
Upgrade XStream from 1.4.19 to 1.4.20 #7548

Merged

Conversation

dependabot[bot]
Contributor

@dependabot dependabot bot commented on behalf of github Dec 26, 2022

Upgrade XStream from 1.4.19 to 1.4.20.

Release notes

Sourced from XStream's releases.

1.4.20

Released December 24, 2022.

This maintenance release addresses the security vulnerabilities CVE-2022-40151 and CVE-2022-41966, causing a Denial of Service by raising a stack overflow. It also provides new converters for Optional and Atomic types.

Major changes

  • #308: Add converter for AtomicBoolean, AtomicInteger, AtomicLong, and AtomicReference of package java.util.concurrent.atomic.
  • #293: Add converter for Optional, OptionalDouble, OptionalInt, and OptionalLong of package java.util.

Minor changes

  • #287: Close stream opened from provided URL.
  • #284: Fix disabling check against hash code attack with XStream.setCollectionUpdateLimit(0).

Stream compatibility

  • The atomic types with new converters of package java.util.concurrent.atomic, that have been written with previous versions of XStream, can still be deserialized.
  • The Optional types with new converters of package java.util, that have been written with previous versions of XStream, can still be deserialized.
  • The WildcardTypePermission allows by default no longer anonymous class types.

API changes

  • Added c.t.x.converters.extended.AtomicBooleanConverter.
  • Added c.t.x.converters.extended.AtomicIntegerConverter.
  • Added c.t.x.converters.extended.AtomicLongConverter.
  • Added c.t.x.converters.extended.AtomicReferenceConverter.
  • Added c.t.x.converters.extended.OptionalConverter.
  • Added c.t.x.converters.extended.OptionalDoubleConverter.
  • Added c.t.x.converters.extended.OptionalIntConverter.
  • Added c.t.x.converters.extended.OptionalLongConverter.
  • Added c.t.x.security.WildcardTypePermission.WildcardTypePermission(boolean,String[]).

See full diff in compare view. Per #7270:

When the upstream change is merged and released, and when we upgrade to that release, this custom converter can be removed.

Upstream has fixed this issue, and this PR upgrades to that release, so accordingly this PR reverts #7270.

Testing done

Integration testing

Ran mvn clean verify -Dtest=hudson.bugs.DateConversionTest,hudson.cli.UpdateViewCommandTest,hudson.model.CauseTest,hudson.model.ComputerConfigDotXmlTest,hudson.model.ParametersAction2Test,hudson.model.QueueTest,hudson.model.RunParameterValueTest,hudson.model.ViewTest,hudson.PluginManagerTest,hudson.util.CopyOnWriteListTest,hudson.util.CopyOnWriteMapTest,hudson.util.DescribableListTest,hudson.util.PackedMapTest,hudson.util.RobustCollectionConverterTest,hudson.util.RobustMapConverterTest,hudson.util.RobustReflectionConverterTest,hudson.util.SecretTest,hudson.util.XStream2AnnotationTest,hudson.util.XStream2EncodingTest,hudson.util.XStream2Security383Test,hudson.util.XStream2Test,hudson.XmlFileTest,jenkins.install.InstallStateTest,jenkins.security.ClassFilterImplTest,jenkins.security.Security637Test,jenkins.util.xstream.AtomicBooleanFieldsTest,jenkins.util.xstream.XStreamDOMTest,jenkins.widgets.BuildTimeTrendTest.

Functional testing

Ran a Docker build on Java 17 with the workaround from #7270 reverted both before and after the XStream upgrade. Before the XStream upgrade, the build failed as in jenkinsci/docker-plugin#905. After the XStream upgrade, the build passed. Inspected the serialized AtomicBoolean field to ensure it was using the new format. Also manually verified that the old format could still be deserialized.

Proposed changelog entries

Upgrade XStream from 1.4.19 to 1.4.20. This maintenance release addresses the security vulnerabilities CVE-2022-40151 and CVE-2022-41966, causing a Denial of Service by raising a stack overflow. It also provides new converters for Optional and Atomic types.

Proposed upgrade guidelines

N/A

Submitter checklist

  • The Jira issue, if it exists, is well-described.
  • The changelog entries and upgrade guidelines are appropriate for the audience affected by the change (users or developers, depending on the change) and are in the imperative mood (see examples).
    • Fill in the Proposed upgrade guidelines section only if there are breaking changes or changes that may require extra steps from users during upgrade.
  • There is automated testing or an explanation as to why this change has no tests.
  • New public classes, fields, and methods are annotated with @Restricted or have @since TODO Javadocs, as appropriate.
  • New deprecations are annotated with @Deprecated(since = "TODO") or @Deprecated(forRemoval = true, since = "TODO"), if applicable.
  • New or substantially changed JavaScript is not defined inline and does not call eval to ease future introduction of Content Security Policy (CSP) directives (see documentation).
  • For dependency updates, there are links to external changelogs and, if possible, full differentials.
  • For new APIs and extension points, there is a link to at least one consumer.

Desired reviewers

@mention

Maintainer checklist

Before the changes are marked as ready-for-merge:

  • There are at least 2 approvals for the pull request and no outstanding requests for change
  • Conversations in the pull request are over OR it is explicit that a reviewer does not block the change
  • Changelog entries in the PR title and/or Proposed changelog entries are accurate, human-readable, and in the imperative mood
  • Proper changelog labels are set so that the changelog can be generated automatically
  • If the change needs additional upgrade steps from users, upgrade-guide-needed label is set and there is a Proposed upgrade guidelines section in the PR title. (example)
  • If it would make sense to backport the change to LTS, a Jira issue must exist, be a Bug or Improvement, and be labeled as lts-candidate to be considered (see query).

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [xstream](https://github.com/x-stream/xstream) from 1.4.19 to 1.4.20.
- [Release notes](https://github.com/x-stream/xstream/releases)
- [Commits](https://github.com/x-stream/xstream/commits)

---
updated-dependencies:
- dependency-name: com.thoughtworks.xstream:xstream
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
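The configuration a consumer of this release would want to pair with the upgrade, as an added example that is not code from this PR, from Jenkins core or from XStream itself: an allow-list-based XStream 1.4.20 setup that uses the new WildcardTypePermission(boolean, String[]) constructor and setCollectionUpdateLimit (the hash-code attack guard whose "0 disables" behaviour #284 fixed), a round trip of a record holding an AtomicBoolean so that the new AtomicBooleanConverter rather than reflection writes it, a read of the pre-1.4.20 layout of AtomicBoolean to exercise the stream-compatibility promise, and a check that a type outside the allow-list is refused. The package example.xstream, the BuildRecord class, the meaning of the boolean constructor argument (taken here to be "allow anonymous classes") and the legacy XML layout are assumptions made for the example.

```java
package example.xstream;

import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;
import com.thoughtworks.xstream.security.WildcardTypePermission;

import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.concurrent.atomic.AtomicBoolean;

/** Hardened XStream 1.4.20 setup; an example class, not Jenkins' XStream2. */
public class HardenedXStreamExample {

    /** Hypothetical record type whose only purpose is to exercise the allow-list and converters. */
    public static class BuildRecord {
        String name;
        AtomicBoolean keepForever = new AtomicBoolean(false);
        List<String> tags = new ArrayList<>();
    }

    public static XStream newHardenedXStream() {
        XStream xs = new XStream();
        // Replace XStream's permissive defaults with an explicit allow-list.
        xs.addPermission(NoTypePermission.NONE);
        xs.addPermission(NullPermission.NULL);
        xs.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xs.allowTypeHierarchy(Collection.class);
        xs.allowTypes(new Class[] { String.class, AtomicBoolean.class });
        // New constructor in 1.4.20. The boolean is assumed to control whether anonymous
        // classes may match the patterns; false keeps the new default of rejecting them.
        xs.addPermission(new WildcardTypePermission(false, new String[] { "example.xstream.**" }));
        // Cap, in seconds, the time spent re-hashing collections while unmarshalling.
        // 0 disables the check entirely, which 1.4.20 now honours correctly (#284).
        xs.setCollectionUpdateLimit(5);
        return xs;
    }

    /** Serialises a record, reads it back, verifies the fields and returns the XML that was written. */
    public static String roundTrip(XStream xs, BuildRecord rec) {
        String xml = xs.toXML(rec);
        BuildRecord back = (BuildRecord) xs.fromXML(xml);
        if (back.keepForever.get() != rec.keepForever.get() || !back.tags.equals(rec.tags)) {
            throw new AssertionError("round trip changed the record");
        }
        return xml;
    }

    /** Returns true if the hardened instance refuses a class that is not on the allow-list. */
    public static boolean rejectsUnlistedType(XStream xs) {
        // Constructed input naming a class the allow-list does not cover.
        String unlisted = "<java.lang.ProcessBuilder><command/></java.lang.ProcessBuilder>";
        try {
            xs.fromXML(unlisted);
            return false;
        } catch (ForbiddenClassException expected) {
            return true;
        }
    }

    public static void main(String[] args) {
        XStream xs = newHardenedXStream();

        BuildRecord rec = new BuildRecord();
        rec.name = "nightly";
        rec.keepForever.set(true);
        rec.tags.add("lts");
        // With 1.4.20 the AtomicBoolean field is written by AtomicBooleanConverter,
        // so no reflective access into java.util.concurrent.atomic is needed on Java 17.
        System.out.println(roundTrip(xs, rec));

        // Stream compatibility: the pre-1.4.20 reflection-based layout of AtomicBoolean
        // (assumed here to be its int "value" field) must still unmarshal.
        String legacy = "<java.util.concurrent.atomic.AtomicBoolean><value>1</value>"
                + "</java.util.concurrent.atomic.AtomicBoolean>";
        AtomicBoolean fromLegacy = (AtomicBoolean) xs.fromXML(legacy);
        if (!fromLegacy.get()) throw new AssertionError("legacy AtomicBoolean layout not read");

        if (!rejectsUnlistedType(xs)) throw new AssertionError("unlisted type was accepted");
        System.out.println("allow-list enforced, legacy AtomicBoolean layout accepted");
    }
}
```

Compile and run it with xstream 1.4.20 on the class path. The allow-list is what makes the type permission changes in this release matter: with XStream's default permissions the WildcardTypePermission change has nothing to restrict, and the collection update limit only bounds the cost of input that was already allowed to be instantiated.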
@dependabot dependabot bot added the `dependencies` (Pull requests that update a dependency file) and `java` (Pull requests that update Java code) labels Dec 26, 2022
@basil basil changed the title from "Bump xstream from 1.4.19 to 1.4.20" to "Upgrade XStream from 1.4.19 to 1.4.20" Dec 26, 2022
@basil basil added the `rfe` label (For changelog: Minor enhancement. Use `major-rfe` for changes to be highlighted) Dec 26, 2022
Member

@basil basil left a comment


This PR is now ready for merge. We will merge it after approximately 24 hours if there is no negative feedback. Please see the merge process documentation for more information about the merge process. Thanks!

@basil basil added the `ready-for-merge` label (The PR is ready to go, and it will be merged soon if there is no negative feedback) Dec 26, 2022
@basil basil merged commit 3965fec into master Dec 27, 2022
@basil basil deleted the dependabot/maven/com.thoughtworks.xstream-xstream-1.4.20 branch December 27, 2022 18:40