Merge branch '2.9' into 2.10

cowtowncoder · cowtowncoder · commit 06cf17d95430 · 2019-09-12T13:17:56.000-07:00
diff --git a/release-notes/CREDITS-2.x b/release-notes/CREDITS-2.x
@@ -661,6 +661,10 @@ svarzee@github
   * Reported #2109, suggested fix: Canonical string for reference type is built incorrectly
    (2.8.11.3 / 2.9.7)
 
+Kaki King (kingkk9279@g)
+  * Reported #2449: Block one more gadget type (cve CVE-2019-14540)
+   (2.9.10)
+  
 Connor Kuhn (ckuhn@github)
   * Contributed #1341: FAIL_ON_MISSING_EXTERNAL_TYPE_ID_PROPERTY
    (2.9.0)
diff --git a/release-notes/VERSION-2.x b/release-notes/VERSION-2.x
@@ -115,13 +115,15 @@ Project: jackson-databind
 #2387: Block yet another deserialization gadget (CVE-2019-14379)
 #2389: Block yet another deserialization gadget (CVE-2019-14439)
  (reported by xiexq)
+#2404: FAIL_ON_MISSING_EXTERNAL_TYPE_ID_PROPERTY setting ignored when
+  creator properties are buffered
+ (contributed by Joe B)
 #2410: Block one more gadget type (CVE-2019-14540)
   (reported by iSafeBlue@github / blue@ixsec.org)
 #2420: Block one more gadget type (no CVE allocated yet)
   (reported by crazylirui@gmail.com)
-#2404: FAIL_ON_MISSING_EXTERNAL_TYPE_ID_PROPERTY setting ignored when
-  creator properties are buffered
- (contributed by Joe B)
+#2449: Block one more gadget type (no CVE allocated yet)
+  (reported by Kaki K)
 
 2.9.9 (16-May-2019)
 
diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
@@ -98,6 +98,8 @@ public class SubTypeValidator
 
         // [databind#2410]: HikariCP/metricRegistry config
         s.add("com.zaxxer.hikari.HikariConfig");
+        // [databind#2449]: and sub-class thereof
+        s.add("com.zaxxer.hikari.HikariDataSource");
 
         // [databind#2420]: CXF/JAX-RS provider/XSLT
         s.add("org.apache.cxf.jaxrs.provider.XSLTJaxbProvider");
