Backport 6 CVE fixes from 2.8 (now up to 2.9.10[.1] set, similar to 2.6.7.3)

Author: cowtowncoder

release-notes/VERSION

@@ -4,6 +4,15 @@ Project: jackson-databind
 === Releases ===
 ------------------------------------------------------------------------
 
+2.7.9.7 (not yet released)
+
+#2410: Block one more gadget type (HikariCP, CVE-2019-14540)
+#2420: Block one more gadget type (cxf-jax-rs, no CVE allocated yet)
+#2449: Block one more gadget type (HikariCP, CVE-2019-14439 / CVE-2019-16335)
+#2462: Block two more gadget types (commons-configuration/-2)
+#2478: Block two more gadget types (commons-dbcp, p6spy, CVE-2019-16942 / CVE-2019-16943)
+#2498: Block one more gadget type (apache-log4j-extras/1.2, CVE-2019-17531)
+
 2.7.9.6 (26-Jul-2019)
 
 #2326: Block one more gadget type (CVE-2019-12086)

src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java

@@ -54,6 +54,9 @@ public class SubTypeValidator
         // [databind#1855]: more 3rd party
         s.add("org.apache.tomcat.dbcp.dbcp2.BasicDataSource");
         s.add("com.sun.org.apache.bcel.internal.util.ClassLoader");
+        // [databind#1899]: more 3rd party
+        s.add("org.hibernate.jmx.StatisticsService");
+        s.add("org.apache.ibatis.datasource.jndi.JndiDataSourceFactory");
         // [databind#2032]: more 3rd party; data exfiltration via xml parsed ext entities
         s.add("org.apache.ibatis.parsing.XPathParser");
 
@@ -63,9 +66,6 @@ public class SubTypeValidator
         // [databind#2058]: Oracle JDBC driver, with jndi/ldap lookup
         s.add("oracle.jdbc.connector.OracleManagedConnectionFactory");
         s.add("oracle.jdbc.rowset.OracleJDBCRowSet");
-        // [databind#1899]: more 3rd party
-        s.add("org.hibernate.jmx.StatisticsService");
-        s.add("org.apache.ibatis.datasource.jndi.JndiDataSourceFactory");
 
         // [databind#2097]: some 3rd party, one JDK-bundled
         s.add("org.slf4j.ext.EventData");