
Conversation

@sullis sullis commented Dec 20, 2017

No description provided.

@pivotal-issuemaster

@sullis Please sign the Contributor License Agreement!

@pivotal-issuemaster

@sullis Thank you for signing the Contributor License Agreement!

rwinch commented Dec 20, 2017

Thanks for the PR! Unfortunately, it appears that the update in Jackson is a breaking change because our tests now break. Specifically I see the following failures:

:spring-security-cas:test

org.springframework.security.cas.jackson2.CasAuthenticationTokenMixinTests > serializeCasAuthenticationTestAfterEraseCredentialInvoked FAILED
    java.lang.AssertionError at CasAuthenticationTokenMixinTests.java:121

org.springframework.security.cas.jackson2.CasAuthenticationTokenMixinTests > serializeCasAuthenticationTest FAILED
    java.lang.AssertionError at CasAuthenticationTokenMixinTests.java:113

:spring-security-core:test

org.springframework.security.jackson2.UsernamePasswordAuthenticationTokenMixinTests > serializeAuthenticatedUsernamePasswordAuthenticationTokenMixinAfterEraseCredentialInvoked FAILED
    java.lang.AssertionError at UsernamePasswordAuthenticationTokenMixinTests.java:133

org.springframework.security.jackson2.UsernamePasswordAuthenticationTokenMixinTests > serializeAuthenticatedUsernamePasswordAuthenticationTokenMixinWithUserTest FAILED
    java.lang.AssertionError at UsernamePasswordAuthenticationTokenMixinTests.java:114

org.springframework.security.jackson2.RememberMeAuthenticationTokenMixinTests > serializeRememberMeAuthenticationWithUserToken FAILED
    java.lang.AssertionError at RememberMeAuthenticationTokenMixinTests.java:84

org.springframework.security.jackson2.RememberMeAuthenticationTokenMixinTests > serializeRememberMeAuthenticationWithUserTokenAfterEraseCredential FAILED
    java.lang.AssertionError at RememberMeAuthenticationTokenMixinTests.java:93

org.springframework.security.jackson2.UserDeserializerTests > serializeUserWithoutAuthority FAILED
    java.lang.AssertionError at UserDeserializerTests.java:67

org.springframework.security.jackson2.UserDeserializerTests > serializeUserTest FAILED
    java.lang.AssertionError at UserDeserializerTests.java:60

org.springframework.security.jackson2.AnonymousAuthenticationTokenMixinTests > serializeAnonymousAuthenticationTokenTest FAILED
    java.lang.AssertionError at AnonymousAuthenticationTokenMixinTests.java:59

org.springframework.security.jackson2.AnonymousAuthenticationTokenMixinTests > serializeAnonymousAuthenticationTokenMixinAfterEraseCredentialTest FAILED
    java.lang.AssertionError at AnonymousAuthenticationTokenMixinTests.java:87

We need to fix these failures before updating.

@rwinch rwinch self-assigned this Dec 20, 2017
@rwinch rwinch added the labels in: build (An issue in the build), status: waiting-for-feedback (We need additional information before we can continue) and type: enhancement (A general enhancement) on Dec 20, 2017
sullis commented Dec 20, 2017

FYI - this Jackson library upgrade is related to:

"CVE-2017-4995 Spring Security: Deserialization of untrusted data via Jackson"
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-4995

rwinch commented Dec 20, 2017

@sullis Thanks for the additional information. Can you clarify how it is related? The CVE mentioned there was fixed in Spring Security and the related fixes in Jackson were fixed in 2.9.0.pr3+ so there should not be any issue with the dependencies as is.

PS: I'd love to update regardless, but we cannot do anything until we resolve the test failures.
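
The Spring Security Jackson wiring the failing mixin tests exercise, as an added example that is not code from this PR or from the Spring Security project: the ObjectMapper registers only the modules returned by SecurityJackson2Modules.getModules and never calls enableDefaultTyping() itself. Global default typing applied to untrusted JSON is the configuration CVE-2017-4995 concerns, and in the patched releases the modules install their own restricted type handling, so the application should not add a broader one on top. The class name SecurityJacksonRoundTrip, the user "alice", the password "secret" and the role ROLE_USER are constructed for the example.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.jackson2.SecurityJackson2Modules;

/**
 * Added example (not part of this PR or of Spring Security): round-trips an
 * Authentication through Jackson using only the Spring Security modules, with
 * and without eraseCredentials(), mirroring the two kinds of mixin tests that
 * failed on the Jackson upgrade.
 */
public class SecurityJacksonRoundTrip {

    /** An ObjectMapper with the Spring Security modules registered and nothing else. */
    static ObjectMapper securityMapper() {
        ObjectMapper mapper = new ObjectMapper();
        ClassLoader loader = SecurityJacksonRoundTrip.class.getClassLoader();
        // Do NOT call mapper.enableDefaultTyping() here. Global default typing on
        // untrusted input is the setting behind CVE-2017-4995; the patched
        // security modules configure the type handling they need themselves.
        mapper.registerModules(SecurityJackson2Modules.getModules(loader));
        return mapper;
    }

    /**
     * Serializes an authenticated token and reads it back. With eraseCredentials
     * set, the password is cleared first, as in the *AfterEraseCredential* tests.
     */
    static UsernamePasswordAuthenticationToken roundTrip(ObjectMapper mapper, boolean eraseCredentials)
            throws Exception {
        // Constructed sample principal; these values are not from the page.
        User user = new User("alice", "secret", AuthorityUtils.createAuthorityList("ROLE_USER"));
        UsernamePasswordAuthenticationToken token =
                new UsernamePasswordAuthenticationToken(user, user.getPassword(), user.getAuthorities());
        if (eraseCredentials) {
            token.eraseCredentials();
        }
        String json = mapper.writeValueAsString(token);
        // Printing the JSON shows the @class type ids the mixins emit; a Jackson
        // upgrade that changes this shape is what breaks the serialize* tests.
        System.out.println(json);
        return mapper.readValue(json, UsernamePasswordAuthenticationToken.class);
    }

    public static void main(String[] args) throws Exception {
        ObjectMapper mapper = securityMapper();
        for (boolean erase : new boolean[] {false, true}) {
            UsernamePasswordAuthenticationToken back = roundTrip(mapper, erase);
            System.out.println("principal=" + back.getName()
                    + " authenticated=" + back.isAuthenticated()
                    + " credentialsPresent=" + (back.getCredentials() != null));
        }
    }
}
```

Run it with spring-security-core and jackson-databind on the classpath; comparing the printed JSON before and after a Jackson upgrade is the quickest way to see which of the mixin tests above will be affected and why.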

rwinch commented Feb 2, 2018

Thanks again for reporting this and the PR @sullis! Closing this in favor of #4985, which updates to Jackson 2.9.4, which fixed some of the regressions we were encountering and provides fixes for the additional regressions.

@rwinch rwinch closed this Feb 2, 2018
@rwinch rwinch added the label status: declined (A suggestion or change that we don't feel we should currently apply) and removed the label status: waiting-for-feedback (We need additional information before we can continue) on Feb 2, 2018