
Update to most recent version of jackson-databind #1679

Merged (1 commit), Mar 15, 2022

Conversation

peternied
Member

Signed-off-by: Peter Nied [email protected]

Description

Fixes https://www.whitesourcesoftware.com/vulnerability-database/CVE-2020-36518

Check List

  • New functionality includes testing
  • New functionality has been documented
  • Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

@peternied peternied self-assigned this Mar 15, 2022
@peternied peternied requested a review from a team March 15, 2022 15:15
@peternied peternied mentioned this pull request Mar 15, 2022
@davidlago davidlago added the label "Mend: dependency security vulnerability" (Security vulnerability detected by WhiteSource) Mar 15, 2022
@codecov-commenter

codecov-commenter commented Mar 15, 2022

Codecov Report

Merging #1679 (a0fbe1e) into main (920701e) will not change coverage.
The diff coverage is n/a.

@@            Coverage Diff            @@
##               main    #1679   +/-   ##
=========================================
  Coverage     62.92%   62.92%           
  Complexity     3259     3259           
=========================================
  Files           253      253           
  Lines         18127    18127           
  Branches       3258     3258           
=========================================
  Hits          11406    11406           
  Misses         5072     5072           
  Partials       1649     1649           


@peternied peternied merged commit 9967fb1 into opensearch-project:main Mar 15, 2022
@peternied peternied deleted the jackson branch March 15, 2022 16:51
@cliu123 cliu123 added the labels "backport 1.x" (backport to 1.x branch), "backport 1.2" (backport to 1.2 branch) and "backport 1.3" (backport to 1.3 branch) Mar 22, 2022
opensearch-trigger-bot bot pushed a commit that referenced this pull request Mar 22, 2022
Signed-off-by: Peter Nied <[email protected]>
(cherry picked from commit 9967fb1)
opensearch-trigger-bot bot pushed a commit that referenced this pull request Mar 22, 2022
Signed-off-by: Peter Nied <[email protected]>
(cherry picked from commit 9967fb1)
@cliu123 cliu123 added the labels "backport 1.1" (backport to 1.1 branch), "backport 1.0" (backport to 1.0 branch) and "backport 1.2" (backport to 1.2 branch), and removed the labels "backport 1.1" (backport to 1.1 branch), "backport 1.0" (backport to 1.0 branch) and "backport 1.2" (backport to 1.2 branch) Mar 22, 2022
@opensearch-trigger-bot
Contributor

The backport to 1.0 failed:

The process '/usr/bin/git' failed with exit code 1

To backport manually, run these commands in your terminal:

# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add .worktrees/backport-1.0 1.0
# Navigate to the new working tree
cd .worktrees/backport-1.0
# Create a new branch
git switch --create backport/backport-1679-to-1.0
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 9967fb1e889c2459bccafe01b187ef6ba8b7992d
# Push it to GitHub
git push --set-upstream origin backport/backport-1679-to-1.0
# Go back to the original working tree
cd ../..
# Delete the working tree
git worktree remove .worktrees/backport-1.0

Then, create a pull request where the base branch is 1.0 and the compare/head branch is backport/backport-1679-to-1.0.

@opensearch-trigger-bot
Contributor

The backport to 1.2 failed:

The process '/usr/bin/git' failed with exit code 1

To backport manually, run these commands in your terminal:

# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add .worktrees/backport-1.2 1.2
# Navigate to the new working tree
cd .worktrees/backport-1.2
# Create a new branch
git switch --create backport/backport-1679-to-1.2
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 9967fb1e889c2459bccafe01b187ef6ba8b7992d
# Push it to GitHub
git push --set-upstream origin backport/backport-1679-to-1.2
# Go back to the original working tree
cd ../..
# Delete the working tree
git worktree remove .worktrees/backport-1.2

Then, create a pull request where the base branch is 1.2 and the compare/head branch is backport/backport-1679-to-1.2.

@opensearch-trigger-bot
Contributor

The backport to 1.1 failed:

The process '/usr/bin/git' failed with exit code 1

To backport manually, run these commands in your terminal:

# Fetch latest updates from GitHub
git fetch
# Create a new working tree
git worktree add .worktrees/backport-1.1 1.1
# Navigate to the new working tree
cd .worktrees/backport-1.1
# Create a new branch
git switch --create backport/backport-1679-to-1.1
# Cherry-pick the merged commit of this pull request and resolve the conflicts
git cherry-pick -x --mainline 1 9967fb1e889c2459bccafe01b187ef6ba8b7992d
# Push it to GitHub
git push --set-upstream origin backport/backport-1679-to-1.1
# Go back to the original working tree
cd ../..
# Delete the working tree
git worktree remove .worktrees/backport-1.1

Then, create a pull request where the base branch is 1.1 and the compare/head branch is backport/backport-1679-to-1.1.
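
The three bot comments above give the same manual-backport recipe and report the same failure ("/usr/bin/git" exiting with code 1, which in this recipe most often means the cherry-pick did not apply cleanly). The script below is an added example, not code from this PR or from opensearch-trigger-bot: it runs that recipe against a throwaway repository constructed inside the script (the branch names 1.0 and 1.3, the build.gradle contents and the commit messages are all made up), shows a clean apply on one release branch and a conflict on the other, and aborts the conflicted cherry-pick after listing the unmerged files. The --mainline 1 option from the bot's recipe is left out because the constructed commit is not a merge commit.

```shell
#!/bin/sh
# Added example, not code from the PR or from opensearch-trigger-bot:
# the bot's manual-backport recipe run against a constructed local repository,
# so the "git failed with exit code 1" outcome can be reproduced and handled.
# Branch names, file contents and commit messages here are all constructed.
set -e

# Fixed identity and settings so the example runs on a machine with no git config.
GIT="git -c user.name=example -c user.email=example@example.invalid -c commit.gpgsign=false"

# Build a throwaway repo and print its path. 'main' carries the dependency bump;
# release branch '1.0' edited the same line (cherry-pick will conflict) while
# release branch '1.3' touched an unrelated file (cherry-pick applies cleanly).
make_repo() (
  repo=$(mktemp -d)
  cd "$repo"
  $GIT init -q
  $GIT symbolic-ref HEAD refs/heads/main
  printf 'jackson_databind_version = OLD_VERSION\n' > build.gradle
  $GIT add build.gradle
  $GIT commit -q -m "initial build file"
  $GIT branch 1.0
  $GIT branch 1.3
  printf 'jackson_databind_version = NEW_VERSION\n' > build.gradle
  $GIT commit -q -am "Update to most recent version of jackson-databind"
  $GIT switch -q 1.0
  printf 'jackson_databind_version = RELEASE_PINNED_VERSION\n' > build.gradle
  $GIT commit -q -am "pin dependency for the 1.0 release"
  $GIT switch -q 1.3
  printf 'release notes for 1.3\n' > NOTES.md
  $GIT add NOTES.md
  $GIT commit -q -m "add 1.3 release notes"
  $GIT switch -q main
  echo "$repo"
)

# The commit to backport: the tip of 'main' in the constructed repo.
fix_commit() {
  $GIT -C "$1" rev-parse main
}

# Run the bot's recipe for repo $1, base branch $2 and commit $3.
# Prints "clean" (exit 0) if the cherry-pick applied, or "conflict" (exit 1)
# after listing the unmerged files on stderr and aborting the cherry-pick.
# --mainline is omitted: the constructed commit is not a merge commit.
backport() (
  repo=$1; base=$2; sha=$3
  cd "$repo"
  $GIT worktree add -q ".worktrees/backport-$base" "$base"
  cd ".worktrees/backport-$base"
  $GIT switch -q --create "backport/backport-to-$base"
  if $GIT cherry-pick -x "$sha" >/dev/null 2>&1; then
    status=clean; rc=0
  else
    echo "conflicting files on $base:" >&2
    $GIT diff --name-only --diff-filter=U >&2
    $GIT cherry-pick --abort
    status=conflict; rc=1
  fi
  cd "$repo"
  $GIT worktree remove --force ".worktrees/backport-$base"
  echo "$status"
  return $rc
)

# Stand-alone run (sh backport_demo.sh --demo): try both release branches.
if [ "${1:-}" = "--demo" ]; then
  repo=$(make_repo)
  sha=$(fix_commit "$repo")
  for base in 1.3 1.0; do
    result=$(backport "$repo" "$base" "$sha") || true
    echo "backport of $sha to $base: $result"
  done
fi
```

Run it with `sh backport_demo.sh --demo` to see both outcomes. `backport` prints `clean` or `conflict` and exits 0 or 1, so it can drive a loop over release branches or a CI step. The conflict path is the one the bot hit: at that point someone has to resolve the files listed before continuing, or, as the later discussion in this PR concludes, decide not to backport at all.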

davidlago pushed a commit that referenced this pull request Mar 22, 2022
Signed-off-by: Peter Nied <[email protected]>
(cherry picked from commit 9967fb1)

Co-authored-by: Peter Nied <[email protected]>
davidlago pushed a commit that referenced this pull request Mar 22, 2022
Signed-off-by: Peter Nied <[email protected]>
(cherry picked from commit 9967fb1)

Co-authored-by: Peter Nied <[email protected]>
@peternied peternied removed the labels "backport 1.2" (backport to 1.2 branch), "backport 1.3" (backport to 1.3 branch), "backport 1.1" (backport to 1.1 branch) and "backport 1.0" (backport to 1.0 branch) Mar 22, 2022
@peternied
Member Author

@cliu123 This change cannot be backported to 1.0, 1.1, 1.2, or 1.3 because OpenSearch already ships this binary and it would cause an issue when attempting to install the plugin

@cliu123
Member

cliu123 commented Mar 22, 2022

@peternied oops! So we should revert this backport PR? #1693

@peternied
Member Author

@cliu123 Yes we should

cliu123 added a commit to cliu123/security that referenced this pull request Mar 22, 2022
@cliu123
Member

cliu123 commented Mar 22, 2022

@peternied Good catch! Thanks for pointing this out! : ) I'll wait for a bit to confirm if this will be backported to all the old branches for the next potential patch versions. If not, I'll revert it from 1.3 branch.

@cliu123
Member

cliu123 commented Mar 22, 2022

The decision hasn't been finalized yet. I'll revert this from 1.3 branch for now.

@cliu123
Member

cliu123 commented Mar 22, 2022

Backporting from 1.3 branch: #1696

peternied pushed a commit that referenced this pull request Mar 22, 2022
wuychn pushed a commit to ochprince/security that referenced this pull request Mar 16, 2023