Fixing issues #2631 and #2634

cowtowncoder · cowtowncoder · commit 9f4e97019fb0 · 2020-02-29T17:35:12.000-08:00
diff --git a/release-notes/VERSION-2.x b/release-notes/VERSION-2.x
@@ -4,6 +4,13 @@ Project: jackson-databind
 === Releases === 
 ------------------------------------------------------------------------
 
+2.9.10.4 (not yet released)
+
+#2631: Block one more gadget type (shaded-hikari-config, CVE-to-be-allocated)
+ (reported by threedr3am & LFY)
+#2634: Block two more gadget types (ibatis-sqlmap, anteros-core; CVE-to-be-allocated)
+ (reported by threedr3am & V1ZkRA)
+
 2.9.10.3 (23-Feb-2020)
 
 #2620: Block one more gadget type (xbean-reflect/JNDI - CVE-2020-8840)
diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
@@ -128,6 +128,13 @@ public class SubTypeValidator
         // [databind#2620]: xbean-reflect
         s.add("org.apache.xbean.propertyeditor.JndiConverter");
 
+        // [databind#2631]: shaded hikari-config
+        s.add("org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig");
+
+        // [databind#2634]: ibatis-sqlmap, anteros-core
+        s.add("com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig");
+        s.add("br.com.anteros.dbcp.AnterosDBCPConfig");
+
         DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
     }
 
