Block two more gadget types (ibatis-sqlmap, anteros-core; CVE-2020-9547 / CVE-2020-9548)

[cowtowncoder]

Another 2 gadget type reported regarding a classes of ibatis-sqlmap and Anteros-Core packages.
See https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 for description of the general problem.

Mitre id: CVE-2020-9547, CVE-2020-9548
Reporters: threedr3am & V1ZkRA

Fix will be included in:

• 2.9.10.4
• 2.8.11.6 (jackson-bom version 2.8.11.20200310)
• 2.7.9.7
• Does not affect 2.10.0 and later

[carnil]

CVE-2020-9547 and CVE-2020-9548 has been assigned according to the MITRE CVE feed.

[cowtowncoder]

@carnil Thank you. For some reason I did not yet get email notification, but these seem legit ids from sequence so I'll use these and double-check when I get confirmation.

[Arashiailing]

Why am I mport com.fasterxml.jackson.databind.ObjectMapper the Idea tell me that cannot reselove it
I had written dependency in pox.xml


com.fasterxml.jackson.core
jackson-core
2.10.1


com.fasterxml.jackson.core
jackson-databind
2.9.10.3


com.fasterxml.jackson.core
jackson-annotations
2.10.1


what's wrong

[Arashiailing]

if I use lib from local instead of Maven，result would be different？

[cowtowncoder]

@Arashiailing please do not add unrelated comments on issues. For help, use mailing lists:

https://groups.google.com/forum/#!forum/jackson-user

or Gitter chat:

https://gitter.im/FasterXML/jackson-databind

[pioto]

Is there a scheduled release date for 2.9.10.4?

I'm impacted by this issue, but the milestone doesn't seem to have any release date set yet.