Posted to dev@avro.apache.org by GitBox <gi...@apache.org> on 2022/10/28 18:30:02 UTC

[GitHub] [avro] pavel-moskotin-db opened a new pull request, #1937: AVRO-3658: [java] bump jackson to address CVE-2020-36518

pavel-moskotin-db opened a new pull request, #1937:
URL: https://github.com/apache/avro/pull/1937

   bump jackson to address CVE-2020-36518
   
   <!--
   
   *Thank you very much for contributing to Apache Avro - we are happy that you want to help us improve Avro. To help the community review your contribution in the best possible way, please go through the checklist below, which will get the contribution into a shape in which it can be best reviewed.*
   
   *Please understand that we do not do this to make contributions to Avro a hassle. In order to uphold a high standard of quality for code contributions, while at the same time managing a large number of contributions, we need contributors to prepare the contributions well, and give reviewers enough contextual information for the review. Please also understand that contributions that do not follow this guide will take longer to review and thus typically be picked up with lower priority by the community.*
   
   ## Contribution Checklist
   
     - Make sure that the pull request corresponds to a [JIRA issue](https://issues.apache.org/jira/projects/AVRO/issues). Exceptions are made for typos in JavaDoc or documentation files, which need no JIRA issue.
     
     - Name the pull request in the form "AVRO-XXXX: [component] Title of the pull request", where *AVRO-XXXX* should be replaced by the actual issue number. 
       The *component* is optional, but can help identify the correct reviewers faster: either the language ("java", "python") or subsystem such as "build" or "doc" are good candidates.  
   
     - Fill out the template below to describe the changes contributed by the pull request. That will give reviewers the context they need to do the review.
     
     - Make sure that the change passes the automated tests. You can [build the entire project](https://github.com/apache/avro/blob/master/BUILD.md) or just the [language-specific SDK](https://avro.apache.org/project/how-to-contribute/#unit-tests).
   
     - Each pull request should address only one issue, not mix up code from multiple issues.
     
     - Each commit in the pull request has a meaningful commit message (including the JIRA id)
   
     - Every commit message references Jira issues in their subject lines. In addition, commits follow the guidelines from [How to write a good git commit message](https://chris.beams.io/posts/git-commit/)
       1. Subject is separated from body by a blank line
       1. Subject is limited to 50 characters (not including Jira issue reference)
       1. Subject does not end with a period
       1. Subject uses the imperative mood ("add", not "adding")
       1. Body wraps at 72 characters
       1. Body explains "what" and "why", not "how"
   
   -->
   
   ## What is the purpose of the change
   
   *(For example: This pull request improves file read performance by buffering data, fixing AVRO-XXXX.)*
   
   
   ## Verifying this change
   
   *(Please pick one of the following options)*
   
   This change is a trivial rework / code cleanup without any test coverage.
   
   *(or)*
   
   This change is already covered by existing tests, such as *(please describe tests)*.
   
   *(or)*
   
   This change added tests and can be verified as follows:
   
   *(example:)*
   - *Extended interop tests to verify consistent valid schema names between SDKs*
   - *Added test that validates that Java throws an AvroRuntimeException on invalid binary data*
   - *Manually verified the change by building the website and checking the new redirect*
   
   
   ## Documentation
   
   - Does this pull request introduce a new feature? (yes / no)
   - If yes, how is the feature documented? (not applicable / docs / JavaDocs / not documented)
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscribe@avro.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


[GitHub] [avro] martin-g closed pull request #1937: AVRO-3658: [java] bump jackson to address CVE-2020-36518

Posted by GitBox <gi...@apache.org>.
martin-g closed pull request #1937: AVRO-3658: [java] bump jackson to address CVE-2020-36518
URL: https://github.com/apache/avro/pull/1937




[GitHub] [avro] iemejia commented on pull request #1937: AVRO-3658: [java] bump jackson to address CVE-2020-36518

Posted by GitBox <gi...@apache.org>.
iemejia commented on PR #1937:
URL: https://github.com/apache/avro/pull/1937#issuecomment-1304855116

   Shall we better jump directly to 2.14.0?
   https://github.com/apache/avro/pull/1944




[GitHub] [avro] pavel-moskotin-db commented on pull request #1937: AVRO-3658: [java] bump jackson to address CVE-2020-36518

Posted by GitBox <gi...@apache.org>.
pavel-moskotin-db commented on PR #1937:
URL: https://github.com/apache/avro/pull/1937#issuecomment-1305325217

   @iemejia @martin-g 
   fully agree - can proceed with fresh PR from dependabot 
   https://github.com/apache/avro/pull/1944




[GitHub] [avro] iemejia commented on pull request #1937: AVRO-3658: [java] bump jackson to address CVE-2020-36518

Posted by GitBox <gi...@apache.org>.
iemejia commented on PR #1937:
URL: https://github.com/apache/avro/pull/1937#issuecomment-1310641539

   @martin-g I was just waiting for Pavel to rebase to give him credit for the report, but I understand also the quick merge since this was a security issue. Thanks 👍 




[GitHub] [avro] martin-g commented on pull request #1937: AVRO-3658: [java] bump jackson to address CVE-2020-36518

Posted by GitBox <gi...@apache.org>.
martin-g commented on PR #1937:
URL: https://github.com/apache/avro/pull/1937#issuecomment-1305455428

   @iemejia As a project maintainer you can edit PR's title/description/commit messages/...




[GitHub] [avro] martin-g commented on pull request #1937: AVRO-3658: [java] bump jackson to address CVE-2020-36518

Posted by GitBox <gi...@apache.org>.
martin-g commented on PR #1937:
URL: https://github.com/apache/avro/pull/1937#issuecomment-1300314455

   According to https://github.com/advisories/GHSA-57j2-w4cx-62h2 the affected versions are:
   ```
   >= 2.13.0, <= 2.13.2.0
   <= 2.12.6.0
   ```
   
   so, 2.12.7 (the one used by Avro) is not affected!
   
   Jackson does some major breaks in minor versions! Jumping from 2.12.x to 2.13.x may lead to problems for Avro users.


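The affected-version reasoning in the comment above is the kind of check that is easy to get wrong when a dependency scanner (or a reviewer) compares versions as strings, since "2.12.7" and "2.12.6.0" have different numbers of segments and "2.12.10" sorts before "2.12.6.0" lexically. The following is an added example, not code from the Avro project or from this PR: it parses the two ranges quoted from GHSA-57j2-w4cx-62h2 and reports whether a given jackson-databind version falls inside them. The function and variable names are my own; the only data taken from the thread are the two range strings.

```python
"""
Check a dependency version against GHSA-style affected ranges.

Added example for the CVE-2020-36518 discussion; not part of Apache Avro
or Jackson. The two ranges below are copied from GHSA-57j2-w4cx-62h2 as
quoted in the PR thread.
"""
import re
from typing import Tuple

# Affected jackson-databind ranges, exactly as quoted from the advisory.
AFFECTED_RANGES = [
    ">= 2.13.0, <= 2.13.2.0",
    "<= 2.12.6.0",
]


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.12.7' into (2, 12, 7).

    A non-numeric suffix such as '-rc1' stops parsing at that segment, so
    pre-release tags compare by their numeric components only (an
    assumption that is good enough for Jackson's x.y.z[.w] scheme).
    """
    parts = []
    for piece in v.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    if not parts:
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(parts)


def compare(a: Tuple[int, ...], b: Tuple[int, ...]) -> int:
    """Return -1, 0 or 1 for a < b, a == b, a > b.

    The shorter tuple is padded with zeros so that 2.12.7 == 2.12.7.0 and
    2.12.10 > 2.12.6.0; a plain string comparison gets the second case wrong.
    """
    n = max(len(a), len(b))
    a = a + (0,) * (n - len(a))
    b = b + (0,) * (n - len(b))
    return (a > b) - (a < b)


_OPS = {
    ">=": lambda c: c >= 0,
    ">": lambda c: c > 0,
    "<=": lambda c: c <= 0,
    "<": lambda c: c < 0,
    "=": lambda c: c == 0,
}


def in_range(version: str, range_spec: str) -> bool:
    """True if `version` satisfies every comma-separated constraint."""
    v = parse_version(version)
    for constraint in range_spec.split(","):
        m = re.fullmatch(r"\s*(>=|<=|>|<|=)\s*([\w.\-]+)\s*", constraint)
        if not m:
            raise ValueError(f"bad constraint: {constraint!r}")
        op, bound = m.groups()
        if not _OPS[op](compare(v, parse_version(bound))):
            return False
    return True


def is_affected(version: str, ranges=AFFECTED_RANGES) -> bool:
    """True if `version` falls inside any of the advisory's ranges."""
    return any(in_range(version, r) for r in ranges)


if __name__ == "__main__":
    # Constructed sample inputs around the boundaries quoted in the thread.
    for v in ["2.12.6", "2.12.6.0", "2.12.7", "2.12.10", "2.13.2", "2.13.2.1", "2.14.0"]:
        verdict = "AFFECTED" if is_affected(v) else "not affected"
        print(f"jackson-databind {v}: {verdict}")
```

Running it confirms the comment's conclusion: 2.12.7 is outside both ranges, while 2.12.6 and 2.13.2 are inside. The check is only as good as the version actually resolved on the classpath, so pair it with the build tool's own resolution (for a Maven project, `mvn dependency:tree -Dincludes=com.fasterxml.jackson.core`), since a transitive dependency or a managed version can pull in something other than what the POM declares.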


[GitHub] [avro] iemejia commented on pull request #1937: AVRO-3658: [java] bump jackson to address CVE-2020-36518

Posted by GitBox <gi...@apache.org>.
iemejia commented on PR #1937:
URL: https://github.com/apache/avro/pull/1937#issuecomment-1305439272

   @pavel-moskotin-db please rebase yours and we will merge it. I prefer it because it has the JIRA issue attached too.




[GitHub] [avro] martin-g commented on pull request #1937: AVRO-3658: [java] bump jackson to address CVE-2020-36518

Posted by GitBox <gi...@apache.org>.
martin-g commented on PR #1937:
URL: https://github.com/apache/avro/pull/1937#issuecomment-1304877267

   > Shall we better jump directly to 2.14.0?
   
   I think this should be OK!
   A downstream application can downgrade Jackson if needed. According to the test coverage Avro should work with 2.13/2.14. 




[GitHub] [avro] martin-g commented on pull request #1937: AVRO-3658: [java] bump jackson to address CVE-2020-36518

Posted by GitBox <gi...@apache.org>.
martin-g commented on PR #1937:
URL: https://github.com/apache/avro/pull/1937#issuecomment-1307102244

   Jackson has been upgraded to 2.14.0 with https://github.com/apache/avro/pull/1944 for Avro 1.12.0.
   1.11.2 will use Jackson 2.12.7+




[GitHub] [avro] RyanSkraba commented on pull request #1937: AVRO-3658: [java] bump jackson to address CVE-2020-36518

Posted by GitBox <gi...@apache.org>.
RyanSkraba commented on PR #1937:
URL: https://github.com/apache/avro/pull/1937#issuecomment-1304768648

   OK, this looks like it would be a candidate for a 1.12.0 release!

