commit 87d29af25e82a249ea15858e2d4ecbf64091db44
author Tatu Saloranta <tatu.saloranta@iki.fi> Thu Aug 16 14:42:57 2018 -0700
committer Tatu Saloranta <tatu.saloranta@iki.fi> Thu Aug 16 14:42:57 2018 -0700
tree b1e21ec1276c672befe9d1a022f0fbbe701b7ece
parent a054585e2175ad0882f07bcafedecfac86230f1b

Fix #2097 for 2.6.7.2

release-notes/VERSION

diff --git a/release-notes/VERSION b/release-notes/VERSION
index 859acc7..30efa6f 100644
--- a/release-notes/VERSION
+++ b/release-notes/VERSION
@@ -5,7 +5,10 @@
 ------------------------------------------------------------------------
 
 2.6.7.2 (not yet released)
+
 #1737: Block more JDK types from polymorphic deserialization
+#2097: Block more classes from polymorphic deserialization (CVE-2018-14718
+  - CVE-2018-14721)
 
 2.6.7.1 (11-Jul-2017)
 

src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java

diff --git a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
index 0b1613b..fb4c904 100644
--- a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
+++ b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
@@ -68,6 +68,12 @@
         s.add("com.mchange.v2.c3p0.JndiRefForwardingDataSource");
         s.add("com.mchange.v2.c3p0.WrapperConnectionPoolDataSource");
 
+        // [databind#2097]: some 3rd party, one JDK-bundled
+        s.add("org.slf4j.ext.EventData");
+        s.add("flex.messaging.util.concurrent.AsynchBeansWorkManagerExecutor");
+        s.add("com.sun.deploy.security.ruleset.DRSHelper");
+        s.add("org.apache.axis2.jaxws.spi.handler.HandlerResolverImpl");
+
         DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
     }