Merge branch '2.8' into 2.9

cowtowncoder · cowtowncoder · commit 29a76b22f4a9 · 2019-09-19T21:46:16.000-07:00
diff --git a/release-notes/VERSION-2.x b/release-notes/VERSION-2.x
@@ -22,6 +22,7 @@ Project: jackson-databind
   (reported by crazylirui@gmail.com)
 #2449: Block one more gadget type (CVE-2019-14540)
   (reported by kingkk)
+#2460: Block one mode gadget type (ehcache, no CVE allocated yet)
 
 2.9.9 (16-May-2019)
 
diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
@@ -90,8 +90,9 @@ public class SubTypeValidator
         s.add("org.jdom.transform.XSLTransformer");
         s.add("org.jdom2.transform.XSLTransformer");
 
-        // [databind#2387]: EHCache
+        // [databind#2387], [databind#2460]: EHCache
         s.add("net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup");
+        s.add("net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup");
 
         // [databind#2389]: logback/jndi
         s.add("ch.qos.logback.core.db.JNDIConnectionSource");
