Permalink
Browse files

Fix #2097 for 2.6.7.2

  • Loading branch information...
cowtowncoder committed Aug 16, 2018
1 parent a054585 commit 87d29af25e82a249ea15858e2d4ecbf64091db44
@@ -5,7 +5,10 @@ Project: jackson-databind
------------------------------------------------------------------------

2.6.7.2 (not yet released)

#1737: Block more JDK types from polymorphic deserialization
#2097: Block more classes from polymorphic deserialization (CVE-2018-14718
- CVE-2018-14721)

2.6.7.1 (11-Jul-2017)

@@ -68,6 +68,12 @@
s.add("com.mchange.v2.c3p0.JndiRefForwardingDataSource");
s.add("com.mchange.v2.c3p0.WrapperConnectionPoolDataSource");

// [databind#2097]: some 3rd party, one JDK-bundled
s.add("org.slf4j.ext.EventData");
s.add("flex.messaging.util.concurrent.AsynchBeansWorkManagerExecutor");
s.add("com.sun.deploy.security.ruleset.DRSHelper");
s.add("org.apache.axis2.jaxws.spi.handler.HandlerResolverImpl");

DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
}

0 comments on commit 87d29af

Please sign in to comment.