Backport #2052, #2058 fixes for 2.7.9.4
diff --git a/release-notes/VERSION b/release-notes/VERSION
index 49e4fd8..f37c3b0 100644
--- a/release-notes/VERSION
+++ b/release-notes/VERSION
@@ -4,9 +4,11 @@
=== Releases ===
------------------------------------------------------------------------
-2.7.9.4 (not yet released)
+2.7.9.4 (08-Jun-2018)
#2032: Blacklist another serialization gadget (ibatis)
+#2052: CVE-2018-12022: Block polymorphic deserialization of types from Jodd-db library
+#2058: CVE-2018-12023: Block polymorphic deserialization of types from Oracle JDBC driver
2.7.9.3 (11-Feb-2018)
diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
index cae5a9e..23ec728 100644
--- a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+++ b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
@@ -57,6 +57,13 @@
// [databind#2032]: more 3rd party; data exfiltration via xml parsed ext entities
s.add("org.apache.ibatis.parsing.XPathParser");
+ // [databind#2052]: Jodd-db, with jndi/ldap lookup
+ s.add("jodd.db.connection.DataSourceConnectionProvider");
+
+ // [databind#2058]: Oracle JDBC driver, with jndi/ldap lookup
+ s.add("oracle.jdbc.connector.OracleManagedConnectionFactory");
+ s.add("oracle.jdbc.rowset.OracleJDBCRowSet");
+
DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
}