Block two more gadget types (ibatis-sqlmap, anteros-core; CVE-2020-9547 / CVE-2020-9548)

[cowtowncoder]

Another 2 gadget type reported regarding a classes of ibatis-sqlmap and Anteros-Core packages.
See https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 for description of the general problem.

Mitre id: CVE-2020-9547, CVE-2020-9548
Reporters: threedr3am & V1ZkRA

Fix will be included in:

• 2.9.10.4
• 2.8.11.6 (jackson-bom version 2.8.11.20200310)
• 2.7.9.7
• Does not affect 2.10.0 and later

[carnil]

CVE-2020-9547 and CVE-2020-9548 has been assigned according to the MITRE CVE feed.

[cowtowncoder]

@carnil Thank you. For some reason I did not yet get email notification, but these seem legit ids from sequence so I'll use these and double-check when I get confirmation.

[cowtowncoder]

@Arashiailing please do not add unrelated comments on issues. For help, use mailing lists:

https://groups.google.com/forum/#!forum/jackson-user

or Gitter chat:

https://gitter.im/FasterXML/jackson-databind

[pioto]

Is there a scheduled release date for 2.9.10.4?

I'm impacted by this issue, but the milestone doesn't seem to have any release date set yet.

[cowtowncoder]

@pioto As OSS projects usually go, when it is ready. Unfortunately there has been steady stream of individual classes to block, and since I do not want to spend time releasing micro-patches every week I have tried to wait for couple of days to have a break. So far there are 12 issues resolved, and none open (although waiting for CVE ids for 2).
But I think I will release 2.9.10.4 by next weekend, regardless.

[liuyan707124617]

So, hasn't 2.9.10.4 been released yet?