Update Jackson Databind to 2.13.4.2 (addressing CVE-2022-42003)

[reta]

Description

See please GHSA-jjjh-jjxp-wpff (FasterXML/jackson-databind#3621)

Issues Resolved

N/A

Check List

• New functionality includes testing.
  • All tests pass
• New functionality has been documented.
  • New functionality has javadoc added
• Commits are signed per the DCO using --signoff
• Commit changes are listed out in CHANGELOG.md file (See: Changelog)

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

[owaiskazi19]

@reta do we need to update the jackson dependencies for plugins as well?

[reta]

@reta do we need to update the jackson dependencies for plugins as well?

@owaiskazi19 Sadly yes, if they use own Jackson Databind versions, I will take care of opensearch-java: https://github.com/opensearch-project/opensearch-java/blob/94eb0071d531050b6e96980551a8ea9938308030/java-client/build.gradle.kts#L136

[github-actions]

Gradle Check (Jenkins) Run Completed with:

• RESULT: FAILURE ❌
• URL: https://build.ci.opensearch.org/job/gradle-check/4615/
• CommitID: 4ac4fd2

[github-actions]

Gradle Check (Jenkins) Run Completed with:

• RESULT: FAILURE ❌
• URL: https://build.ci.opensearch.org/job/gradle-check/4616/
• CommitID: f7bc320

[github-actions]

Gradle Check (Jenkins) Run Completed with:

• RESULT: SUCCESS ✅
• URL: https://build.ci.opensearch.org/job/gradle-check/4617/
• CommitID: f7bc320

[mch2]

Is this version in central? I'm only seeing 2.13.4.1 - https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-databind. From what you linked it looks like that version still solves the CVE?

[reta]

Is this version in central? i'm only seeing 2.13.4.1.

It was released few hours ago :-) Should be in repo otherwise builds would fail

[reta]

Is this version in central? I'm only seeing 2.13.4.1 - https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-databind. From what you linked it looks like that version still solves the CVE?

See please: https://github.com/FasterXML/jackson-databind/releases/tag/jackson-databind-2.13.4.2
The 2.13.4.1 was unusable by Gradle because of: FasterXML/jackson-databind#3627

[opensearch-trigger-bot]

The backport to 1.x failed:

The process '/usr/bin/git' failed with exit code 1

To backport manually, run these commands in your terminal:

# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add .worktrees/backport-1.x 1.x
# Navigate to the new working tree
cd .worktrees/backport-1.x
# Create a new branch
git switch --create backport/backport-4779-to-1.x
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 12f26d3d10c413aae6b1abffbe384169fcaea0f7
# Push it to GitHub
git push --set-upstream origin backport/backport-4779-to-1.x
# Go back to the original working tree
cd ../..
# Delete the working tree
git worktree remove .worktrees/backport-1.x

Then, create a pull request where the base branch is 1.x and the compare/head branch is backport/backport-4779-to-1.x.

[opensearch-trigger-bot]

The backport to 2.x failed:

The process '/usr/bin/git' failed with exit code 1

To backport manually, run these commands in your terminal:

# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add .worktrees/backport-2.x 2.x
# Navigate to the new working tree
cd .worktrees/backport-2.x
# Create a new branch
git switch --create backport/backport-4779-to-2.x
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 12f26d3d10c413aae6b1abffbe384169fcaea0f7
# Push it to GitHub
git push --set-upstream origin backport/backport-4779-to-2.x
# Go back to the original working tree
cd ../..
# Delete the working tree
git worktree remove .worktrees/backport-2.x

Then, create a pull request where the base branch is 2.x and the compare/head branch is backport/backport-4779-to-2.x.

[opensearch-trigger-bot]

The backport to 2.0 failed:

The process '/usr/bin/git' failed with exit code 1

To backport manually, run these commands in your terminal:

# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add .worktrees/backport-2.0 2.0
# Navigate to the new working tree
cd .worktrees/backport-2.0
# Create a new branch
git switch --create backport/backport-4779-to-2.0
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 12f26d3d10c413aae6b1abffbe384169fcaea0f7
# Push it to GitHub
git push --set-upstream origin backport/backport-4779-to-2.0
# Go back to the original working tree
cd ../..
# Delete the working tree
git worktree remove .worktrees/backport-2.0

Then, create a pull request where the base branch is 2.0 and the compare/head branch is backport/backport-4779-to-2.0.

