From 73c1c2cc76e6cdd7f3a5615cbe3207fe96e4d3db Mon Sep 17 00:00:00 2001
From: Tatu Saloranta
Date: Thu, 12 Sep 2019 13:06:31 -0700
Subject: [PATCH] Fix #2449
---
release-notes/CREDITS | 4 ++++
release-notes/VERSION | 2 ++
.../jackson/databind/jsontype/impl/SubTypeValidator.java | 2 ++
3 files changed, 8 insertions(+)
diff --git a/release-notes/CREDITS b/release-notes/CREDITS
index a4dc78c92c..bd809e3175 100644
--- a/release-notes/CREDITS
+++ b/release-notes/CREDITS
@@ -646,6 +646,10 @@ svarzee@github
 * Reported #2109, suggested fix: Canonical string for reference type is built incorrectly
 (2.8.11.3 / 2.9.7)
+Kaki King (kingkk9279@g)
+ * Reported #2449: Block one more gadget type (cve CVE-2019-14540)
+ (2.9.10)
+
 Connor Kuhn (ckuhn@github)
 * Contributed #1341: FAIL_ON_MISSING_EXTERNAL_TYPE_ID_PROPERTY
 (2.9.0)
diff --git a/release-notes/VERSION b/release-notes/VERSION
index 67c5b565a9..37f9d55ee4 100644
--- a/release-notes/VERSION
+++ b/release-notes/VERSION
@@ -9,6 +9,8 @@ Unreleased but backported
 (reported by iSafeBlue@github / blue@ixsec.org)
 #2420: Block one more gadget type (no CVE allocated yet)
 (reported by crazylirui@gmail.com)
+#2449: Block one more gadget type (cve CVE-2019-14540)
+ (reported by Kaki K)
 2.8.11.4 (25-Jul-2019)
diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
index 0abadfdf33..31f070ce53 100644
--- a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+++ b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
@@ -100,6 +100,8 @@ public class SubTypeValidator
 // [databind#2410]: HikariCP/metricRegistry config
 s.add("com.zaxxer.hikari.HikariConfig");
+ // [databind#2449]: and sub-class thereof
+ s.add("com.zaxxer.hikari.HikariDataSource");
 // [databind#2420]: CXF/JAX-RS provider/XSLT
 s.add("org.apache.cxf.jaxrs.provider.XSLTJaxbProvider");
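Review bot: The added `s.add("com.zaxxer.hikari.HikariDataSource")` entry in the SubTypeValidator.java hunk is needed only because the existing `HikariConfig` entry did not cover its sub-class, which suggests the check (outside this hunk) compares exact class names; if that is so, any further sub-class or a relocated/shaded copy of these classes would still not be rejected by this list. The comment `and sub-class thereof` also drops the CVE id that the release notes carry; something like `// [databind#2449] (CVE-2019-14540): HikariDataSource (sub-class of HikariConfig, listed separately)` would keep the code traceable to the advisory. The diffstat lists no test file, so a regression test asserting that polymorphic deserialization of both Hikari types is refused would protect the entry from being dropped in a later merge. The enclosing initializer starts and ends outside the hunk.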