Merge branch '2.8' into 2.9

cowtowncoder · cowtowncoder · commit 150a49f49e24 · 2018-06-07T23:10:16.000-07:00
diff --git a/release-notes/VERSION-2.x b/release-notes/VERSION-2.x
@@ -39,7 +39,7 @@ Project: jackson-databind
   with `null` coercion with `@JsonSetter`
 #2027: Concurrency error causes `IllegalStateException` on `BeanPropertyMap`
  (reported by franboragina@github)
-#2032: Blacklist another serialization gadget (ibatis)
+#2032: CVE-2018-11307: Potential information exfiltration with default typing, serialization gadget from MyBatis
  (reported by Guixiong Wu)
 #2034: Serialization problem with type specialization of nested generic types
  (reported by Reinhard P)
@@ -48,6 +48,10 @@ Project: jackson-databind
  (reported by Chetan N)
 #2051: Implicit constructor property names are not renamed properly with
   `PropertyNamingStrategy`
+#2052: CVE-2018-12022: Block polymorphic deserialization of types from Jodd-db library
+ (reported by Guixiong Wu)
+#2058: CVE-2018-12023: Block polymorphic deserialization of types from Oracle JDBC driver
+ (reported by Guixiong Wu)
 
 2.9.5 (26-Mar-2018)
 
@@ -267,6 +271,18 @@ Project: jackson-databind
   `MapperFeature.ALLOW_COERCION_OF_SCALARS`
  (requested by magdel@github)
 
+2.8.11.2 (08-Jun-2018)
+
+#1941: `TypeFactory.constructFromCanonical()` throws NPE for Unparameterized
+  generic canonical strings
+ (reported by ayushgp@github)
+#2032: CVE-2018-11307: Potential information exfiltration with default typing, serialization gadget from MyBatis
+ (reported by Guixiong Wu)
+#2052: CVE-2018-12022: Block polymorphic deserialization of types from Jodd-db library
+ (reported by Guixiong Wu)
+#2058: CVE-2018-12023: Block polymorphic deserialization of types from Oracle JDBC driver
+ (reported by Guixiong Wu)
+
 2.8.11.1 (11-Feb-2018)
 
 #1872: `NullPointerException` in `SubTypeValidator.validateSubType` when
diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
@@ -61,10 +61,11 @@ public class SubTypeValidator
         // [databind#2032]: more 3rd party; data exfiltration via xml parsed ext entities
         s.add("org.apache.ibatis.parsing.XPathParser");
 
-        // [databind#2052]: ldap approaches; in all cases LDAP connection String is passed
-        //   and access attempt is made:
-        s.add("oracle.jdbc.connector.OracleManagedConnectionFactory");
+        // [databind#2052]: Jodd-db, with jndi/ldap lookup
         s.add("jodd.db.connection.DataSourceConnectionProvider");
+
+        // [databind#2058]: Oracle JDBC driver, with jndi/ldap lookup
+        s.add("oracle.jdbc.connector.OracleManagedConnectionFactory");
         s.add("oracle.jdbc.rowset.OracleJDBCRowSet");
 
         DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
