Fixing issues FasterXML#2631 and FasterXML#2634

cowtowncoder · qxo · commit 19fab87902e4 · 2020-03-10T20:34:22.000+08:00
diff --git a/release-notes/VERSION b/release-notes/VERSION
@@ -6,6 +6,10 @@ Project: jackson-databind
 
 2.7.9.7 (not yet released)
 
+#2631: Block one more gadget type (shaded-hikari-config, CVE-to-be-allocated)
+ (reported by threedr3am & LFY)
+#2634: Block two more gadget types (ibatis-sqlmap, anteros-core; CVE-to-be-allocated)
+ (reported by threedr3am & V1ZkRA)
 #2410: Block one more gadget type (HikariCP, CVE-2019-14540)
 #2420: Block one more gadget type (cxf-jax-rs, no CVE allocated yet)
 #2449: Block one more gadget type (HikariCP, CVE-2019-14439 / CVE-2019-16335)
diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
@@ -125,7 +125,14 @@ public class SubTypeValidator
 
         // [databind#2620]: xbean-reflect
         s.add("org.apache.xbean.propertyeditor.JndiConverter");
-        
+
+        // [databind#2631]: shaded hikari-config
+        s.add("org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig");
+
+        // [databind#2634]: ibatis-sqlmap, anteros-core
+        s.add("com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig");
+        s.add("br.com.anteros.dbcp.AnterosDBCPConfig");
+
         DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
     }
 
