Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

HBASE-27423 Upgrade Jackson for CVE-2022-42003/42004 #4821

Closed
wants to merge 1 commit into from
Closed

HBASE-27423 Upgrade Jackson for CVE-2022-42003/42004 #4821

wants to merge 1 commit into from

Conversation

apurtell
Copy link
Contributor

@apurtell apurtell commented Oct 11, 2022
edited
Loading

Jackson 2.13.4 fixes CVE-2022-42004 and databind 2.14.0-rc1 fixes CVE-2022-42003.

Move jackson.version to 2.13.4.
Move jackson.databind.version to 2.14.0-rc1.

@apurtell apurtell requested a review from Apache9 October 11, 2022 00:36
@apurtell
HBASE-27423 Upgrade Jackson for CVE-2022-42003/42004
de66949 
Jackson 2.13.4 fixes CVE-2022-42004 and databind 2.14.0-rc1 fixes CVE-2022-42003.

Move jackson.version to 2.13.4.
Move jackson.databind.version to 2.14.0-rc1.
@Apache-HBase
Copy link

🎊 +1 overall

Vote Subsystem Runtime Comment
+0 🆗 reexec 1m 1s Docker mode activated.
_ Prechecks _
+1 💚 dupname 0m 0s No case conflicting files found.
+1 💚 @author 0m 0s The patch does not contain any @author tags.
_ master Compile Tests _
+1 💚 mvninstall 2m 19s master passed
+1 💚 compile 6m 21s master passed
+1 💚 spotless 0m 40s branch has no errors when running spotless:check.
_ Patch Compile Tests _
+1 💚 mvninstall 2m 7s the patch passed
+1 💚 compile 6m 26s the patch passed
-0 ⚠️ javac 6m 26s root generated 2 new + 701 unchanged - 2 fixed = 703 total (was 703)
+1 💚 whitespace 0m 0s The patch has no whitespace issues.
+1 💚 xml 0m 0s The patch has no ill-formed XML file.
+1 💚 hadoopcheck 7m 59s Patch does not cause any errors with Hadoop 3.2.4 3.3.4.
+1 💚 spotless 0m 39s patch has no errors when running spotless:check.
_ Other Tests _
+1 💚 asflicense 0m 13s The patch does not generate ASF License warnings.
32m 59s
Subsystem Report/Notes
Docker ClientAPI=1.41 ServerAPI=1.41 base: https://ci-hbase.apache.org/job/HBase-PreCommit-GitHub-PR/job/PR-4821/1/artifact/yetus-general-check/output/Dockerfile
GITHUB PR #4821
Optional Tests dupname asflicense javac hadoopcheck spotless xml compile
uname Linux eefa38f0e25f 5.4.0-124-generic #140-Ubuntu SMP Thu Aug 4 02:23:37 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
Build tool maven
Personality dev-support/hbase-personality.sh
git revision master / 8d2efc8
Default Java Temurin-1.8.0_345-b01
javac https://ci-hbase.apache.org/job/HBase-PreCommit-GitHub-PR/job/PR-4821/1/artifact/yetus-general-check/output/diff-compile-javac-root.txt
Max. process+thread count 139 (vs. ulimit of 30000)
modules C: . U: .
Console output https://ci-hbase.apache.org/job/HBase-PreCommit-GitHub-PR/job/PR-4821/1/console
versions git=2.17.1 maven=3.6.3
Powered by Apache Yetus 0.12.0 https://yetus.apache.org

This message was automatically generated.

@Apache9
Copy link
Contributor

Apache9 commented Oct 11, 2022

2.14.0-rc2 is out, maybe we should wait for 2.14.0 final release and then upgrading? Will need a new thirdparty release then...

