After collecting CVE reports for polymorphic deserialization for a
while (about 1-2 per week), I finally decided to cut one more,
possibly final, micro-patch of `jackson-databind` 2.9. The release should
be available via Maven Central about now.
Once 2.11.0 is released, the 2.9 branch will be closed for good and no
more patches will be accepted (earlier branches are already closed),
so now would be a good time to start preparing for an upgrade to 2.10 (or
2.11).
The micro-patch can be referenced directly via jackson-databind version
2.9.10.4, or, preferably, by using `jackson-bom` version
2.9.10.20200411, which has a compatible set of the latest Jackson 2.9.x
components (most are 2.9.10; databind and kotlin have micro-patches).
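As an added example (not part of this announcement), a Maven `pom.xml` fragment that imports the `jackson-bom` version named above, so that every Jackson 2.9.x module in the build resolves to the matching patched set without per-artifact versions; `jackson-module-kotlin` is listed only to show a second module picking up its version from the BOM.

```xml
<!-- Added example, not from the announcement: pin all Jackson 2.9.x modules via the BOM -->
<dependencyManagement>
  <dependencies>
    <dependency>
      <groupId>com.fasterxml.jackson</groupId>
      <artifactId>jackson-bom</artifactId>
      <version>2.9.10.20200411</version>
      <type>pom</type>
      <scope>import</scope>
    </dependency>
  </dependencies>
</dependencyManagement>

<dependencies>
  <!-- No explicit versions: the BOM supplies them, databind resolving to the 2.9.10.4 micro-patch -->
  <dependency>
    <groupId>com.fasterxml.jackson.core</groupId>
    <artifactId>jackson-databind</artifactId>
  </dependency>
  <dependency>
    <groupId>com.fasterxml.jackson.module</groupId>
    <artifactId>jackson-module-kotlin</artifactId>
  </dependency>
</dependencies>
```

Confirm with `mvn dependency:tree` that `jackson-databind` resolves to 2.9.10.4 and that no other dependency in the tree still pulls in an older 2.9.x artifact.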
The full set of issues fixed can be found at:
https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9
but essentially it is all about the Polymorphic Deserialization class
reject list, as per:
https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062
-+ Tatu +-