Block one more gadget type (com.pastdev.httpcomponents, CVE-2020-24750)

[cowtowncoder]

Another gadget type(s) reported regarding class(es) of com.pastdev.httpcomponents:configuration. library.
See https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 for description of the general problem.

Mitre id: CVE-2020-24750
Reporter(s): Al1ex@knownsec

Fix is included in:

• 2.9.10.6 (usable via jackson-bom version 2.9.10.20200824)
• 2.6.7.5
• Not considered valid CVE for Jackson 2.10.0 and later (see https://medium.com/@cowtowncoder/jackson-2-10-safe-default-typing-2d018f0ce2ba)

[cowtowncoder]

Planning to release 2.9.10.6 around August 15 or so, depending on whether other block-list changes are reported (none pending as of now).

[cowtowncoder]

2.9.10.6 released, usable via jackson-bom version 2.9.10.20200824