Upgrade commons-beanutils 1.9.4 #5319

Closed
wants to merge 1 commit into from

Conversation

olamy
Copy link
Member

@olamy olamy commented Mar 1, 2021

Proposed changelog entries

  • Upgrade commons-beanutils 1.9.4. The previous version suffers from CVE-2019-10086 (GHSA-6phf-73q6-gh87). Even if we do not use this code path, this will prevent some security scanning tools from reporting an error.

Proposed upgrade guidelines

N/A

Submitter checklist

  • (If applicable) Jira issue is well described
  • Changelog entries and upgrade guidelines are appropriate for the audience affected by the change (users or developers, depending on the change). Examples
    • Fill in the Proposed upgrade guidelines section only if there are breaking changes or other changes which may require extra steps from users during the upgrade
  • Appropriate autotests or explanation to why this change has no tests
  • For dependency updates: links to external changelogs and, if possible, full diffs

Desired reviewers

@mention

Maintainer checklist

Before the changes are marked as ready-for-merge:

  • There are at least 2 approvals for the pull request and no outstanding requests for change
  • Conversations in the pull request are over OR it is explicit that a reviewer does not block the change
  • Changelog entries in the PR title and/or Proposed changelog entries are correct
  • Proper changelog labels are set so that the changelog can be generated automatically
  • If the change needs additional upgrade steps from users, upgrade-guide-needed label is set and there is a Proposed upgrade guidelines section in the PR title. (example)
  • If it would make sense to backport the change to LTS, a Jira issue must exist, be a Bug or Improvement, and be labeled as lts-candidate to be considered (see query).
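The changelog entry above names CVE-2019-10086 without saying what it is. The issue is that commons-beanutils up to 1.9.3 lets PropertyUtils resolve the `class` property that every Java object has, so code that feeds attacker-controlled property names into beanutils hands back a `java.lang.Class` (and from it a ClassLoader). 1.9.4 registers `SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS` by default, which removes that descriptor. The following program is an added example, not code from this PR or from Jenkins or commons-beanutils; it shows how to check which behaviour the beanutils on your classpath has, and how to opt into the suppression on 1.9.2/1.9.3 before the upgrade. The class names `BeanUtilsClassPropertyCheck` and `Job` and the bean's `name` property are mine; the only assumption is a commons-beanutils jar (1.9.3 or 1.9.4) plus its commons-logging dependency on the classpath.

```java
// Added example (not part of Jenkins PR #5319 or of commons-beanutils).
// Shows the behaviour change behind CVE-2019-10086: on 1.9.3 the "class"
// property of any bean is readable through PropertyUtils; on 1.9.4 it is
// suppressed by default via SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS.
//
// Assumed build/run setup (versions are illustrative):
//   javac -cp commons-beanutils-1.9.4.jar BeanUtilsClassPropertyCheck.java
//   java  -cp .:commons-beanutils-1.9.4.jar:commons-logging-1.2.jar BeanUtilsClassPropertyCheck
import org.apache.commons.beanutils.PropertyUtils;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

public class BeanUtilsClassPropertyCheck {

    /** Stand-in bean; think of anything whose property names come from untrusted input. */
    public static class Job {
        private String name = "build-1";
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
    }

    /**
     * Returns true when PropertyUtils resolves the property name "class" to the
     * bean's java.lang.Class, i.e. the CVE-2019-10086 code path is reachable.
     */
    static boolean classPropertyExposed(Object bean) {
        try {
            Object value = PropertyUtils.getProperty(bean, "class");
            return value instanceof Class;
        } catch (NoSuchMethodException e) {
            // The introspector removed the "class" descriptor: access is blocked.
            return false;
        } catch (ReflectiveOperationException e) {
            // IllegalAccessException / InvocationTargetException: not the case under test.
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) throws ReflectiveOperationException {
        Job job = new Job();

        // Library defaults: 1.9.3 prints true (exposed), 1.9.4 prints false (suppressed).
        System.out.println("class property exposed with library defaults: "
                + classPropertyExposed(job));

        // Explicit opt-in available since 1.9.2; this is what a project still on
        // 1.9.3 would add until it can upgrade. On 1.9.4 it is already registered.
        PropertyUtils.addBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
        // Descriptors are cached per class; clear them so the new introspector takes effect.
        PropertyUtils.clearDescriptors();
        System.out.println("class property exposed after SUPPRESS_CLASS: "
                + classPropertyExposed(job));

        // Ordinary properties keep working either way.
        System.out.println("name = " + PropertyUtils.getProperty(job, "name"));
    }
}
```

The practical caveat for a version bump like this one: any code that legitimately read `class` (or a nested path such as `class.classLoader`) through beanutils starts failing with `NoSuchMethodException("Unknown property 'class' ...")` after the upgrade, so the change needs a full test run rather than a pom.xml edit alone.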

@olamy olamy added dependencies Pull requests that update a dependency file java Pull requests that update Java code labels Mar 1, 2021
@olamy olamy marked this pull request as draft March 1, 2021 00:38
@olamy olamy marked this pull request as ready for review March 1, 2021 05:10
@MarkEWaite
Copy link
Contributor

Daniel Beck mentioned on the Jenkins Developers list that there have been two failed pull requests attempting to update from commons-beanutils 1.9.3 to 1.9.4. There is more to this upgrade than changing the pom.xml file.

See #4328 and #4928, along with comments in #5124.

@res0nance
Copy link
Contributor

There is also #5246

@daniel-beck
Copy link
Member

> There is also #5246

Closing in favor of that.
