[CVE-2020-36518] Update jackson-databind to 2.13.2.2 #2599

Merged
merged 1 commit into from Mar 29, 2022

Collaborator

@reta reta commented Mar 25, 2022

Signed-off-by: Andriy Redko <andriy.redko@aiven.io>

Description

Update jackson-databind to 2.13.2.2
Blocked by FasterXML/jackson-databind#3428

Issues Resolved

Closes #2597

Check List

  • New functionality includes testing.
    • All tests pass
  • New functionality has been documented.
    • New functionality has javadoc added
  • Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

@opensearch-ci-bot
Collaborator

❌   Gradle Check failure a8db80b11cf901f4332e6f62157d7696b49346ef
Log 3762

Reports 3762

@reta reta changed the title [CVE-2020-36518] Update jackson-databind to 2.13.2.1 [CVE-2020-36518] Update jackson-databind to 2.13.2.2 Mar 29, 2022
@reta reta marked this pull request as ready for review March 29, 2022 13:48
@reta reta requested a review from a team as a code owner March 29, 2022 13:48
@opensearch-ci-bot
Collaborator

❌   Gradle Check failure 541f4f90a1b1d2d0e5cb85051cd300eb36818e92
Log 3848

Reports 3848

Signed-off-by: Andriy Redko <andriy.redko@aiven.io>
@reta
Collaborator Author

reta commented Mar 29, 2022

@dblock @andrross addressing CVE for Jackson, please take a look :) thanks!

@opensearch-ci-bot
Collaborator

✅   Gradle Check success 4059045
Log 3850

Reports 3850

@dblock dblock added the backport 2.x Backport to 2.x branch label Mar 29, 2022
@dblock dblock merged commit d8a1ba6 into opensearch-project:main Mar 29, 2022
@dblock dblock added the backport 2.0 Backport to 2.0 branch label Mar 29, 2022
@opensearch-trigger-bot
Contributor

The backport to 2.x failed:

The process '/usr/bin/git' failed with exit code 1

To backport manually, run these commands in your terminal:

# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add .worktrees/backport-2.x 2.x
# Navigate to the new working tree
cd .worktrees/backport-2.x
# Create a new branch
git switch --create backport/backport-2599-to-2.x
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 d8a1ba691204976e1b0e4ffc8e62b08a22e63692
# Push it to GitHub
git push --set-upstream origin backport/backport-2599-to-2.x
# Go back to the original working tree
cd ../..
# Delete the working tree
git worktree remove .worktrees/backport-2.x

Then, create a pull request where the base branch is 2.x and the compare/head branch is backport/backport-2599-to-2.x.

opensearch-trigger-bot bot pushed a commit that referenced this pull request Mar 29, 2022
Signed-off-by: Andriy Redko <andriy.redko@aiven.io>
(cherry picked from commit d8a1ba6)
kartg pushed a commit that referenced this pull request Mar 29, 2022
Signed-off-by: Andriy Redko <andriy.redko@aiven.io>
(cherry picked from commit d8a1ba6)

Co-authored-by: Andriy Redko <andriy.redko@aiven.io>
@dblock dblock added backport 1.x backport 1.3 Backport to 1.3 branch and removed backport 2.x Backport to 2.x branch labels Apr 1, 2022
@opensearch-trigger-bot
Contributor

The backport to 1.3 failed:

The process '/usr/bin/git' failed with exit code 1

To backport manually, run these commands in your terminal:

# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add .worktrees/backport-1.3 1.3
# Navigate to the new working tree
cd .worktrees/backport-1.3
# Create a new branch
git switch --create backport/backport-2599-to-1.3
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 d8a1ba691204976e1b0e4ffc8e62b08a22e63692
# Push it to GitHub
git push --set-upstream origin backport/backport-2599-to-1.3
# Go back to the original working tree
cd ../..
# Delete the working tree
git worktree remove .worktrees/backport-1.3

Then, create a pull request where the base branch is 1.3 and the compare/head branch is backport/backport-2599-to-1.3.

@opensearch-trigger-bot
Contributor

The backport to 1.x failed:

The process '/usr/bin/git' failed with exit code 1

To backport manually, run these commands in your terminal:

# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add .worktrees/backport-1.x 1.x
# Navigate to the new working tree
cd .worktrees/backport-1.x
# Create a new branch
git switch --create backport/backport-2599-to-1.x
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 d8a1ba691204976e1b0e4ffc8e62b08a22e63692
# Push it to GitHub
git push --set-upstream origin backport/backport-2599-to-1.x
# Go back to the original working tree
cd ../..
# Delete the working tree
git worktree remove .worktrees/backport-1.x

Then, create a pull request where the base branch is 1.x and the compare/head branch is backport/backport-2599-to-1.x.

@heatherdoone

We upgraded to 2.13.2.2 and we are still seeing the StackOverflowError reported here: #2597

@reta
Collaborator Author

reta commented Apr 1, 2022

> We upgraded to 2.13.2.2 and we are still seeing the StackOverflowError reported here: #2597

thanks @heatherdoone, do you see it with OpenSearch or just confirming the bug is not fixed actually?

@heatherdoone

I thought 2.13.2.2 already had the fix for the StackOverflowError. Looks like it is getting merged soon? Or is the fix there now and we just need to pull it again?

@reta
Collaborator Author

reta commented Apr 1, 2022

@heatherdoone according to FasterXML/jackson-databind#2816, it is fixed
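
After a dependency bump like the one in this pull request, it is worth confirming which jackson-databind jars are actually present on disk, since a stale copy elsewhere in an installation would keep the old code loaded. The following sketch is an added example, not part of the pull request or the OpenSearch build: it lists every jackson-databind jar under a directory whose filename version sorts before 2.13.2.2. The function names and the reliance on `sort -V` are assumptions of the example.

```shell
#!/bin/sh
# Version this pull request moves jackson-databind to (taken from the PR title).
MIN_VERSION="2.13.2.2"

# version_lt A B: succeeds when version A sorts strictly before version B.
# Assumes a `sort` that supports -V (GNU coreutils or BusyBox).
version_lt() {
    [ "$1" = "$2" ] && return 1
    first=$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)
    [ "$first" = "$1" ]
}

# find_old_databind DIR: prints "<version> <path>" for each
# jackson-databind-<version>.jar under DIR that is older than MIN_VERSION.
# Returns 1 when at least one such jar is found, 0 otherwise.
find_old_databind() {
    dir=$1
    status=0
    # Jar paths are assumed not to contain newlines.
    list=$(find "$dir" -type f -name 'jackson-databind-*.jar' | sort)
    while IFS= read -r jar; do
        [ -n "$jar" ] || continue
        name=${jar##*/}                     # strip directories
        version=${name#jackson-databind-}   # strip artifact prefix
        version=${version%.jar}             # strip extension
        if version_lt "$version" "$MIN_VERSION"; then
            printf '%s %s\n' "$version" "$jar"
            status=1
        fi
    done <<EOF
$list
EOF
    return $status
}

# Stand-alone use: pass the installation directory as the first argument.
if [ "$#" -gt 0 ]; then
    find_old_databind "$1"
fi
```

The check only reads the version from the jar filename, so a jar that has been renamed or shaded into another artifact will not be reported.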
