Block two more gadget types (commons-dbcp, p6spy, CVE-2019-16942 / CVE-2019-16943)

[bsmali4]

Another 2 gadget (*) types reported regarding classes of commons-dbcp and p6spy packages.
See https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 for description of the general problem.

Mitre id: CVE-2019-16942 (commons-dbcp)
Mitre id: CVE-2019-16943 (p6spy)
Reporter: b5mali4

Fixed in:

• 2.9.10.1 (use jackson-bom version 2.9.10.20191020)
• 2.6.7.3
• 2.8.11.5
• does not affect 2.10.0 and later

[cowtowncoder]

Email received (read that before seeing this issue).
Will change descriptions slightly.

[melloware]

@cowtowncoder I think you have the Milstone of 2.9.10 wrong on this ticket as it was fixed after 2.9.10. Wouldn't it be 2.9.10.1 ?

[cowtowncoder]

@melloware Yes, you are right. Will fix the milestone, for some reason set it incorrectly (possibly due to auto-completion).