Block one more gadget type (javax.swing, CVE-2020-10969)

[cowtowncoder]

Another gadget type reported regarding a class in javax.swing package..
See https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 for description of the general problem.

Mitre id: CVE-2020-10969
Reporters: threedr3am

Fix will be included in:

• 2.9.10.4
• 2.8.11.6 (jackson-bom version 2.8.11.20200310)
• 2.7.9.7
• Does not affect 2.10.0 and later

[cowtowncoder]

Issue fixed; CVE id request submitted.

[terryvdgriend]

@cowtowncoder Is there any indication when 2.9.10.4 is going to be released? Since the CVE is now being picked up by reporters.

[cowtowncoder]

@terryvdgriend In future please ask questions on mailing list (https://groups.google.com/forum/#!forum/jackson-user). Issue reports are getting spammed with this same question over and over.
2.9.10.4 will be out when it's ready, hopefully next weekend. But as long as new types to block keep on being submitted 1-2 per week it gets delayed. Right now there is apparently 1 more to be submitted.

[terryvdgriend]

Thanks for the clarification, sorry for the inconvenience!

[cowtowncoder]

@terryvdgriend np, I understand that there is a good reason to wish for a security patch ASAP. Just wish I had a better way of keeping everyone informed...