@iosmanthus
Member

Signed-off-by: iosmanthus myosmanthustree@gmail.com

What problem does this PR solve?

Issue Number: close #567

Problem Description:

Upgrade jackson-databind to 2.13.2.2 to fix CVE-2020-36518.

What is changed and how does it work?

Related changes

  • Need to cherry-pick the release branch
  • Need to update the documentation
  • Need to be included in the release note
  • NO related changes

Signed-off-by: iosmanthus <myosmanthustree@gmail.com>
Member

@zz-jason zz-jason left a comment

LGTM

@codecov
codecov bot commented Apr 7, 2022

Codecov Report

Merging #584 (2d8385c) into master (56d64ef) will decrease coverage by 0.21%.
The diff coverage is n/a.

@@             Coverage Diff              @@
##             master     #584      +/-   ##
============================================
- Coverage     34.08%   33.87%   -0.22%     
+ Complexity     1360     1359       -1     
============================================
  Files           270      270              
  Lines         17131    17131              
  Branches       1950     1950              
============================================
- Hits           5839     5803      -36     
- Misses        10680    10716      +36     
  Partials        612      612              
Impacted Files Coverage Δ
...rc/main/java/io/grpc/netty/NettyClientHandler.java 57.54% <0.00%> (-5.82%) ⬇️
src/main/java/io/grpc/stub/ClientCalls.java 48.51% <0.00%> (-1.99%) ⬇️
...va/org/tikv/common/region/StoreHealthyChecker.java 73.07% <0.00%> (-1.29%) ⬇️
...ty/handler/codec/http2/Http2ConnectionHandler.java 51.58% <0.00%> (-0.49%) ⬇️
src/main/java/org/tikv/common/PDClient.java 59.47% <0.00%> (-0.48%) ⬇️
src/main/java/org/tikv/common/TiSession.java 70.95% <0.00%> (-0.48%) ⬇️
src/main/java/io/grpc/netty/WriteQueue.java 76.69% <0.00%> (+2.25%) ⬆️
...g/tikv/common/operation/iterator/ScanIterator.java 76.31% <0.00%> (+2.63%) ⬆️

@zz-jason zz-jason enabled auto-merge (squash) April 7, 2022 09:00
Collaborator

@marsishandsome marsishandsome left a comment

LGTM

@zz-jason zz-jason merged commit 7fa24c3 into tikv:master Apr 7, 2022
ti-srebot pushed a commit to ti-srebot/client-java that referenced this pull request Apr 7, 2022
Signed-off-by: ti-srebot <ti-srebot@pingcap.com>
@ti-srebot
Collaborator

cherry pick to release-3.1 in PR #585

ti-srebot pushed a commit to ti-srebot/client-java that referenced this pull request Apr 7, 2022
Signed-off-by: ti-srebot <ti-srebot@pingcap.com>
@ti-srebot
Collaborator

cherry pick to release-3.2 in PR #586

zz-jason pushed a commit that referenced this pull request Apr 7, 2022
… (#584) (#585)

Co-authored-by: iosmanthus <dengliming@pingcap.com>
Co-authored-by: iosmanthus <myosmanthustree@gmail.com>
zz-jason pushed a commit that referenced this pull request Apr 8, 2022
… (#584) (#586)

Co-authored-by: iosmanthus <dengliming@pingcap.com>
iosmanthus added a commit that referenced this pull request Apr 8, 2022
… (#584) (#585)

Co-authored-by: iosmanthus <dengliming@pingcap.com>
Co-authored-by: iosmanthus <myosmanthustree@gmail.com>
iosmanthus added a commit to iosmanthus/client-java that referenced this pull request May 30, 2022
…-36518 (tikv#584)

Signed-off-by: iosmanthus <myosmanthustree@gmail.com>
sunxiaoguang pushed a commit that referenced this pull request May 30, 2022
… (#584) (#605)

Signed-off-by: iosmanthus <myosmanthustree@gmail.com>
Development

Successfully merging this pull request may close these issues.

update jackson-databind to fix CVE-2020-36518