Skip to content

Bump Jackson to 2.12.6.20220326 (CVE-2020-36518)#12411

Closed
jihoonson wants to merge 3 commits intoapache:masterfrom
jihoonson:bump-jackson
Closed

Bump Jackson to 2.12.6.20220326 (CVE-2020-36518)#12411
jihoonson wants to merge 3 commits intoapache:masterfrom
jihoonson:bump-jackson

Conversation

@jihoonson
Copy link
Copy Markdown
Contributor

@jihoonson jihoonson commented Apr 7, 2022
edited
Loading

Description

Another attempt to address https://nvd.nist.gov/vuln/detail/CVE-2020-36518. This PR bumps Jackson to 2.12.6.20220326 which has the fix for the CVE (FasterXML/jackson-databind#2816). It seems not possible to upgrade Jackson to 2.13.2 with no change because of FasterXML/jackson-jaxrs-providers#134.

This PR has:

  • been self-reviewed.
  • added or updated version, license, or notice information in licenses.yaml

@jihoonson jihoonson changed the title Bump Jackson to 2.13.2 (CVE-2020-36518) Bump Jackson to 2.12.6.20220326 (CVE-2020-36518) Apr 7, 2022
@suneet-s suneet-s mentioned this pull request Apr 11, 2022
Closed
9 tasks
xvrl
xvrl reviewed Apr 12, 2022
View reviewed changes
Comment thread ...ons-contrib/kafka-emitter/src/test/java/org/apache/druid/emitter/kafka/KafkaEmitterTest.java
final KafkaEmitter kafkaEmitter = new KafkaEmitter(
new KafkaEmitterConfig("", "metrics", "alerts", requestTopic, "test-cluster", null),
new ObjectMapper()
new DefaultObjectMapper()
Copy link
Copy Markdown
Member

@xvrl xvrl Apr 12, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

any particular reason this change is required?

@xvrl
Copy link
Copy Markdown
Member

xvrl commented Apr 12, 2022

@jihoonson it looks like the changes you made to tests are due to FasterXML/jackson-databind#1852 Are there any other 2.11 or 2.12 behavior changes we might have to worry about?

FrankChen021
FrankChen021 reviewed Apr 12, 2022
View reviewed changes
Comment thread core/src/main/java/org/apache/druid/guice/GuiceAnnotationIntrospector.java
throw new IAE("Annotated methods don't work very well yet...");
}
return Key.get(m.getGenericType());
return Key.get(m.getRawType());
Copy link
Copy Markdown
Member

@FrankChen021 FrankChen021 Apr 12, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This change confuses me. The javadoc of getGenericType says that getType should be used to replace it. But according to the CI test result of #12373 , using of getType here seems that it does not work correctly.

@jihoonson jihoonson mentioned this pull request Apr 15, 2022
Merged
1 task
This was referenced May 19, 2022
Merged
Merged
@FrankChen021 FrankChen021 mentioned this pull request Oct 22, 2022
Closed
3 tasks
@github-actions
Copy link
Copy Markdown

github-actions Bot commented Dec 13, 2023

This pull request has been marked as stale due to 60 days of inactivity.
It will be closed in 4 weeks if no further activity occurs. If you think
that's incorrect or this pull request should instead be reviewed, please simply
write any comment. Even if closed, you can still revive the PR at any time or
discuss it on the dev@druid.apache.org list.
Thank you for your contributions.

@github-actions github-actions Bot added the stale label Dec 13, 2023
@xvrl
Copy link
Copy Markdown
Member

xvrl commented Dec 15, 2023

closing since this was addressed as part of #14770

@xvrl xvrl closed this Dec 15, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@xvrl xvrl xvrl left review comments

@FrankChen021 FrankChen021 FrankChen021 left review comments

Assignees

No one assigned

Labels

Area - Dependencies stale

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@jihoonson @xvrl @FrankChen021