Merge branch '2.9' into 2.10

FasterXML · Jul 30, 2019 · 3b53639 · 3b53639
2 parents 236127c + fca7c57
commit 3b53639
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 1 deletion.
diff --git a/release-notes/CREDITS-2.x b/release-notes/CREDITS-2.x
@@ -504,6 +504,10 @@ Kevin Hogeland (khogeland@github)
   * Reported #1501: `ArrayIndexOutOfBoundsException` on non-static inner class constructor
    (2.7.9)
 
+xiexq ([email protected])
+  * Reported #2389: Block one more gadget type (CVE-2019-14361)
+   (2.7.9.6)
+
 Artur Jonkisz (ajonkisz@github)
   * Reported #960: `@JsonCreator` not working on a factory with no arguments for ae enum type
    (2.8.0)

diff --git a/release-notes/VERSION-2.x b/release-notes/VERSION-2.x
@@ -71,6 +71,7 @@ Project: jackson-databind
 #2331: `JsonMappingException` through nested getter with generic wildcard return type
 #2387: Block yet another deserialization gadget (CVE-2019-14379)
 #2389: Block yet another deserialization gadget (CVE-2019-14361)
+ (reported by xiexq)
 
 2.9.9.1 (03-Jul-2019)
 
@@ -409,9 +410,17 @@ Project: jackson-databind
   `MapperFeature.ALLOW_COERCION_OF_SCALARS`
  (requested by magdel@github)
 
+2.8.11.4 (25-Jul-2019)
+
+#2334: Block one more gadget type (CVE-2019-12384)
+#2341: Block one more gadget type (CVE-2019-12814)
+#2387: Block one more gadget type (CVE-2019-14379)
+#2389: Block one more gadget type (CVE-2019-14361)
+ (reported by xiexq)
+
 2.8.11.3 (23-Nov-2018)
 
-#2326: Block class for CVE-2019-12086
+#2326: Block one more gadget type (CVE-2019-12086)
  (contributed by MaximilianTews@github)
 
 2.8.11.2 (08-Jun-2018)