Block one more gadget type (logback, CVE-2019-12384)

[cowtowncoder]

A new gadget type (see https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062) was reported, and CVE id allocated was CVE-2019-12384.
CVE description is available at: https://nvd.nist.gov/vuln/detail/CVE-2019-12384 for full details, but the specific variation (in addition to needing "default typing", attacker being able to craft specific json message) is that:

• If service has jar logback-classic in its classpath

vulnerability applies.

---

Fixed in:

• 2.9.10
• 2.8.11.4
• 2.7.9.6
• 2.6.7.3

[hwwxj]

Excuse me, may I ask when will this issue be solved?

[cowtowncoder]

I hope to have to work on this (and perhaps the other CVE to file) later this week.

[cowtowncoder]

Fixed in 2.9 (for likely micro-patch 2.9.9.1), as well as backported in 2.8 and 2.7 (in case new versions might be released; or to make it easier for users to build from those branches).

[hwwxj]

ok, thank you very much. By the way, when will the patch 2.9.9.1 be released? we need this urgently.

[cowtowncoder]

I'll be going on vacation later today, back on July 1st, so at earliest in early July (but possibly mid-July, depending on if it'll be 2.9.10 or 2.9.9.1).

[cowtowncoder]

Release 2.9.9.1 in-progress.

[jebeaudet]

@cowtowncoder Are you planning on releasing a 2.9.9.1 for the jackson-bom artifact containing this jackson-databind release? Thanks