Fix #2326

commit: dda513bd7251b4f32b7b60b1c13740e3b5a43024 [log] [tgz]
author: Tatu Saloranta <tatu.saloranta@iki.fi> Tue May 14 07:42:10 2019 -0700
committer: Tatu Saloranta <tatu.saloranta@iki.fi> Tue May 14 07:42:10 2019 -0700
tree: ee96c7959ee1cbc617afec01b1235b342a6faf76
parent: 8bb7c9abca9a2e298a2436cb995ba1721e49de5c [diff]
diff --git a/release-notes/VERSION-2.x b/release-notes/VERSION-2.x
index 024d8f2..ce86e7c 100644
--- a/release-notes/VERSION-2.x
+++ b/release-notes/VERSION-2.x

@@ -20,6 +20,7 @@
  (reported by Cyril M)
 #2324: `StringCollectionDeserializer` fails with custom collection
  (reported byb Daniil B)
+#2326: Block one more gadget type (CVE-2019-12086)
 - Prevent String coercion of `null` in `WritableObjectId` when calling `JsonGenerator.writeObjectId()`,
   mostly relevant for formats like YAML that have native Object Ids
 

diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
index 30adb94..a17cdf5 100644
--- a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
+++ b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java

@@ -80,6 +80,9 @@
         s.add("org.apache.openjpa.ee.JNDIManagedRuntime");
         s.add("org.apache.axis2.transport.jms.JMSOutTransportInfo");
 
+        // [databind#2326] (2.9.9): one more 3rd party gadget
+        s.add("com.mysql.cj.jdbc.admin.MiniAdmin");
+
         DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
     }
commit	dda513bd7251b4f32b7b60b1c13740e3b5a43024	[log] [tgz]
author	Tatu Saloranta <tatu.saloranta@iki.fi>	Tue May 14 07:42:10 2019 -0700
committer	Tatu Saloranta <tatu.saloranta@iki.fi>	Tue May 14 07:42:10 2019 -0700
tree	ee96c7959ee1cbc617afec01b1235b342a6faf76
parent	8bb7c9abca9a2e298a2436cb995ba1721e49de5c [diff]