[opensearch-trigger-bot]

The backport to 1.3 failed:

The process '/usr/bin/git' failed with exit code 1

To backport manually, run these commands in your terminal:

# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add .worktrees/backport-1.3 1.3
# Navigate to the new working tree
cd .worktrees/backport-1.3
# Create a new branch
git switch --create backport/backport-4779-to-1.3
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 12f26d3d10c413aae6b1abffbe384169fcaea0f7
# Push it to GitHub
git push --set-upstream origin backport/backport-4779-to-1.3
# Go back to the original working tree
cd ../..
# Delete the working tree
git worktree remove .worktrees/backport-1.3

Then, create a pull request where the base branch is 1.3 and the compare/head branch is backport/backport-4779-to-1.3.

[opensearch-trigger-bot]

The backport to 2.1 failed:

The process '/usr/bin/git' failed with exit code 1

To backport manually, run these commands in your terminal:

# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add .worktrees/backport-2.1 2.1
# Navigate to the new working tree
cd .worktrees/backport-2.1
# Create a new branch
git switch --create backport/backport-4779-to-2.1
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 12f26d3d10c413aae6b1abffbe384169fcaea0f7
# Push it to GitHub
git push --set-upstream origin backport/backport-4779-to-2.1
# Go back to the original working tree
cd ../..
# Delete the working tree
git worktree remove .worktrees/backport-2.1

Then, create a pull request where the base branch is 2.1 and the compare/head branch is backport/backport-4779-to-2.1.

[opensearch-trigger-bot]

The backport to 2.2 failed:

The process '/usr/bin/git' failed with exit code 1

To backport manually, run these commands in your terminal:

# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add .worktrees/backport-2.2 2.2
# Navigate to the new working tree
cd .worktrees/backport-2.2
# Create a new branch
git switch --create backport/backport-4779-to-2.2
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 12f26d3d10c413aae6b1abffbe384169fcaea0f7
# Push it to GitHub
git push --set-upstream origin backport/backport-4779-to-2.2
# Go back to the original working tree
cd ../..
# Delete the working tree
git worktree remove .worktrees/backport-2.2

Then, create a pull request where the base branch is 2.2 and the compare/head branch is backport/backport-4779-to-2.2.

[opensearch-trigger-bot]

The backport to 2.3 failed:

The process '/usr/bin/git' failed with exit code 1

To backport manually, run these commands in your terminal:

# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add .worktrees/backport-2.3 2.3
# Navigate to the new working tree
cd .worktrees/backport-2.3
# Create a new branch
git switch --create backport/backport-4779-to-2.3
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 12f26d3d10c413aae6b1abffbe384169fcaea0f7
# Push it to GitHub
git push --set-upstream origin backport/backport-4779-to-2.3
# Go back to the original working tree
cd ../..
# Delete the working tree
git worktree remove .worktrees/backport-2.3

Then, create a pull request where the base branch is 2.3 and the compare/head branch is backport/backport-4779-to-2.3.

[reta]

Ah ... obvously backports are failing, @saratvemulapalli @kotwanikunal I will address backports on Monday if you are OK with that guys, have to leave shorlty for a few days.

[kotwanikunal]

Ah ... obvously backports are failing, @saratvemulapalli @kotwanikunal I will address backports on Monday if you are OK with that guys, have to leave shorlty for a few days.

I can pick a few. Let me help out with 1.x, 2.x, 2.3 to begin with.

[kotwanikunal]

1.x: #4782
2.x: #4781

[kotwanikunal]

@mch2 stepping in 🙂

[mch2]

2.3: #4784 - merged this already.
1.3: #4785

[reta]

@kotwanikunal @mch2 thanks a mill guys for taking care of backports, really appreciate it 🙇