Merge branch '2.7' into 2.8
diff --git a/release-notes/VERSION b/release-notes/VERSION
index b52019b..73d786a 100644
--- a/release-notes/VERSION
+++ b/release-notes/VERSION
@@ -8,7 +8,11 @@
 #1941: `TypeFactory.constructFromCanonical()` throws NPE for Unparameterized
   generic canonical strings
  (reported by ayushgp@github)
-#2032: Blacklist another serialization gadget (ibatis)
+#2032: CVE-2018-11307: Potential information exfiltration with default typing, serialization gadget from MyBatis
+ (reported by Guixiong Wu)
+#2052: CVE-2018-12022: Block polymorphic deserialization of types from Jodd-db library
+ (reported by Guixiong Wu)
+#2058: CVE-2018-12023: Block polymorphic deserialization of types from Oracle JDBC driver
  (reported by Guixiong Wu)
 
 2.8.11.1 (11-Feb-2018)
diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
index 684ce94..eb45b06 100644
--- a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+++ b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
@@ -60,10 +60,11 @@
         // [databind#2032]: more 3rd party; data exfiltration via xml parsed ext entities
         s.add("org.apache.ibatis.parsing.XPathParser");
 
-        // [databind#2052]: ldap approaches; in all cases LDAP connection String is passed
-        //   and access attempt is made:
-        s.add("oracle.jdbc.connector.OracleManagedConnectionFactory");
+        // [databind#2052]: Jodd-db, with jndi/ldap lookup
         s.add("jodd.db.connection.DataSourceConnectionProvider");
+
+        // [databind#2058]: Oracle JDBC driver, with jndi/ldap lookup
+        s.add("oracle.jdbc.connector.OracleManagedConnectionFactory");
         s.add("oracle.jdbc.rowset.OracleJDBCRowSet");
 
         DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
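Review bot: The new comments above `jodd.db.connection.DataSourceConnectionProvider` and `oracle.jdbc.connector.OracleManagedConnectionFactory` drop what the removed comment explained, that an LDAP connection String is passed in and an access attempt is made. They also leave out the CVE ids that the release notes in this same commit assign to each issue. I would write `// [databind#2052] (CVE-2018-12022): Jodd-db; LDAP connection String is passed and a JNDI lookup is attempted` and `// [databind#2058] (CVE-2018-12023): Oracle JDBC driver; same JNDI/LDAP lookup on the passed connection String`, so that each entry can be mapped to its advisory when the set is audited. The entries are exact class-name strings, so subclasses or repackaged (shaded) copies are presumably not matched. If the validator, which is outside this hunk, compares names literally, that limit deserves a line in the comment. The static initializer that builds the set starts and ends outside the hunk.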