Merge branch '2.7' into 2.8
diff --git a/release-notes/VERSION b/release-notes/VERSION
index 2f72cd3..64d8b68 100644
--- a/release-notes/VERSION
+++ b/release-notes/VERSION
@@ -5,6 +5,8 @@
2.8.11.3 (not yet released)
+#2097: Block more classes from polymorphic deserialization (CVE-2018-14718
+ - CVE-2018-14721)
#2109: Canonical string for reference type is built incorrectly
(reported by svarzee@github)
@@ -305,9 +307,10 @@
#1225: `JsonMappingException` should override getProcessor()
(reported by Nick B)
-2.6.8 (if ever released)
+2.6.7.1 (11-Jul-2017)
#1383: Problem with `@JsonCreator` with 1-arg factory-method, implicit param names
+#1599: Backport the extra safety checks for polymorphic deserialization
2.6.7 (05-Jun-2016)
diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
index eb45b06..ca800c3 100644
--- a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+++ b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
@@ -66,6 +66,15 @@
// [databind#2058]: Oracle JDBC driver, with jndi/ldap lookup
s.add("oracle.jdbc.connector.OracleManagedConnectionFactory");
s.add("oracle.jdbc.rowset.OracleJDBCRowSet");
+ // [databind#1899]: more 3rd party
+ s.add("org.hibernate.jmx.StatisticsService");
+ s.add("org.apache.ibatis.datasource.jndi.JndiDataSourceFactory");
+
+ // [databind#2097]: some 3rd party, one JDK-bundled
+ s.add("org.slf4j.ext.EventData");
+ s.add("flex.messaging.util.concurrent.AsynchBeansWorkManagerExecutor");
+ s.add("com.sun.deploy.security.ruleset.DRSHelper");
+ s.add("org.apache.axis2.jaxws.spi.handler.HandlerResolverImpl");
DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
}
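Review bot: The new comment `// [databind#2097]: some 3rd party, one JDK-bundled` does not say which entry is the JDK-bundled one (presumably `com.sun.deploy.security.ruleset.DRSHelper`), and the CVE identifiers that the VERSION hunk ties to this change are not carried into the code, so a maintainer reading the list later cannot trace why these names were added; I would write it as `// [databind#2097] (CVE-2018-14718 .. CVE-2018-14721): 3rd party gadgets, plus com.sun.deploy.security.ruleset.DRSHelper (JDK-bundled)`. The entries are added with `s.add(...)` and, as far as this hunk shows, matched as exact fully-qualified names, so it is worth stating near `DEFAULT_NO_DESER_CLASS_NAMES` that the set is a reactive denylist of known gadget classes and that subclasses or differently packaged copies of them are not covered by it. The static initializer these lines belong to starts above the hunk, so the header comment for the set is outside this view.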