Fix #2662, #2664, #2666

cowtowncoder · cowtowncoder · commit 05d7e0e13f43 · 2020-03-25T13:18:59.000-07:00
diff --git a/release-notes/VERSION-2.x b/release-notes/VERSION-2.x
@@ -20,6 +20,12 @@ Project: jackson-databind
  (reported by Srikanth Ramu)
 #2660: Block one more gadget type (caucho-quercus, CVE-2020-10673)
  (reported by threedr3am'follower)
+#2662: Block one more gadget type (bus-proxy)
+ (reported by XuYuanzhen)
+#2664: Block one more gadget type (activemq)
+ (reported by Srikanth Ramu)
+#2666: Block one more gadget type (apache/commons-proxy)
+ (reported by Yiting Fan)
 
 2.9.10.3 (23-Feb-2020)
 
diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
@@ -153,7 +153,17 @@ public class SubTypeValidator
 
         // [databind#2660]: caucho-quercus
         s.add("com.caucho.config.types.ResourceRef");
-        
+
+        // [databind#2662]: aoju/bus-proxy
+        s.add("org.aoju.bus.proxy.provider.RmiProvider");
+        s.add("org.aoju.bus.proxy.provider.remoting.RmiProvider");
+
+        // [databind#2664]: activemq-jms
+        s.add("org.apache.activemq.jms.pool.XaPooledConnectionFactory");
+
+        // [databind#2666]: apache/commons-jms
+        s.add("org.apache.commons.proxy.provider.remoting.RmiProvider");
+
         DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
     }
 
