Merge branch '2.7' into 2.8

cowtowncoder · cowtowncoder · commit 4c935660a4d7 · 2019-06-12T22:23:01.000-07:00
diff --git a/release-notes/VERSION b/release-notes/VERSION
@@ -6,6 +6,7 @@ Project: jackson-databind
 2.8.11.4 (not released)
 
 #2326: Block one more gadget type (CVE-2019-12086)
+#2334: Block class for CVE-2019-12384
 
 2.8.11.3 (23-Nov-2018)
 
diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
@@ -82,9 +82,12 @@ public class SubTypeValidator
         s.add("org.apache.openjpa.ee.JNDIManagedRuntime");
         s.add("org.apache.axis2.transport.jms.JMSOutTransportInfo");
 
-        // [databind#2326] (2.8.11.4: one more 3rd party gadget
+        // [databind#2326]
         s.add("com.mysql.cj.jdbc.admin.MiniAdmin");        
 
+        // [databind#2334]
+        s.add("ch.qos.logback.core.db.DriverManagerConnectionSource");
+
         DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
     }
 
