Merge branch '2.8' into 2.9
diff --git a/release-notes/VERSION-2.x b/release-notes/VERSION-2.x
index f4f044c..391f20b 100644
--- a/release-notes/VERSION-2.x
+++ b/release-notes/VERSION-2.x
@@ -39,7 +39,7 @@
   with `null` coercion with `@JsonSetter`
 #2027: Concurrency error causes `IllegalStateException` on `BeanPropertyMap`
  (reported by franboragina@github)
-#2032: Blacklist another serialization gadget (ibatis)
+#2032: CVE-2018-11307: Potential information exfiltration with default typing, serialization gadget from MyBatis
  (reported by Guixiong Wu)
 #2034: Serialization problem with type specialization of nested generic types
  (reported by Reinhard P)
@@ -48,6 +48,10 @@
  (reported by Chetan N)
 #2051: Implicit constructor property names are not renamed properly with
   `PropertyNamingStrategy`
+#2052: CVE-2018-12022: Block polymorphic deserialization of types from Jodd-db library
+ (reported by Guixiong Wu)
+#2058: CVE-2018-12023: Block polymorphic deserialization of types from Oracle JDBC driver
+ (reported by Guixiong Wu)
 
 2.9.5 (26-Mar-2018)
 
@@ -267,6 +271,18 @@
   `MapperFeature.ALLOW_COERCION_OF_SCALARS`
  (requested by magdel@github)
 
+2.8.11.2 (08-Jun-2018)
+
+#1941: `TypeFactory.constructFromCanonical()` throws NPE for Unparameterized
+  generic canonical strings
+ (reported by ayushgp@github)
+#2032: CVE-2018-11307: Potential information exfiltration with default typing, serialization gadget from MyBatis
+ (reported by Guixiong Wu)
+#2052: CVE-2018-12022: Block polymorphic deserialization of types from Jodd-db library
+ (reported by Guixiong Wu)
+#2058: CVE-2018-12023: Block polymorphic deserialization of types from Oracle JDBC driver
+ (reported by Guixiong Wu)
+
 2.8.11.1 (11-Feb-2018)
 
 #1872: `NullPointerException` in `SubTypeValidator.validateSubType` when
diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
index 02a11b6..a2f7a8f 100644
--- a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+++ b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
@@ -61,10 +61,11 @@
         // [databind#2032]: more 3rd party; data exfiltration via xml parsed ext entities
         s.add("org.apache.ibatis.parsing.XPathParser");
 
-        // [databind#2052]: ldap approaches; in all cases LDAP connection String is passed
-        //   and access attempt is made:
-        s.add("oracle.jdbc.connector.OracleManagedConnectionFactory");
+        // [databind#2052]: Jodd-db, with jndi/ldap lookup
         s.add("jodd.db.connection.DataSourceConnectionProvider");
+
+        // [databind#2058]: Oracle JDBC driver, with jndi/ldap lookup
+        s.add("oracle.jdbc.connector.OracleManagedConnectionFactory");
         s.add("oracle.jdbc.rowset.OracleJDBCRowSet");
 
         DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
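Review bot: The two new comments for `[databind#2052]` and `[databind#2058]` are terser than the one they replace and drop its explanation that an LDAP connection string is passed in and an access attempt is made. They also omit the CVE ids that the release notes in this same commit assign to these entries. I would carry both into the code, e.g. `// [databind#2052] (CVE-2018-12022): Jodd-db; LDAP connection String is passed and jndi/ldap lookup is attempted` and `// [databind#2058] (CVE-2018-12023): Oracle JDBC driver; same jndi/ldap lookup on a passed connection String`, so anyone auditing the deny list can map each class name to its advisory without opening the changelog. It would also help to say in the second comment that `oracle.jdbc.rowset.OracleJDBCRowSet` falls under #2058 as well, since the grouping now implies it but the old comment covered it explicitly ("in all cases"). The static initializer that builds the set begins above this hunk, so how these names are matched is not visible here.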