Block one more gadget type (apache-log4j-extras/1.2, CVE-2019-17531)

[cowtowncoder]

Another gadget type reported regarding a class of apache-log4j-extras package.
See https://medium.com/@cowtowncoder/on-jackson-cves-dont-panic-here-is-what-you-need-to-know-54cd0d6e8062 for description of the general problem.

Mitre id: CVE-2019-17531
Reporter: 张先辉 Zhangxianhui

Fix will be included in:

• 2.9.10.1
• 2.8.11.5
• 2.6.7.3
• does not affect 2.10.0 and later

[cowtowncoder]

Fixed: off to file for CVE ID.

Also need to consider timing of 2.9.10 now; we have two separate issues.