
merge CVE from 2.9 branch(ad5a63017) #2858

Merged (1 commit, Sep 22, 2020)

Conversation

qxo (Contributor) commented Sep 21, 2020

ref PR: #2653 #2658 #2659 #2660 #2662 #2664 #2666 #2670 #2680 #2682 #2688 #2698 #2704 #2765 #2798 #2814 #2826 #2827 #2854

This PR was made by:

  1. generating the CVE diff:
     git diff ad5a630 -- src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java

  2. cleaning up the diff, keeping only the CVE change

  3. applying the diff

  4. checking to make sure only the AutoType CVE change is committed.

```
# "log1" is not a built-in git subcommand; it is a git alias on the author's machine.
# -n 17 limits the log to the 17 most recent commits touching SubTypeValidator.java;
# the awk loop prints every whitespace/comma-separated field containing "#<digits>".
PR_LIST=$(git log1 -n 17 ad5a63017 -- src/main/java/com/fasterxml/jackson/databind/jsontype/impl/SubTypeValidator.java | awk -F'[ ,]+' '{for(i=1;i<=NF;i++){a=$(i);if(match(a,/#[0-9]+/)){print a;}}}' | sort | uniq);echo "$PR_LIST" | wc -l
echo $PR_LIST
```

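To make step 4 reproducible, here is an added example (not part of the PR or the jackson-databind project) that runs the description's awk extraction over a constructed one-line log sample and reports any PR reference the backport claims to carry but the log does not mention. The sample log lines and the PR numbers in the usage call are constructed, and the awk prints only the matched `#NNNN` instead of the whole field so surrounding punctuation does not create duplicates.

```shell
#!/bin/sh
# Added example, not from the PR: the log text is supplied directly so the check
# runs offline (the original used the author's "git log1" alias).

# Constructed sample of one-line git log output; not real jackson-databind history.
SAMPLE_LOG='ad5a630 Merge pull request #2854 from example/block-gadget (#2827, #2826)
1111111 Fix #2814: add another class to SubTypeValidator blocklist
2222222 Backport #2798 and #2765 to this branch
3333333 unrelated cleanup, no PR reference'

# Same pipeline as the PR description: split on spaces/commas, print each
# field that contains "#<digits>" (only the matched part), then dedupe.
extract_pr_refs() {
    printf '%s\n' "$1" \
      | awk -F'[ ,]+' '{for(i=1;i<=NF;i++){a=$(i);if(match(a,/#[0-9]+/)){print substr(a,RSTART,RLENGTH);}}}' \
      | sort | uniq
}

# Print the claimed refs that are absent from the log (space separated, one line).
# Exit status is 0 only when nothing is missing, so it can gate a merge.
check_backport_refs() {
    log_text="$1"
    expected="$2"
    found=$(extract_pr_refs "$log_text")
    missing=""
    for ref in $expected; do
        if ! printf '%s\n' "$found" | grep -qx "$ref"; then
            missing="$missing $ref"
        fi
    done
    printf '%s\n' "${missing# }"
    [ -z "$missing" ]
}

# Usage: compare the refs the PR claims (constructed list) against the sample log.
check_backport_refs "$SAMPLE_LOG" "#2765 #2798 #2814 #2826 #2827 #2854 #2653" \
  || echo "backport is missing the refs listed above"
```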
cowtowncoder (Member) commented:

@qxo while I can merge this backport, I am not sure there is much benefit -- no one seems to be using the latest micro-patch of 2.7 (2.7.9.7); and I have no plans to release new micro-patch versions of anything prior to Jackson 2.9 (for Jackson 2.9 last release would probably be by end of 2020).

So I was wondering about benefits here.

qxo (Contributor, Author) commented Sep 22, 2020

> @qxo while I can merge this backport, I am not sure there is much benefit -- no one seems to be using the latest micro-patch of 2.7 (2.7.9.7); and I have no plans to release new micro-patch versions of anything prior to Jackson 2.9 (for Jackson 2.9 last release would probably be by end of 2020).
>
> So I was wondering about benefits here.

Because we have some environments where Java is still Java 1.6 :(
This PR suits those who have to use the Jackson 2.7 branch on Java 1.6.

cowtowncoder (Member) commented Sep 22, 2020

I guess what I am saying is that I can merge this (and even move forward), but there will be no new published versions.

I'll merge this as it will then be easier to do local builds or something: I think you are already using a fork or something as no one is publicly using the latest patch (2.7.9.7) anyway:

https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-databind/2.7.9.7

Thank you!

@cowtowncoder cowtowncoder merged commit 08fbfac into FasterXML:2.7 Sep 22, 2020
cowtowncoder added a commit that referenced this pull request Sep 22, 2020