Block one more gadget type (shaded-hikari-config, CVE-2020-9546)

[cowtowncoder]

(note: placeholder until verified/validated, fix provided)

Another gadget type reported regarding a class of [TO BE ADDED].
See https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 for description of the general problem.

Mitre id: CVE-2020-9546
Reporters: threedr3am & LFY

Fix will be included in:

• 2.9.10.4
• 2.8.11.6 (jackson-bom version 2.8.11.20200310)
• 2.7.9.7
• Does not affect 2.10.0 and later

[carnil]

CVE-2020-9546 seem to have been assigned.

[cowtowncoder]

@carnil thank you: yes, I did get a response that this is the cve id allocated.

[romansok]

(note: placeholder until verified/validated, fix provided)

Another gadget type reported regarding a class of [TO BE ADDED].
See https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 for description of the general problem.

Mitre id: CVE-2020-9546
Reporters: threedr3am & LFY

Fix will be included in:

• 2.9.10.4
• Does not affect 2.10.0 and later

Hi @cowtowncoder ,

I am using jackson-databind 2.10 and I noticed that the fix was included in version 2.10.3,
but according to this report, 2.10.0 and later are not affected.

Can you please advise if any of 2.10.x are vulnerable following this issue?

[cowtowncoder]

@romansok 2.10.x (and later versions)) is not affected by this CVE, exactly as description says.

For convenience, block-list is still included (otherwise merging from earlier versions would always need manual resolution) and hence merged. Same is true all the way to master branch (3.0)