Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[ELY-2352] UpRev Jackson to 2.13.3 #1721

Merged
merged 1 commit into from
Jun 23, 2022
Merged

[ELY-2352] UpRev Jackson to 2.13.3 #1721

merged 1 commit into from
Jun 23, 2022

Conversation

DanSalt
Copy link

@DanSalt DanSalt commented Jun 22, 2022
edited
Loading

https://issues.redhat.com/browse/ELY-2352

Addresses CVE-2020-36518
FasterXML/jackson-databind#2816
GHSA-57j2-w4cx-62h2

This fix improves on the Dependabot PR (#1699) which incorrectly bumps the version for the whole of Jackson to 2.13.2.1, which caused an error (because 2.13.2.1 only applied to jackson-databind). This PR bumps to the later (2.13.3) version, which also satisfies the CVE.

@DanSalt DanSalt changed the title UpRev Jackson Databind to 2.13.2.1 UpRev Jackson to 2.13.3 Jun 22, 2022
@fjuma
Copy link
Contributor

fjuma commented Jun 22, 2022

@DanSalt Thanks for this PR!

Just a small comment, would you be able to create an ELY issue for this upgrade here and then reference the ELY issue in the commit message? An example of the format we usually use can be seen here:

#1697

@DanSalt DanSalt changed the title UpRev Jackson to 2.13.3 [ELY-2352] UpRev Jackson to 2.13.3 Jun 22, 2022
@DanSalt
Copy link
Author

DanSalt commented Jun 22, 2022
edited
Loading

Hi @fjuma !

I've created the ELY issue (ELY-2352) and added it to the PR. But I'm not sure how to go back and retrofit it to the commit. Is that sufficient or do you need me to back out the change and re-commit?

@Ashpan
Copy link
Contributor

Ashpan commented Jun 22, 2022
edited
Loading

Hi @DanSalt,
Thanks for the PR!
To retrofit the commit, you would have to rebase your commits.
To do this, you need to run

  1. git rebase -i HEAD~2
  2. You'll see a screen that looks like this
pick 84ba2beb4a commit 1 message
pick c74aa75cf1 commit 2 message

You want to change this, so the first line says reword or r
and the second line says squash or s.
To enter edit mode, hit i

r 84ba2beb4a commit 1 message
s c74aa75cf1 commit 2 message
  1. Then save the file by hitting esc, then :, then wq
  2. Now you can edit your message by once again hitting i and changing it to an applicable commit message. Then esc, :, wq to save.
  3. Finally, you can push with git push -f to force overwrite the commit and its message

Here's some useful resources
Interactive Rebase: https://hackernoon.com/beginners-guide-to-interactive-rebasing-346a3f9c3a6d
Vim (the editor that's used for the interactive rebase): https://www.linux.com/training-tutorials/vim-101-beginners-guide-vim/

@DanSalt
[ELY-2352] Uprev Jackson to 2.13.3
7831c38 
Simplified PR using later 2.13.3 Jackson
@DanSalt
Copy link
Author

DanSalt commented Jun 22, 2022

Thanks @Ashpan -- that was really helpful :)

Should be all modified and ready to go now.

@Ashpan
Copy link
Contributor

Ashpan commented Jun 22, 2022

Thanks @Ashpan -- that was really helpful :)

Should be all modified and ready to go now.

@DanSalt Glad I could help.
The PR looks great now

fjuma
fjuma approved these changes Jun 22, 2022
View reviewed changes
Copy link
Contributor

@fjuma fjuma left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks very much for the updates, @DanSalt! Looks great.

And thanks @Ashpan for helping out!

We'll get this merged tomorrow.

Thanks again.

@fjuma fjuma added the +1 FJ label Jun 22, 2022
@Skyllarr Skyllarr merged commit f2ad31c into wildfly-security:1.x Jun 23, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Skyllarr Skyllarr Skyllarr approved these changes

@fjuma fjuma fjuma approved these changes

Assignees
No one assigned
Labels
+1 FJ
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@DanSalt @fjuma @Ashpan @Skyllarr