From: Markus Koschany <apo@debian.org>
Date: Sat, 5 Oct 2019 19:15:03 +0200
Subject: polymorphic typing issues

This is the fix for CVE-2019-12384, CVE-2019-12814, CVE-2019-14379,
CVE-2019-14439, CVE-2019-14540, CVE-2019-16335, CVE-2019-16942, CVE-2019-16943
---
 .../databind/deser/BeanDeserializerFactory.java    | 33 ++++++++++++++++++++++
 1 file changed, 33 insertions(+)

diff --git a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
index c22653a..77d426c 100644
--- a/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
+++ b/src/main/java/com/fasterxml/jackson/databind/deser/BeanDeserializerFactory.java
@@ -103,6 +103,39 @@ public class BeanDeserializerFactory
         // [databind#2326] (2.9.9): one more 3rd party gadget
         s.add("com.mysql.cj.jdbc.admin.MiniAdmin");
 
+        // [databind#2334]: logback-core
+        s.add("ch.qos.logback.core.db.DriverManagerConnectionSource");
+
+        // [databind#2341]: jdom/jdom2
+        s.add("org.jdom.transform.XSLTransformer");
+        s.add("org.jdom2.transform.XSLTransformer");
+
+        // [databind#2387]: EHCache
+        s.add("net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup");
+
+        // [databind#2389]: logback/jndi
+        s.add("ch.qos.logback.core.db.JNDIConnectionSource");
+
+        // [databind#2410]: HikariCP/metricRegistry config
+        s.add("com.zaxxer.hikari.HikariConfig");
+
+        // [databind#2449]: and sub-class thereof
+        s.add("com.zaxxer.hikari.HikariDataSource");
+
+        // [databind#2420]: CXF/JAX-RS provider/XSLT
+        s.add("org.apache.cxf.jaxrs.provider.XSLTJaxbProvider");
+
+        // [databind#2462]: commons-configuration / -2
+        s.add("org.apache.commons.configuration.JNDIConfiguration");
+        s.add("org.apache.commons.configuration2.JNDIConfiguration");
+
+        // [databind#2469]: xalan2
+        s.add("org.apache.xalan.lib.sql.JNDIConnectionPool");
+
+        // [databind#2478]: comons-dbcp, p6spy
+        s.add("org.apache.commons.dbcp.datasources.SharedPoolDataSource");
+        s.add("com.p6spy.engine.spy.P6DataSource");
+
         DEFAULT_NO_DESER_CLASS_NAMES = Collections.unmodifiableSet(s);
     }
 
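Review bot: The entries added from `// [databind#2334]` through `// [databind#2478]` are plain class-name strings, and the separate entry for `com.zaxxer.hikari.HikariDataSource` under "and sub-class thereof" suggests the lookup (outside this hunk) matches exact names only, so subclasses and shaded or relocated copies of these types would presumably not be rejected. I would record that limit above the additions, e.g. `// NOTE: matched by exact class name; a subclass or relocated copy needs its own entry`, so maintainers do not read the set as complete protection for callers that use polymorphic type handling on untrusted input. The commit message lists eight CVE ids while the comments carry only databind issue numbers; adding the CVE id to each comment would make the backport auditable. The comment at `[databind#2478]` also has a typo, `comons-dbcp` for `commons-dbcp`. The static initializer this hunk extends starts before the visible lines.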
