Block more JDK types from polymorphic deserialization (CVE 2017-15095)

[cowtowncoder]

(note: follow-up for #1599)

After initial set of types blocked new reports have arrived for more black-listing.
Although eventual approach is likely to rely separate module (for more timely updates and wider version coverage), at this point addition in databind is needed.

I will update specific list of additions once complete and release is out. Target versions are 2.8.10 and 2.9.1 -- it is possible to backport in 2.7 and even 2.6, but there is diminishing return on effort with those versions so it will not happen unless specifically requested (I'm happy to merge PRs).

[tolbertam]

Target versions are 2.8.10 and 2.9.1 -- it is possible to backport in 2.7 and even 2.6

It would be really nice to have this for 2.7 as well since 2.8 requires JDK 7 and a library I maintain which depends on jackson-databind supports JDK 6 (for a little while longer). I created #1857 to apply ddfddfb on 2.7, it would be really great if that could be included in a future 2.7 release, thanks!

[cowtowncoder]

@tolbertam Thanks. I'll keep this in mind -- there are occasionally other updates in this area. There is some cost or us to maintain older versions, but 2.7 is probably ok for simple blacklist additions.
Thank you for your help with backport.