Merge branch '2.7' into 2.8

cowtowncoder · cowtowncoder · commit 862fca92390f · 2019-06-13T20:27:14.000-07:00
diff --git a/release-notes/VERSION b/release-notes/VERSION
@@ -7,6 +7,7 @@ Project: jackson-databind
 
 #2326: Block one more gadget type (CVE-2019-12086)
 #2334: Block class for CVE-2019-12384
+#2341: Block class for CVE-2019-12814
 
 2.8.11.3 (23-Nov-2018)
 
diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
@@ -85,9 +85,13 @@ public class SubTypeValidator
         // [databind#2326]
         s.add("com.mysql.cj.jdbc.admin.MiniAdmin");        
 
-        // [databind#2334]
+        // [databind#2334]: logback-core
         s.add("ch.qos.logback.core.db.DriverManagerConnectionSource");
 
+        // [databind#2341]: jdom/jdom2
+        s.add("org.jdom.transform.XSLTransformer");
+        s.add("org.jdom2.transform.XSLTransformer");
+
         DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
     }
 
