CVE-2020-9548: Block two more gadget types (ibatis-sqlmap, anteros-core; CVE-2020-9547 / CVE-2020-9548) · Issue #2634 · FasterXML/jackson-databind
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPConfig (aka anteros-core).
@pioto As OSS projects usually go, when it is ready. Unfortunately there has been a steady stream of individual classes to block, and since I do not want to spend time releasing micro-patches every week I have tried to wait for a couple of days to have a break. So far there are 12 issues resolved, and none open (although waiting for CVE IDs for 2).
But I think I will release 2.9.10.4 by next weekend, regardless.
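The comment above describes the treadmill of blocking gadget classes one at a time. As an added example (not code from the jackson-databind project or from this issue), the following shows the allow-list alternative that Jackson 2.10 introduced: `activateDefaultTyping` with a `BasicPolymorphicTypeValidator` restricts which class names an `@class` type id may resolve to, so a newly discovered gadget is rejected without any block-list update. The `Shape`/`Square` model and the `com.example.model` package are hypothetical; the denied payload carries only the type id of the class named in the CVE description.

```java
package com.example.model;

import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.json.JsonMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class SafeDefaultTyping {
    // Hypothetical model: Shape is abstract and non-final, so NON_FINAL default
    // typing writes and expects an "@class" property whenever a Shape is (de)serialized.
    public abstract static class Shape { public abstract double area(); }
    public static class Square extends Shape {
        public double side;
        @Override public double area() { return side * side; }
    }
    // Pre-condition for CVE-2020-9548 and its siblings: global default typing without a
    // validator (2.9 API, deprecated since 2.10). Any class on the classpath may appear in "@class".
    @SuppressWarnings("deprecation")
    static ObjectMapper legacyUnsafeMapper() {
        return new ObjectMapper().enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL);
    }
    // Hardened form: an allow-list validator. Only type ids under our own package resolve;
    // anything else is rejected, so the mapper needs no per-gadget block-list updates.
    static ObjectMapper safeMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType("com.example.model.")
                .build();
        return JsonMapper.builder()
                .activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL, JsonTypeInfo.As.PROPERTY)
                .build();
    }
    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = safeMapper();
        // Constructed input naming an allowed subtype: deserializes normally.
        String ok = "{\"@class\":\"com.example.model.SafeDefaultTyping$Square\",\"side\":3.0}";
        Shape s = mapper.readValue(ok, Shape.class);
        System.out.println("allowed: " + s.getClass().getSimpleName() + ", area=" + s.area());
        // Constructed input carrying only the type id of the gadget class named in the CVE
        // description. The validator rejects it before any instance is constructed.
        String denied = "{\"@class\":\"br.com.anteros.dbcp.AnterosDBCPConfig\"}";
        try {
            mapper.readValue(denied, Shape.class);
        } catch (InvalidTypeIdException e) {
            System.out.println("denied: " + e.getTypeId());
        }
    }
}
```

On 2.9.x, where `activateDefaultTyping` does not exist, the equivalent mitigation is to avoid enabling default typing at all (or upgrade to 2.9.10.4 or later for the block-list fix this issue tracks).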