.add("javax.swing.JEditorPane");
+
         DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
     }
 

Original file line number	Diff line number	Diff line change
`@@ -133,6 +133,9 @@ public class SubTypeValidator`
`133`	`133`	`s.add("com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig");`
`134`	`134`	`s.add("br.com.anteros.dbcp.AnterosDBCPConfig");`
`135`	`135`
	`136`	`+ // [databind#2642]: javax.swing (jdk)`
	`137`	`+ s.add("javax.swing.JEditorPane");`
	`138`	`+`
`136`	`139`	`DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);`
`137`	`140`	`}`
`138`	`141`