Jackson 2.9.10.5 micro-patch (via jackson-bom 2.9.10.20200621) released -- 4 CVEs


Tatu Saloranta

Jun 22, 2020, 9:22:34 PM
to jackson-announce, jackson-user
Jackson-databind 2.9.10.4 micro-patch (via jackson-bom
2.9.10.20200411) -- 4 CVEs -- was just released. See release
notes here:

https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9

At this point there may still be one more micro-patch coming if there
are CVE reports; however, plan is to fully close 2.9 branch by end of
September, 2020. Since there is already 2.11.0 available (and 2.10 and
2.11 both add features to fully block these attacks), there is little
point in adding blocks for ever more obscure 3rd party libraries.

So please consider migrating away from Jackson 2.9 and earlier
versions, especially if you do use polymorphic deserialization as
described on

https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062

(upgrade recommended in general, but from security perspective
problems only apply to certain types of polymorphic deserialization)

-+ Tatu +-
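The post says that 2.10 and 2.11 add features that fully block these attacks and that the 2.9 problems only apply to certain kinds of polymorphic deserialization. The following is an added example (not from Tatu's post or from the Jackson project) showing the 2.9-era "enable default typing" setup next to the 2.10+ replacement built on PolymorphicTypeValidator, which is the feature I take the post to be referring to. It assumes jackson-databind 2.10 or later on the classpath; the Animal/Dog classes and both JSON inputs are constructed for the demonstration, and java.util.HashMap stands in for whatever class name an attacker would supply.

```java
// Added example: default typing without and with a PolymorphicTypeValidator.
// Assumes jackson-databind >= 2.10 (BasicPolymorphicTypeValidator and
// JsonMapper.builder() were introduced in 2.10).
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.json.JsonMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class DefaultTypingDemo {

    // Hypothetical application types; the allow-list below is expressed in terms of them.
    public static abstract class Animal { public String name; }
    public static class Dog extends Animal { public int barks; }

    // Constructed inputs. With default typing in its WRAPPER_ARRAY form the first
    // array element is a fully qualified class name chosen by whoever sent the JSON.
    static final String LEGIT =
            "[\"" + Dog.class.getName() + "\",{\"name\":\"Rex\",\"barks\":2}]";
    // Stand-in for a gadget class: any JDK class that is not in our allow-list.
    static final String FOREIGN =
            "[\"java.util.HashMap\",{\"name\":\"not a dog\"}]";

    /** 2.9-style configuration: any class on the classpath may be named in the type id. */
    @SuppressWarnings("deprecation")
    static ObjectMapper legacyMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping();   // deprecated since 2.10, kept here to show the old behaviour
        return m;
    }

    /** 2.10+ configuration: a type id is honoured only if it names a subtype of Animal. */
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(Animal.class)   // everything else is denied, not just a blocklist
                .build();
        return JsonMapper.builder()
                .activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL)
                .build();
    }

    /** Deserialise into Object so the type id in the payload decides the target class. */
    static String tryRead(ObjectMapper mapper, String json) {
        try {
            Object value = mapper.readValue(json, Object.class);
            return "accepted as " + value.getClass().getName();
        } catch (InvalidTypeIdException e) {
            // Thrown by the validator-backed mapper when the id is not allow-listed.
            return "rejected type id '" + e.getTypeId() + "'";
        } catch (Exception e) {
            return "failed: " + e;
        }
    }

    public static void main(String[] args) {
        ObjectMapper legacy = legacyMapper();
        ObjectMapper hardened = hardenedMapper();
        System.out.println("legacy   / legit   : " + tryRead(legacy, LEGIT));
        System.out.println("legacy   / foreign : " + tryRead(legacy, FOREIGN));
        System.out.println("hardened / legit   : " + tryRead(hardened, LEGIT));
        System.out.println("hardened / foreign : " + tryRead(hardened, FOREIGN));
    }
}
```

The legacy mapper instantiates whatever class the payload names, which is exactly the situation the 2.9 micro-patches address one library at a time; the hardened mapper turns the question around and only resolves ids that satisfy an allow-list you control, so an unknown gadget class is rejected before it is loaded. The same validator can also be applied to properties annotated with @JsonTypeInfo(use = Id.CLASS) by passing it to ObjectMapper.setPolymorphicTypeValidator, which is the case to check if your code does not use default typing but still accepts class names from input.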