Skip to content

Commit

Permalink
Block one more gadget type (logback, CVE-2019-14439)
Browse files Browse the repository at this point in the history 
Merged from FasterXML/jackson-databind#2389
  • Loading branch information
@ablekhman
ablekhman committed Oct 22, 2019
1 parent 7a6d5d3 commit 5c017a5
Show file tree
Hide file tree
Showing 2 changed files with 4 additions and 0 deletions.
2 changes: 2 additions & 0 deletions release-notes/VERSION
View file
Original file line number Diff line number Diff line change
Expand Up @@ -35,6 +35,8 @@ One more patch release for 1.9.
* [databind#2334]: Block class for CVE-2019-12384
* [databind#2341]: Block class for CVE-2019-12814
* [databind#2387]: Block yet another deserialization gadget (EHCache, CVE-2019-14379)
* [databind#2389]: Block yet another deserialization gadget (CVE-2019-14439)
(reported by xiexq)

1.9.13 (14-Jul-2013)

Expand Down
2 changes: 2 additions & 0 deletions src/mapper/java/org/codehaus/jackson/map/jsontype/impl/SubTypeValidator.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -85,6 +85,8 @@ public class SubTypeValidator
s.add("org.jdom2.transform.XSLTransformer");
// [databind#2387]: EHCache
s.add("net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup");
// [databind#2389]: logback/jndi
s.add("ch.qos.logback.core.db.JNDIConnectionSource");

DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
}
Expand Down

0 comments on commit 5c017a5

Please sign in to comment.