Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Updating jackson-databind for CVE-2020-36518 #129

Merged
merged 2 commits into from
Mar 30, 2022
Merged

Updating jackson-databind for CVE-2020-36518 #129

merged 2 commits into from
Mar 30, 2022

Conversation

VachaShah
Copy link
Collaborator

Signed-off-by: Vacha Shah vachshah@amazon.com

Description

Updating jackson-databind to 2.12.6.1 for CVE-2020-36518.

Issues Resolved

#121

Check List

  • Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

@VachaShah
Updating jackson-databind for CVE-2020-36518
5b9e4bb 
Signed-off-by: Vacha Shah <vachshah@amazon.com>
@VachaShah VachaShah requested review from a team and madhusudhankonda as code owners March 28, 2022 22:21
dblock
dblock previously approved these changes Mar 29, 2022
View reviewed changes
@VachaShah VachaShah mentioned this pull request Mar 29, 2022
Closed
1 task
@VachaShah VachaShah requested a review from CEHENKLE March 30, 2022 06:03
reta
reta previously approved these changes Mar 30, 2022
View reviewed changes
reta
reta reviewed Mar 30, 2022
View reviewed changes
java-client/build.gradle.kts Outdated
@@ -149,7 +149,7 @@ dependencies {
// Apache 2.0

implementation("com.fasterxml.jackson.core", "jackson-core", jacksonVersion)
implementation("com.fasterxml.jackson.core", "jackson-databind", jacksonVersion)
implementation("com.fasterxml.jackson.core", "jackson-databind", "2.12.6.1")
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It would be better to introduce jacksonDatabindVersion so we could change jacksonVersion & jacksonDatabindVersion in lockstep if needed

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That makes sense to me. @VachaShah , WDYT?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That sounds good! Added a commit to include jacksonDatabindVersion.

CEHENKLE
CEHENKLE previously approved these changes Mar 30, 2022
View reviewed changes
@VachaShah
Adding jacksonDatabindVersion variable
775f4fa 
Signed-off-by: Vacha Shah <vachshah@amazon.com>
@VachaShah VachaShah dismissed stale reviews from CEHENKLE, reta, and dblock via 775f4fa March 30, 2022 18:12
@VachaShah VachaShah requested review from CEHENKLE and dblock March 30, 2022 18:15
@VachaShah
Copy link
Collaborator Author

@reta I am not able to re-request a review from you

@dblock dblock requested a review from saratvemulapalli March 30, 2022 20:37
saratvemulapalli
saratvemulapalli approved these changes Mar 30, 2022
View reviewed changes
Copy link
Member

@saratvemulapalli saratvemulapalli left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Food for thought, is there a way we can fetch the dependency version defined in OpenSearch and consume it here?

@VachaShah
Copy link
Collaborator Author

Food for thought, is there a way we can fetch the dependency version defined in OpenSearch and consume it here?

I can look to see how that can work.

@VachaShah VachaShah merged commit c342838 into opensearch-project:main Mar 30, 2022
@VachaShah VachaShah deleted the jackson-databind-update branch March 30, 2022 20:51
@VachaShah VachaShah mentioned this pull request Mar 30, 2022
Closed
@reta
Copy link
Collaborator

reta commented Mar 30, 2022

Food for thought, is there a way we can fetch the dependency version defined in OpenSearch and consume it here?

I can look to see how that can work.

@VachaShah sorry if that is what you already have in mind, but Gradle has this version catalog feature with I think we could leverage to align the dependencies between all OpenSearch ecosystem.

[1] https://docs.gradle.org/current/userguide/platforms.html

@VachaShah VachaShah mentioned this pull request Apr 1, 2022
Merged
1 task
@saratvemulapalli saratvemulapalli mentioned this pull request Apr 5, 2022
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@saratvemulapalli saratvemulapalli saratvemulapalli approved these changes

@dblock dblock dblock approved these changes

@reta reta reta approved these changes

@madhusudhankonda madhusudhankonda Awaiting requested review from madhusudhankonda madhusudhankonda is a code owner

@CEHENKLE CEHENKLE Awaiting requested review from CEHENKLE

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@VachaShah @reta @dblock @saratvemulapalli @CEHENKLE