Merge branch '2.8' into 2.9

cowtowncoder · cowtowncoder · commit f4ce9dcfe4d6 · 2019-06-12T22:25:26.000-07:00
diff --git a/release-notes/VERSION-2.x b/release-notes/VERSION-2.x
@@ -4,6 +4,10 @@ Project: jackson-databind
 === Releases === 
 ------------------------------------------------------------------------
 
+2.9.9.1 (not yet released)
+
+#2326: Block one more gadget type (CVE-2019-12384)
+
 2.9.9 (16-May-2019)
 
 #1408: Call to `TypeVariable.getBounds()` without synchronization unsafe on some platforms
diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
@@ -80,9 +80,12 @@ public class SubTypeValidator
         s.add("org.apache.openjpa.ee.JNDIManagedRuntime");
         s.add("org.apache.axis2.transport.jms.JMSOutTransportInfo");
 
-        // [databind#2326] (2.9.9): one more 3rd party gadget
+        // [databind#2326] (2.9.9)
         s.add("com.mysql.cj.jdbc.admin.MiniAdmin");
 
+        // [databind#2334] (2.9.9.1)
+        s.add("ch.qos.logback.core.db.DriverManagerConnectionSource");
+
         DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
     }
 
