Fix #2334

cowtowncoder · cowtowncoder · commit c9ef4a10d6f6 · 2019-06-12T22:20:12.000-07:00
diff --git a/release-notes/VERSION b/release-notes/VERSION
@@ -8,6 +8,7 @@ Not yet released
 
 #2326: Block class for CVE-2019-12086
  (contributed by MaximilianTews@github)
+#2334: Block class for CVE-2019-12384
 
 2.7.9.5 (23-Nov-2018)
 
diff --git a/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java b/src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java
@@ -81,6 +81,9 @@ public class SubTypeValidator
         
         // [databind#2326] (2.7.9.6): one more 3rd party gadget
         s.add("com.mysql.cj.jdbc.admin.MiniAdmin");
+
+        // [databind#2334] (2.9.9.1): logback-core
+        s.add("ch.qos.logback.core.db.DriverManagerConnectionSource");
         
         DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
     }

Original file line number	Diff line number	Diff line change
`@@ -81,6 +81,9 @@ public class SubTypeValidator`
`81`	`81`
`82`	`82`	`// [databind#2326] (2.7.9.6): one more 3rd party gadget`
`83`	`83`	`s.add("com.mysql.cj.jdbc.admin.MiniAdmin");`
	`84`	`+`
	`85`	`+ // [databind#2334] (2.9.9.1): logback-core`
	`86`	`+ s.add("ch.qos.logback.core.db.DriverManagerConnectionSource");`
`84`	`87`
`85`	`88`	`DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);`
`86`	`89`	`}`