Block one more gadget type (ehcache, CVE-2019-17267)

ablekhman · ablekhman · commit fd5fc28f8a51 · 2019-10-23T11:04:55.000+11:00
Merged from FasterXML/jackson-databind#2460
diff --git a/release-notes/VERSION b/release-notes/VERSION
@@ -43,6 +43,7 @@ One more patch release for 1.9.
  (reported by crazylirui@gmail.com)
 * [databind#2449]: Block one more gadget type (cve CVE-2019-14540)
  (reported by Kaki K)
+* [databind#2460]: Block one mode gadget type (ehcache, CVE-2019-17267)
 
 1.9.13 (14-Jul-2013)
 
diff --git a/src/mapper/java/org/codehaus/jackson/map/jsontype/impl/SubTypeValidator.java b/src/mapper/java/org/codehaus/jackson/map/jsontype/impl/SubTypeValidator.java
@@ -83,8 +83,9 @@ public class SubTypeValidator
         // [databind#2341]: jdom/jdom2
         s.add("org.jdom.transform.XSLTransformer");
         s.add("org.jdom2.transform.XSLTransformer");
-        // [databind#2387]: EHCache
+        // [databind#2387], [databind#2460]: EHCache
         s.add("net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup");
+        s.add("net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup");
         // [databind#2389]: logback/jndi
         s.add("ch.qos.logback.core.db.JNDIConnectionSource");
         // [databind#2410]: HikariCP/metricRegistry config
