Skip to content

[CVE-2020-36518] move jackson-databind to 2.13.2#2544

Closed
peternied wants to merge 2 commits intoopensearch-project:1.xfrom
peternied:1.x
Closed

[CVE-2020-36518] move jackson-databind to 2.13.2#2544
peternied wants to merge 2 commits intoopensearch-project:1.xfrom
peternied:1.x

Conversation

@peternied
Copy link
Copy Markdown
Member

@peternied peternied commented Mar 21, 2022

Description

Security took a fix for a opensearch-project/security#1687 and now is seeing a jar hell conflict. This will fix that conflict and fix the CVE in this version of OpenSearch

Caused by: java.lang.IllegalStateException: jar hell!
class: com.fasterxml.jackson.dataformat.cbor.CBORConstants
jar1: /opensearch/plugins/.installing-15168128924324[135](https://github.com/peternied/security/runs/5634491143?check_suite_focus=true#step:11:135)285/jackson-dataformat-cbor-2.13.2.jar
jar2: /opensearch/lib/jackson-dataformat-cbor-2.12.6.jar
	at org.opensearch.bootstrap.JarHell.checkClass(JarHell.java:317)
	at org.opensearch.bootstrap.JarHell.checkJarHell(JarHell.java:212)
	at org.opensearch.plugins.PluginsService.checkBundleJarHell(PluginsService.java:676)
	... 11 more

Check List

  • New functionality includes testing.
    • All tests pass
  • New functionality has been documented.
    • New functionality has javadoc added
  • Commits are signed per the DCO using --signoff

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
For more information on following Developer Certificate of Origin and signing off your commits, please check here.

@peternied
CVE-2020-36518 move jackson-databind to 2.13.2
82e09c6 
Signed-off-by: Peter Nied <petern@amazon.com>
@peternied peternied mentioned this pull request Mar 21, 2022
Merged
3 tasks
@peternied
Missing SHA for jackson-core-2.13.2.jar. Ran 'gradle updateSHAs' to c…
2357857 
…reate them

Signed-off-by: Peter Nied <petern@amazon.com>
@saratvemulapalli saratvemulapalli added dependencies Pull requests that update a dependency file >upgrade Label used when upgrading library dependencies (e.g., Lucene) v2.0.0 Version 2.0.0 labels Mar 21, 2022
@peternied
Copy link
Copy Markdown
Member Author

peternied commented Mar 21, 2022

@saratvemulapalli I am attempting to merge this PR onto 1.x and you've labeled it as v2.0.0 should this PR be recreated against main?

@opensearch-ci-bot
Copy link
Copy Markdown
Collaborator

opensearch-ci-bot commented Mar 21, 2022

❌   Gradle Check failure 82e09c6
Log 3628

Reports 3628

@opensearch-ci-bot
Copy link
Copy Markdown
Collaborator

opensearch-ci-bot commented Mar 21, 2022

❌   Gradle Check failure 2357857
Log 3629

Reports 3629

@peternied
Copy link
Copy Markdown
Member Author

peternied commented Mar 21, 2022

I believe the gradle check failure is resolved with #2543

* What went wrong:
Execution failed for task ':distribution:bwc:minor:buildBwcLinuxTar'.
> Building 1.3.0 didn't generate expected file /var/CITOOL/workflow/OpenSearch_CI/PR_Checks/Gradle_Check/search/distribution/bwc/minor/build/bwc/checkout-1.3/distribution/archives/linux-tar/build/distributions/opensearch-min-1.3.0-SNAPSHOT-linux-x64.tar.gz

nknize
nknize suggested changes Mar 21, 2022
View reviewed changes
Copy link
Copy Markdown
Contributor

@nknize nknize left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@peternied yes. please update the version on main first and then backport through applying the backport labels. This way we have a seamless upgrade across branches.

@saratvemulapalli
Copy link
Copy Markdown
Member

saratvemulapalli commented Mar 21, 2022

@peternied yes. please update the version on main first and then backport through applying the backport labels. This way we have a seamless upgrade across branches.

Thanks for this @nknize. I missed the change is merging to 1.x :).

@peternied
Copy link
Copy Markdown
Member Author

peternied commented Mar 21, 2022

Closing in favor of #2548

@peternied peternied closed this Mar 21, 2022
@peternied peternied deleted the 1.x branch March 21, 2022 21:54
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@saratvemulapalli saratvemulapalli Awaiting requested review from saratvemulapalli saratvemulapalli is a code owner

1 more reviewer

@nknize nknize nknize requested changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file >upgrade Label used when upgrading library dependencies (e.g., Lucene) v2.0.0 Version 2.0.0

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@peternied @opensearch-ci-bot @saratvemulapalli @nknize