Merge branch '2.9' into 2.10

cowtowncoder · cowtowncoder · commit b515f6fd7753 · 2019-07-25T22:39:40.000-07:00
diff --git a/release-notes/VERSION-2.x b/release-notes/VERSION-2.x
@@ -59,6 +59,11 @@ Project: jackson-databind
 #2339: Suboptimal return type for `ObjectNode.set()`
  (reported by Victor N)
 
+2.9.9.2 (not yet released)
+
+#2387: Block yet another deserialization gadget (EHCache, CVE-2019-xxxxx?)
+#2389: Block yet another deserialization gadget (Logback, CVE-2019-xxxxx?)
+
 2.9.9.1 (03-Jul-2019)
 
 #2331: `JsonMappingException` through nested getter with generic wildcard return type
diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
@@ -90,6 +90,12 @@ public class SubTypeValidator
         s.add("org.jdom.transform.XSLTransformer");
         s.add("org.jdom2.transform.XSLTransformer");
 
+        // [databind#2387]: EHCache
+        s.add("net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup");
+
+        // [databind#2389]: logback/jndi
+        s.add("ch.qos.logback.core.db.JNDIConnectionSource");
+
         DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
     }
 