@Apache-HBase
Copy link

💔 -1 overall

Vote Subsystem Runtime Comment
+0 🆗 reexec 1m 4s Docker mode activated.
-0 ⚠️ yetus 0m 4s Unprocessed flag(s): --brief-report-file --spotbugs-strict-precheck --whitespace-eol-ignore-list --whitespace-tabs-ignore-list --quick-hadoopcheck
_ Prechecks _
_ master Compile Tests _
+1 💚 mvninstall 2m 54s master passed
+1 💚 compile 1m 54s master passed
+1 💚 shadedjars 3m 51s branch has no errors when building our shaded downstream artifacts.
+1 💚 javadoc 1m 59s master passed
_ Patch Compile Tests _
+1 💚 mvninstall 2m 42s the patch passed
+1 💚 compile 2m 6s the patch passed
+1 💚 javac 2m 6s the patch passed
+1 💚 shadedjars 5m 3s patch has no errors when building our shaded downstream artifacts.
+1 💚 javadoc 2m 36s the patch passed
_ Other Tests _
-1 ❌ unit 328m 51s root in the patch failed.
355m 31s
Subsystem Report/Notes
Docker ClientAPI=1.41 ServerAPI=1.41 base: https://ci-hbase.apache.org/job/HBase-PreCommit-GitHub-PR/job/PR-4821/1/artifact/yetus-jdk11-hadoop3-check/output/Dockerfile
GITHUB PR #4821
Optional Tests javac javadoc unit shadedjars compile
uname Linux d655f6788467 5.4.0-122-generic #138-Ubuntu SMP Wed Jun 22 15:00:31 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
Build tool maven
Personality dev-support/hbase-personality.sh
git revision master / 8d2efc8
Default Java Eclipse Adoptium-11.0.16.1+1
unit https://ci-hbase.apache.org/job/HBase-PreCommit-GitHub-PR/job/PR-4821/1/artifact/yetus-jdk11-hadoop3-check/output/patch-unit-root.txt
Test Results https://ci-hbase.apache.org/job/HBase-PreCommit-GitHub-PR/job/PR-4821/1/testReport/
Max. process+thread count 2451 (vs. ulimit of 30000)
modules C: . U: .
Console output https://ci-hbase.apache.org/job/HBase-PreCommit-GitHub-PR/job/PR-4821/1/console
versions git=2.17.1 maven=3.6.3
Powered by Apache Yetus 0.12.0 https://yetus.apache.org

This message was automatically generated.

@Apache-HBase
Copy link

💔 -1 overall

Vote Subsystem Runtime Comment
+0 🆗 reexec 1m 32s Docker mode activated.
-0 ⚠️ yetus 0m 3s Unprocessed flag(s): --brief-report-file --spotbugs-strict-precheck --whitespace-eol-ignore-list --whitespace-tabs-ignore-list --quick-hadoopcheck
_ Prechecks _
_ master Compile Tests _
+1 💚 mvninstall 3m 54s master passed
+1 💚 compile 2m 39s master passed
+1 💚 shadedjars 5m 35s branch has no errors when building our shaded downstream artifacts.
+1 💚 javadoc 2m 49s master passed
_ Patch Compile Tests _
+1 💚 mvninstall 3m 48s the patch passed
+1 💚 compile 2m 33s the patch passed
+1 💚 javac 2m 33s the patch passed
+1 💚 shadedjars 5m 53s patch has no errors when building our shaded downstream artifacts.
+1 💚 javadoc 2m 41s the patch passed
_ Other Tests _
-1 ❌ unit 404m 36s root in the patch failed.
437m 58s
Subsystem Report/Notes
Docker ClientAPI=1.41 ServerAPI=1.41 base: https://ci-hbase.apache.org/job/HBase-PreCommit-GitHub-PR/job/PR-4821/1/artifact/yetus-jdk8-hadoop3-check/output/Dockerfile
GITHUB PR #4821
Optional Tests javac javadoc unit shadedjars compile
uname Linux 3eec98bdd734 5.4.0-124-generic #140-Ubuntu SMP Thu Aug 4 02:23:37 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
Build tool maven
Personality dev-support/hbase-personality.sh
git revision master / 8d2efc8
Default Java Temurin-1.8.0_345-b01
unit https://ci-hbase.apache.org/job/HBase-PreCommit-GitHub-PR/job/PR-4821/1/artifact/yetus-jdk8-hadoop3-check/output/patch-unit-root.txt
Test Results https://ci-hbase.apache.org/job/HBase-PreCommit-GitHub-PR/job/PR-4821/1/testReport/
Max. process+thread count 2342 (vs. ulimit of 30000)
modules C: . U: .
Console output https://ci-hbase.apache.org/job/HBase-PreCommit-GitHub-PR/job/PR-4821/1/console
versions git=2.17.1 maven=3.6.3
Powered by Apache Yetus 0.12.0 https://yetus.apache.org

This message was automatically generated.

@apurtell
Copy link
Contributor Author

2.14.0-rc2 is out, maybe we should wait for 2.14.0 final release and then upgrading?

Sure we can wait. I'll move this to draft and reschedule the JIRA.

Will need a new thirdparty release then...

You mean because of hbase-shaded-jackson-jaxrs-json-provider I presume. Ok.

@apurtell apurtell marked this pull request as draft October 11, 2022 17:05
@Apache9
Copy link
Contributor

Apache9 commented Nov 20, 2022

Fixed by #4878

@Apache9 Apache9 closed this Nov 20, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Apache9 Apache9 Awaiting requested review from Apache9

@ndimiduk ndimiduk Awaiting requested review from ndimiduk

@virajjasani virajjasani Awaiting requested review from virajjasani

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@apurtell @Apache-HBase @Apache9