Add ref from #2589 to CVE-2020-25649 in release notes for 2.11.0

FasterXML · Oct 13, 2020 · e588f0a · e588f0a
1 parent 8b75ed4
commit e588f0a
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/release-notes/VERSION-2.x b/release-notes/VERSION-2.x
@@ -96,7 +96,7 @@ Project: jackson-databind
 #2587: Add `MapperFeature.BLOCK_UNSAFE_POLYMORPHIC_BASE_TYPES` to allow blocking
   use of unsafe base type for polymorphic deserialization
 #2589: `DOMDeserializer`: setExpandEntityReferences(false) may not prevent
-  external entity expansion in all cases
+  external entity expansion in all cases [CVE-2020-25649]
  (reported by Bartosz B)
 #2592: `ObjectMapper.setSerializationInclusion()` is ignored for `JsonAnyGetter`
  (reported by Oleksii K)