
Consider downgrading Jackson to 2.6 #6536

Closed
snicoll opened this issue Aug 2, 2016 · 12 comments
Labels
status: duplicate A duplicate of another issue

Comments

@snicoll
Member

snicoll commented Aug 2, 2016

As of 2.7, Jackson requires Java7. We also have report that it breaks with embedded elasticsearch (see #6508)

@snicoll snicoll added the for: team-attention An issue we'd like other members of the team to review label Aug 2, 2016
@wilkinsona
Member

I think 2.6.x would be a step too far. There's a security vulnerability in the XML mapper that is only fixed in 2.7.4 and later. While we don't use the XML mapper, I think it's preferable to not provide a vulnerable version by default rather than working with Java 6 by default. We already have some other dependencies that require Java 7 by default: Hikari, Jetty, and the Postgres JDBC driver, IIRC.

I could be persuaded that using 2.7.x in 1.4 and moving to 2.8 (or later) in 1.5 is a reasonable compromise. However, there's no guarantee that we won't face the same problem again. Elasticsearch has an upgrade to 2.8 planned but only for 3.0 (elastic/elasticsearch#18939) and we're using 2.3.x at the moment.

@snicoll
Member Author

snicoll commented Aug 3, 2016

I agree this isn't ideal, but what annoys me a lot is that start.spring.io can generate broken projects because of this. We would for sure need to update the documentation and maybe reference it when Java 6 is selected?

@rajadileepkolli
Contributor

Totally out of context, but the next Elasticsearch version will be 5.0.0, not 3.

@agebhar1
Contributor

agebhar1 commented Aug 4, 2016

I extended the test case for #6508 at /agebhar1/spring-boot-6508-jackson-elasticsearch with a profile using Jackson version 2.7.6 - all tests passed.

A short check with japicmp only on Jackson's core library, where the critical change for #6508 occurred, got:

java -jar japicmp-0.8.1-jar-with-dependencies.jar -o ~/.m2/repository/com/fasterxml/jackson/core/jackson-core/2.6.6/jackson-core-2.6.6.jar -n ~/.m2/repository/com/fasterxml/jackson/core/jackson-core/2.7.6/jackson-core-2.7.6.jar --only-modified --only-incompatible:

Comparing /home/agebhar1/.m2/repository/com/fasterxml/jackson/core/jackson-core/2.6.6/jackson-core-2.6.6.jar with /home/agebhar1/.m2/repository/com/fasterxml/jackson/core/jackson-core/2.7.6/jackson-core-2.7.6.jar:
***! MODIFIED CLASS: PUBLIC ABSTRACT com.fasterxml.jackson.core.base.GeneratorBase  (not serializable)
    ***! MODIFIED FIELD: PROTECTED STATIC (<- NON_STATIC) FINAL java.lang.String WRITE_NULL
    ***! MODIFIED FIELD: PROTECTED STATIC (<- NON_STATIC) FINAL java.lang.String WRITE_BOOLEAN
    ***! MODIFIED FIELD: PROTECTED STATIC (<- NON_STATIC) FINAL java.lang.String WRITE_RAW
    ***! MODIFIED FIELD: PROTECTED STATIC (<- NON_STATIC) FINAL java.lang.String WRITE_BINARY
    ***! MODIFIED FIELD: PROTECTED STATIC (<- NON_STATIC) FINAL java.lang.String WRITE_NUMBER
    ***! MODIFIED FIELD: PROTECTED STATIC (<- NON_STATIC) FINAL java.lang.String WRITE_STRING
***! MODIFIED CLASS: PUBLIC FINAL com.fasterxml.jackson.core.Base64Variant  (compatible)
    ***! MODIFIED FIELD: PACKAGE_PROTECTED (<- PROTECTED) FINAL java.lang.String _name
    ***! MODIFIED FIELD: PRIVATE (<- PROTECTED) FINAL char _paddingChar
    ***! MODIFIED FIELD: PRIVATE (<- PROTECTED) FINAL boolean _usesPadding
    ***! MODIFIED FIELD: PRIVATE (<- PROTECTED) FINAL int _maxLineLength
===  UNCHANGED CLASS: PUBLIC com.fasterxml.jackson.core.io.SerializedString  (serialVersionUID removed but not matches new default serialVersionUID)
***! MODIFIED CLASS: PUBLIC FINAL com.fasterxml.jackson.core.json.JsonReadContext  (not serializable)
    ---! REMOVED METHOD: PUBLIC(-) STATIC(-) com.fasterxml.jackson.core.json.JsonReadContext createRootContext(int, int)
    ---! REMOVED METHOD: PUBLIC(-) STATIC(-) com.fasterxml.jackson.core.json.JsonReadContext createRootContext()
***! MODIFIED ENUM: PUBLIC FINAL com.fasterxml.jackson.core.JsonEncoding  (compatible)
    ***! MODIFIED FIELD: PRIVATE (<- PROTECTED) FINAL boolean _bigEndian
    ***! MODIFIED FIELD: PRIVATE (<- PROTECTED) FINAL java.lang.String _javaName
    ***! MODIFIED FIELD: PRIVATE (<- PROTECTED) FINAL int _bits
***! MODIFIED CLASS: PUBLIC com.fasterxml.jackson.core.JsonFactory  (field removed)
    ---! REMOVED FIELD: PROTECTED(-) FINAL(-) com.fasterxml.jackson.core.sym.BytesToNameCanonicalizer _rootByteSymbols
    ---! REMOVED METHOD: PUBLIC(-) com.fasterxml.jackson.core.JsonGenerator createJsonGenerator(java.io.File, com.fasterxml.jackson.core.JsonEncoding)
        ---  REMOVED EXCEPTION: java.io.IOException
***  MODIFIED CLASS: PUBLIC com.fasterxml.jackson.core.JsonParseException  (serialVersionUID modified)
---! REMOVED CLASS: PUBLIC(-) FINAL(-) com.fasterxml.jackson.core.sym.BytesToNameCanonicalizer  (not serializable)
    ---  REMOVED SUPERCLASS: java.lang.Object
    ---! REMOVED FIELD: PROTECTED(-) com.fasterxml.jackson.core.sym.Name[] _mainNames
    ---! REMOVED FIELD: PROTECTED(-) int[] _hash
    ---! REMOVED FIELD: PROTECTED(-) int _hashMask
    ---! REMOVED FIELD: PROTECTED(-) boolean _intern
    ---! REMOVED FIELD: PROTECTED(-) FINAL(-) boolean _failOnDoS
    ---! REMOVED FIELD: PROTECTED(-) FINAL(-) com.fasterxml.jackson.core.sym.BytesToNameCanonicalizer _parent
    ---! REMOVED FIELD: PROTECTED(-) int _count
    ---! REMOVED FIELD: PROTECTED(-) java.util.BitSet _overflows
    ---! REMOVED FIELD: PROTECTED(-) com.fasterxml.jackson.core.sym.BytesToNameCanonicalizer$Bucket[] _collList
    ---! REMOVED FIELD: PROTECTED(-) FINAL(-) java.util.concurrent.atomic.AtomicReference _tableInfo
    ---! REMOVED FIELD: PROTECTED(-) int _collCount
    ---! REMOVED FIELD: PROTECTED(-) int _collEnd
    ---! REMOVED FIELD: PROTECTED(-) int _longestCollisionList
    ---! REMOVED METHOD: PUBLIC(-) com.fasterxml.jackson.core.sym.Name addName(java.lang.String, int, int)
    ---! REMOVED METHOD: PUBLIC(-) com.fasterxml.jackson.core.sym.Name addName(java.lang.String, int[], int)
    ---! REMOVED METHOD: PUBLIC(-) int bucketCount()
    ---! REMOVED METHOD: PUBLIC(-) int calcHash(int)
    ---! REMOVED METHOD: PUBLIC(-) int calcHash(int, int)
    ---! REMOVED METHOD: PUBLIC(-) int calcHash(int, int, int)
    ---! REMOVED METHOD: PUBLIC(-) int calcHash(int[], int)
    ---! REMOVED METHOD: PROTECTED(-) STATIC(-) int[] calcQuads(byte[])
    ---! REMOVED METHOD: PUBLIC(-) int collisionCount()
    ---! REMOVED METHOD: PUBLIC(-) STATIC(-) com.fasterxml.jackson.core.sym.BytesToNameCanonicalizer createRoot()
    ---! REMOVED METHOD: PROTECTED(-) STATIC(-) com.fasterxml.jackson.core.sym.BytesToNameCanonicalizer createRoot(int)
    ---! REMOVED METHOD: PUBLIC(-) com.fasterxml.jackson.core.sym.Name findName(int)
    ---! REMOVED METHOD: PUBLIC(-) com.fasterxml.jackson.core.sym.Name findName(int, int)
    ---! REMOVED METHOD: PUBLIC(-) com.fasterxml.jackson.core.sym.Name findName(int, int, int)
    ---! REMOVED METHOD: PUBLIC(-) com.fasterxml.jackson.core.sym.Name findName(int[], int)
    ---! REMOVED METHOD: PUBLIC(-) STATIC(-) com.fasterxml.jackson.core.sym.Name getEmptyName()
    ---! REMOVED METHOD: PUBLIC(-) int hashSeed()
    ---! REMOVED METHOD: PUBLIC(-) com.fasterxml.jackson.core.sym.BytesToNameCanonicalizer makeChild(int)
    ---! REMOVED METHOD: PUBLIC(-) com.fasterxml.jackson.core.sym.BytesToNameCanonicalizer makeChild(boolean, boolean)
    ---! REMOVED METHOD: PUBLIC(-) int maxCollisionLength()
    ---! REMOVED METHOD: PUBLIC(-) boolean maybeDirty()
    ---! REMOVED METHOD: PUBLIC(-) void release()
    ---! REMOVED METHOD: PROTECTED(-) void reportTooManyCollisions(int)
    ---! REMOVED METHOD: PUBLIC(-) int size()
---! REMOVED CLASS: PUBLIC(-) STATIC(-) com.fasterxml.jackson.core.util.DefaultPrettyPrinter$Lf2SpacesIndenter  (class removed)
    ---  REMOVED SUPERCLASS: com.fasterxml.jackson.core.util.DefaultIndenter
    ---! REMOVED FIELD: PUBLIC(-) STATIC(-) FINAL(-) com.fasterxml.jackson.core.util.DefaultPrettyPrinter$Lf2SpacesIndenter instance
    ---! REMOVED CONSTRUCTOR: PUBLIC(-) DefaultPrettyPrinter$Lf2SpacesIndenter(java.lang.String)
    ---! REMOVED CONSTRUCTOR: PUBLIC(-) DefaultPrettyPrinter$Lf2SpacesIndenter()
    ---! REMOVED METHOD: PUBLIC(-) com.fasterxml.jackson.core.util.DefaultPrettyPrinter$Lf2SpacesIndenter withLinefeed(java.lang.String)
===  UNCHANGED CLASS: PUBLIC FINAL com.fasterxml.jackson.core.util.InternCache  (serialVersionUID removed but not matches new default serialVersionUID)

and

java -jar japicmp-0.8.1-jar-with-dependencies.jar -o ~/.m2/repository/com/fasterxml/jackson/core/jackson-core/2.6.6/jackson-core-2.6.6.jar -n ~/.m2/repository/com/fasterxml/jackson/core/jackson-core/2.8.1/jackson-core-2.8.1.jar --only-modified --only-incompatible:

Comparing /home/agebhar1/.m2/repository/com/fasterxml/jackson/core/jackson-core/2.6.6/jackson-core-2.6.6.jar with /home/agebhar1/.m2/repository/com/fasterxml/jackson/core/jackson-core/2.8.1/jackson-core-2.8.1.jar:
***! MODIFIED CLASS: PUBLIC ABSTRACT com.fasterxml.jackson.core.base.GeneratorBase  (not serializable)
    ***! MODIFIED METHOD: PUBLIC NON_FINAL (<- FINAL) com.fasterxml.jackson.core.JsonStreamContext (<-com.fasterxml.jackson.core.json.JsonWriteContext) getOutputContext()
***! MODIFIED CLASS: PUBLIC FINAL com.fasterxml.jackson.core.json.JsonReadContext  (not serializable)
    ---! REMOVED METHOD: PUBLIC(-) STATIC(-) com.fasterxml.jackson.core.json.JsonReadContext createRootContext(int, int)
    ---! REMOVED METHOD: PUBLIC(-) STATIC(-) com.fasterxml.jackson.core.json.JsonReadContext createRootContext()
***! MODIFIED CLASS: PUBLIC com.fasterxml.jackson.core.JsonFactory  (field removed)
    ---! REMOVED FIELD: PROTECTED(-) FINAL(-) com.fasterxml.jackson.core.sym.BytesToNameCanonicalizer _rootByteSymbols
    ---! REMOVED METHOD: PUBLIC(-) com.fasterxml.jackson.core.JsonGenerator createJsonGenerator(java.io.File, com.fasterxml.jackson.core.JsonEncoding)
        ---  REMOVED EXCEPTION: java.io.IOException
***  MODIFIED CLASS: PUBLIC com.fasterxml.jackson.core.JsonParseException  (serialVersionUID modified)
***! MODIFIED CLASS: PUBLIC ABSTRACT com.fasterxml.jackson.core.ObjectCodec  (not serializable)
    ***! MODIFIED METHOD: PUBLIC ABSTRACT (<- NON_ABSTRACT) com.fasterxml.jackson.core.Version version()
---! REMOVED CLASS: PUBLIC(-) FINAL(-) com.fasterxml.jackson.core.sym.BytesToNameCanonicalizer  (not serializable)
    ---  REMOVED SUPERCLASS: java.lang.Object
    ---! REMOVED FIELD: PROTECTED(-) com.fasterxml.jackson.core.sym.Name[] _mainNames
    ---! REMOVED FIELD: PROTECTED(-) int[] _hash
    ---! REMOVED FIELD: PROTECTED(-) int _hashMask
    ---! REMOVED FIELD: PROTECTED(-) boolean _intern
    ---! REMOVED FIELD: PROTECTED(-) FINAL(-) boolean _failOnDoS
    ---! REMOVED FIELD: PROTECTED(-) FINAL(-) com.fasterxml.jackson.core.sym.BytesToNameCanonicalizer _parent
    ---! REMOVED FIELD: PROTECTED(-) int _count
    ---! REMOVED FIELD: PROTECTED(-) java.util.BitSet _overflows
    ---! REMOVED FIELD: PROTECTED(-) com.fasterxml.jackson.core.sym.BytesToNameCanonicalizer$Bucket[] _collList
    ---! REMOVED FIELD: PROTECTED(-) FINAL(-) java.util.concurrent.atomic.AtomicReference _tableInfo
    ---! REMOVED FIELD: PROTECTED(-) int _collCount
    ---! REMOVED FIELD: PROTECTED(-) int _collEnd
    ---! REMOVED FIELD: PROTECTED(-) int _longestCollisionList
    ---! REMOVED METHOD: PUBLIC(-) com.fasterxml.jackson.core.sym.Name addName(java.lang.String, int, int)
    ---! REMOVED METHOD: PUBLIC(-) com.fasterxml.jackson.core.sym.Name addName(java.lang.String, int[], int)
    ---! REMOVED METHOD: PUBLIC(-) int bucketCount()
    ---! REMOVED METHOD: PUBLIC(-) int calcHash(int)
    ---! REMOVED METHOD: PUBLIC(-) int calcHash(int, int)
    ---! REMOVED METHOD: PUBLIC(-) int calcHash(int, int, int)
    ---! REMOVED METHOD: PUBLIC(-) int calcHash(int[], int)
    ---! REMOVED METHOD: PROTECTED(-) STATIC(-) int[] calcQuads(byte[])
    ---! REMOVED METHOD: PUBLIC(-) int collisionCount()
    ---! REMOVED METHOD: PUBLIC(-) STATIC(-) com.fasterxml.jackson.core.sym.BytesToNameCanonicalizer createRoot()
    ---! REMOVED METHOD: PROTECTED(-) STATIC(-) com.fasterxml.jackson.core.sym.BytesToNameCanonicalizer createRoot(int)
    ---! REMOVED METHOD: PUBLIC(-) com.fasterxml.jackson.core.sym.Name findName(int)
    ---! REMOVED METHOD: PUBLIC(-) com.fasterxml.jackson.core.sym.Name findName(int, int)
    ---! REMOVED METHOD: PUBLIC(-) com.fasterxml.jackson.core.sym.Name findName(int, int, int)
    ---! REMOVED METHOD: PUBLIC(-) com.fasterxml.jackson.core.sym.Name findName(int[], int)
    ---! REMOVED METHOD: PUBLIC(-) STATIC(-) com.fasterxml.jackson.core.sym.Name getEmptyName()
    ---! REMOVED METHOD: PUBLIC(-) int hashSeed()
    ---! REMOVED METHOD: PUBLIC(-) com.fasterxml.jackson.core.sym.BytesToNameCanonicalizer makeChild(int)
    ---! REMOVED METHOD: PUBLIC(-) com.fasterxml.jackson.core.sym.BytesToNameCanonicalizer makeChild(boolean, boolean)
    ---! REMOVED METHOD: PUBLIC(-) int maxCollisionLength()
    ---! REMOVED METHOD: PUBLIC(-) boolean maybeDirty()
    ---! REMOVED METHOD: PUBLIC(-) void release()
    ---! REMOVED METHOD: PROTECTED(-) void reportTooManyCollisions(int)
    ---! REMOVED METHOD: PUBLIC(-) int size()
---! REMOVED CLASS: PUBLIC(-) STATIC(-) com.fasterxml.jackson.core.util.DefaultPrettyPrinter$Lf2SpacesIndenter  (class removed)
    ---  REMOVED SUPERCLASS: com.fasterxml.jackson.core.util.DefaultIndenter
    ---! REMOVED FIELD: PUBLIC(-) STATIC(-) FINAL(-) com.fasterxml.jackson.core.util.DefaultPrettyPrinter$Lf2SpacesIndenter instance
    ---! REMOVED CONSTRUCTOR: PUBLIC(-) DefaultPrettyPrinter$Lf2SpacesIndenter(java.lang.String)
    ---! REMOVED CONSTRUCTOR: PUBLIC(-) DefaultPrettyPrinter$Lf2SpacesIndenter()
    ---! REMOVED METHOD: PUBLIC(-) com.fasterxml.jackson.core.util.DefaultPrettyPrinter$Lf2SpacesIndenter withLinefeed(java.lang.String)
***! MODIFIED CLASS: PUBLIC com.fasterxml.jackson.core.util.JsonParserSequence  (not serializable)
    ---! REMOVED FIELD: PROTECTED(-) int _nextParser

Is there a chance to get the fix of the security vulnerability in the XML mapper backported to version 2.6.x?

To take only #6508 into account Jackson 2.7.6 would be fine.
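As an added example (it is not part of this thread, nor code from Spring Boot or japicmp): a small parser for japicmp's text report, like the two runs posted above, that turns the `***!` / `---!` markers into the numbers a dependency-upgrade gate can act on and lists the removed public methods one would grep a consumer such as Elasticsearch for before bumping the version. The sample report is a constructed, trimmed excerpt of the 2.6.6 -> 2.7.6 output above; the marker semantics (`***` modified, `---` removed, `+++` added, `===` unchanged, `!` binary incompatible, four-space indentation for members) are assumed from that output.

```python
import re
from collections import Counter

# Constructed sample: a trimmed excerpt of the japicmp 2.6.6 -> 2.7.6 output
# posted above (paths shortened), covering every line shape it emits:
# class / enum lines, nested member lines, and a doubly nested exception line.
SAMPLE_REPORT = """\
Comparing jackson-core-2.6.6.jar with jackson-core-2.7.6.jar:
***! MODIFIED CLASS: PUBLIC ABSTRACT com.fasterxml.jackson.core.base.GeneratorBase  (not serializable)
    ***! MODIFIED FIELD: PROTECTED STATIC (<- NON_STATIC) FINAL java.lang.String WRITE_NULL
===  UNCHANGED CLASS: PUBLIC com.fasterxml.jackson.core.io.SerializedString  (serialVersionUID removed but not matches new default serialVersionUID)
***! MODIFIED CLASS: PUBLIC FINAL com.fasterxml.jackson.core.json.JsonReadContext  (not serializable)
    ---! REMOVED METHOD: PUBLIC(-) STATIC(-) com.fasterxml.jackson.core.json.JsonReadContext createRootContext(int, int)
    ---! REMOVED METHOD: PUBLIC(-) STATIC(-) com.fasterxml.jackson.core.json.JsonReadContext createRootContext()
***! MODIFIED CLASS: PUBLIC com.fasterxml.jackson.core.JsonFactory  (field removed)
    ---! REMOVED FIELD: PROTECTED(-) FINAL(-) com.fasterxml.jackson.core.sym.BytesToNameCanonicalizer _rootByteSymbols
    ---! REMOVED METHOD: PUBLIC(-) com.fasterxml.jackson.core.JsonGenerator createJsonGenerator(java.io.File, com.fasterxml.jackson.core.JsonEncoding)
        ---  REMOVED EXCEPTION: java.io.IOException
***  MODIFIED CLASS: PUBLIC com.fasterxml.jackson.core.JsonParseException  (serialVersionUID modified)
***! MODIFIED ENUM: PUBLIC FINAL com.fasterxml.jackson.core.JsonEncoding  (compatible)
    ***! MODIFIED FIELD: PRIVATE (<- PROTECTED) FINAL boolean _bigEndian
---! REMOVED CLASS: PUBLIC(-) FINAL(-) com.fasterxml.jackson.core.sym.BytesToNameCanonicalizer  (not serializable)
    ---  REMOVED SUPERCLASS: java.lang.Object
    ---! REMOVED METHOD: PUBLIC(-) int size()
"""

# Marker semantics assumed from the output above: *** modified, --- removed,
# +++ added, === unchanged; a trailing '!' means japicmp flags the change as
# binary incompatible. Top-level lines are types, indented lines are members.
LINE_RE = re.compile(
    r"^(?P<indent>[ ]*)"
    r"(?P<marker>\*\*\*|---|\+\+\+|===)"
    r"(?P<incompat>!?)\s+"
    r"(?P<change>[A-Z]+) (?P<element>[A-Z]+):\s*"
    r"(?P<detail>.*)$"
)
TRAILING_NOTE_RE = re.compile(r"\s*\([^()]*\)\s*$")   # e.g. "  (not serializable)"
SIGNATURE_RE = re.compile(r"([\w$]+\([^)]*\))\s*$")   # e.g. "createRootContext(int, int)"
MEMBER_KINDS = ("METHOD", "CONSTRUCTOR", "FIELD")


def _type_name(detail):
    """Fully-qualified type name: the last token once the trailing note is dropped."""
    return TRAILING_NOTE_RE.sub("", detail).split()[-1]


def parse_japicmp(report):
    """Parse japicmp text output into a list of type entries, each with its member lines.
    Any indented line is attached to the most recent type, so a REMOVED EXCEPTION
    nested under a method still belongs to that method's class."""
    types = []
    for line in report.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # "Comparing ..." header and blank lines carry no change
        entry = {
            "change": m.group("change"),        # MODIFIED / REMOVED / ADDED / UNCHANGED
            "element": m.group("element"),      # CLASS / ENUM / METHOD / FIELD / ...
            "incompatible": m.group("incompat") == "!",
            "detail": m.group("detail").strip(),
        }
        if m.group("indent") == "":
            entry["name"] = _type_name(entry["detail"])
            entry["members"] = []
            types.append(entry)
        elif types:
            types[-1]["members"].append(entry)
    return types


def summarize(types):
    """The counts an upgrade gate looks at: removed types, incompatibly modified
    types, and removed / modified members that japicmp flagged with '!'."""
    counts = Counter()
    for t in types:
        if t["change"] == "REMOVED":
            counts["removed_types"] += 1
        elif t["change"] == "MODIFIED" and t["incompatible"]:
            counts["incompatible_types"] += 1
        for mbr in t["members"]:
            if not mbr["incompatible"] or mbr["element"] not in MEMBER_KINDS:
                continue
            key = "removed_members" if mbr["change"] == "REMOVED" else "modified_members"
            counts[key] += 1
    return counts


def removed_public_methods(types):
    """'Type#signature' for every removed public method or constructor: the list
    to grep a consumer's code for before accepting the new version."""
    hits = []
    for t in types:
        for mbr in t["members"]:
            if mbr["change"] != "REMOVED" or mbr["element"] not in ("METHOD", "CONSTRUCTOR"):
                continue
            if not mbr["detail"].startswith("PUBLIC"):
                continue
            sig = SIGNATURE_RE.search(mbr["detail"])
            if sig:
                hits.append(t["name"] + "#" + sig.group(1))
    return hits


def is_binary_compatible(types):
    """True only if japicmp flagged nothing with '!' at type or member level."""
    return not any(t["incompatible"] or any(m["incompatible"] for m in t["members"])
                   for t in types)


if __name__ == "__main__":
    parsed = parse_japicmp(SAMPLE_REPORT)
    print(dict(summarize(parsed)), "compatible:", is_binary_compatible(parsed))
    for hit in removed_public_methods(parsed):
        print("removed:", hit)
```

Feed it the full `--only-incompatible` output instead of the sample (for instance via `sys.stdin.read()`) to get the same summary for a real run; the interesting output for the #6508 question is the `removed_public_methods` list, since a consumer that still calls one of those methods will fail at runtime with a `NoSuchMethodError`, which is what a `***!`/`---!` marker warns about.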

@philwebb
Member

@agebhar1

Is there a chance to get the fix of the security vulnerability in the XML mapper backported to version 2.6.x?

That's a question for the Jackson team. You'll need to raise an issue with them.

@agebhar1
Contributor

I could raise an issue, but in #6508 it seems that a downgrade is not an option. So a backport of the XML issue fix would be needless. What do you think @philwebb?

@wilkinsona
Member

@agebhar1

I could raise an issue but in #6508 it seems that downgrade is not an option

We haven't made that decision yet (hence this issue still being open). We'll discuss the downgrade later today. FWIW, I'm currently in favour of downgrading to 2.7.x.

@agebhar1
Contributor

@wilkinsona

We haven't made that decision yet (hence this issue still being open).

Okay. I will raise an issue with the Jackson team/project; at least Elasticsearch's current version 2.3.5 still uses Jackson 2.6.6, which is affected by the security vulnerability in the XML mapper you mentioned above.

@philwebb philwebb changed the title Consider downgrading Jackson to 2.6 Consider downgrading Jackson to 2.7 Aug 10, 2016
@philwebb philwebb added this to the 1.4.1 milestone Aug 10, 2016
@philwebb philwebb changed the title Consider downgrading Jackson to 2.7 Consider downgrading Jackson to 2.6 Aug 10, 2016
@philwebb philwebb removed this from the 1.4.1 milestone Aug 10, 2016
@philwebb
Member

We'll deal with this in #6508 most likely by downgrading to Jackson 2.7

@snicoll
Member Author

snicoll commented Aug 10, 2016

We've decided to downgrade to 2.7, see #6508 for updates.

@snicoll snicoll closed this as completed Aug 10, 2016
@snicoll snicoll added status: duplicate A duplicate of another issue and removed for: team-attention An issue we'd like other members of the team to review labels Aug 10, 2016
@jloisel
Contributor

jloisel commented Sep 12, 2016

Elasticsearch 2.4 depends on Jackson 2.8.1. You should consider cancelling the downgrade. We are running Elasticsearch 2.4 with Spring Boot 1.4.0.RELEASE and Jackson 2.8.2 with no issue so far.

@snicoll
Member Author

snicoll commented Sep 12, 2016

@jloisel please create a separate issue for this. Thanks.

6 participants