[jira] [Created] (QPID-8279) [Broker-J] Upgrade Jackson dependencies
Alex Rudyy created QPID-8279:

Summary: [Broker-J] Upgrade Jackson dependencies
Key: QPID-8279
URL: https://issues.apache.org/jira/browse/QPID-8279
Project: Qpid
Issue Type: Improvement
Components: Broker-J
Affects Versions: qpid-java-broker-7.0.6, qpid-java-broker-7.0.5, qpid-java-broker-7.0.4, qpid-java-broker-7.1.0, qpid-java-broker-7.0.1, qpid-java-broker-7.0.0, qpid-java-broker-7.0.2, qpid-java-broker-7.0.3
Reporter: Alex Rudyy
Fix For: qpid-java-broker-7.0.7, qpid-java-broker-8.0.0, qpid-java-broker-7.1.1

The CVE vulnerabilities [14718|https://nvd.nist.gov/vuln/detail/CVE-2018-14718], [CVE-2018-14719|https://nvd.nist.gov/vuln/detail/CVE-2018-14719], [CVE-2018-14720|https://nvd.nist.gov/vuln/detail/CVE-2018-14720], [CVE-2018-14721|https://nvd.nist.gov/vuln/detail/CVE-2018-14721] have been reported against jackson-databind library 2.x versions below 2.9.7.

Whilst Apache Qpid Broker-J distributions include a version of jackson-databind that is affected by the vulnerability, it is believed that Apache Qpid Broker-J product itself is NOT AFFECTED by this vulnerability.

This is because Broker-J code never enables Jackson's polymorphic deserialisation features: specifically it never makes calls to ObjectMapper#enableDefaultTyping(...) nor does it use TypeResolverBuilders or annotations that enable the feature.

Though Apache Qpid Broker-J is not affected by the vulnerabilities, this JIRA will upgrade the dependencies of Broker-J to versions of the jackson-databind dependencies that are not vulnerable:
* master (upgrade from 2.9.5 to 2.9.8)
* 7.1.x (upgrade from 2.9.5 to 2.9.8)
* 7.0.x (upgrade from 2.8.11.1 to 2.8.11.3)

Please note that no upgrade of jackson-databind dependencies will be done for 6.0.x and 6.1.x versions. The 6.0.x and 6.1.x brokers can be upgraded to 7.1.x.

--
This message was sent by Atlassian JIRA (v7.6.3#76005)

To unsubscribe, e-mail: dev-unsubscr...@qpid.apache.org
For additional commands, e-mail: dev-h...@qpid.apache.org
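
The "not affected" reasoning in the message above rests on the code never enabling polymorphic deserialisation, which can be checked mechanically. The following is an added example, not part of the original message or of the Qpid code base: a source audit for the Jackson constructs the message names. The Java snippets are constructed samples, and the regex scan is an assumed approach, not a full Java parser.

```python
import re

# Constructs that enable Jackson polymorphic deserialisation (Jackson API names).
PATTERNS = {
    "default typing enabled on ObjectMapper": re.compile(
        r"\.\s*(?:enableDefaultTyping(?:AsProperty)?|"
        r"activateDefaultTyping(?:AsProperty)?|setDefaultTyping)\s*\("),
    "class-name based @JsonTypeInfo": re.compile(
        r"@JsonTypeInfo\s*\([^)]*\buse\s*=\s*(?:JsonTypeInfo\.)?Id\.(?:CLASS|MINIMAL_CLASS)\b"),
    "custom type resolver": re.compile(r"@JsonTypeResolver\b|\w*TypeResolverBuilder\b"),
}

# String literals are matched first so that "//" inside a URL is not taken for a comment.
_TOKEN = re.compile(r'"(?:\\.|[^"\\\n])*"|/\*.*?\*/|//[^\n]*', re.S)

def strip_comments(src):
    """Blank out Java comments, keeping newlines so line numbers stay valid."""
    def repl(m):
        tok = m.group(0)
        return tok if tok.startswith('"') else re.sub(r"[^\n]", " ", tok)
    return _TOKEN.sub(repl, src)

def audit(src):
    """Return sorted (line, finding) pairs for one Java source text."""
    code = strip_comments(src)
    return sorted((code.count("\n", 0, m.start()) + 1, label)
                  for label, rx in PATTERNS.items() for m in rx.finditer(code))

# Constructed sample inputs, not taken from the Broker-J code base.
SAFE = """\
class Safe {
    // mapper.enableDefaultTyping();  (commented out, must not be reported)
    Object read(String j) throws Exception { return new ObjectMapper().readValue(j, Map.class); }
}
"""
RISKY = """\
class Risky {
    @JsonTypeInfo(use = JsonTypeInfo.Id.CLASS)
    Object payload;
    ObjectMapper mapper = new ObjectMapper().enableDefaultTyping();
}
"""

if __name__ == "__main__":
    print(audit(SAFE), audit(RISKY))
```

An empty result supports the claim only for the scanned sources; typing enabled inside third-party libraries or through configuration is outside what this scan sees.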
[jira] [Commented] (QPID-8274) [Broker-J][BDB HA] Broker can fail to become active when BDB HA virtual host times out to join the group
[ https://issues.apache.org/jira/browse/QPID-8274?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16769307#comment-16769307 ]

Alex Rudyy commented on QPID-8274:
----------------------------------

It looks like a defect in BDB JE. A number of JDK defect reports (JDK-[6301579|https://bugs.openjdk.java.net/browse/JDK-6301579], [JDK-8037567|https://bugs.openjdk.java.net/browse/JDK-8037567]) were raised about the same problem with class initialization, but they have been closed as "not an issue". It seems the Java spec does not allow static initializers to reference subclasses. TupleBinding is the parent of IntegerBinding. In the static block of TupleBinding an instance of IntegerBinding is created. It seems that on an attempt to initialize IntegerBinding from multiple threads a deadlock occurs.

I raised a discussion on the BDB JE forum about this problem: [https://community.oracle.com/thread/4201425|https://community.oracle.com/thread/4201425]

I am inclined to close this JIRA as not an issue, but before doing that, I would prefer to wait for any reply in the Oracle BDB JE forum.

> [Broker-J][BDB HA] Broker can fail to become active when BDB HA virtual host times out to join the group
>
> Key: QPID-8274
> URL: https://issues.apache.org/jira/browse/QPID-8274
> Project: Qpid
> Issue Type: Bug
> Components: Broker-J
> Affects Versions: qpid-java-6.1.6, qpid-java-broker-7.0.3, qpid-java-broker-7.0.2, qpid-java-6.0, qpid-java-6.0.1, qpid-java-6.0.2, qpid-java-6.0.3, qpid-java-6.0.4, qpid-java-6.0.5, qpid-java-6.1, qpid-java-6.0.6, qpid-java-6.1.1, qpid-java-6.1.2, qpid-java-6.0.7, qpid-java-6.1.3, qpid-java-6.0.8, qpid-java-6.1.4, qpid-java-broker-7.0.0, qpid-java-6.1.5, qpid-java-broker-7.0.1, qpid-java-6.1.7, qpid-java-broker-7.1.0, qpid-java-broker-7.0.4, qpid-java-broker-7.0.5, qpid-java-broker-7.0.6
> Environment: [Broker-Config] (q.m.b.platform) - [Broker] BRK-1010 : Platform : JVM : Oracle Corporation version: 1.8.0_161-b12 OS : Linux version: 3.10.0-514.6.1.el7.x86_64 arch: amd64 cores: 40
> Reporter: Alex Rudyy
> Priority: Major
> Fix For: qpid-java-broker-7.0.7, qpid-java-broker-7.1.1
> Attachments: thread-dump.txt
>
> Broker containing a BDB HA Virtual Host node (belonging to the cluster consisting of several nodes) can fail to start when BDB HA Virtual Host node times out to join the group. The broker cannot complete activation (transition into an ACTIVE state).
> The stack traces like below are reported on BDB HA VHN timeout:
> {noformat}
> ERROR [Broker-Config] (o.a.q.s.m.AbstractConfiguredObject) - Failed to open object with name 'node2'. Object will be put into ERROR state.
> java.lang.RuntimeException: JE replicated environment creation took too long (permitted time 18ms)
>     at org.apache.qpid.server.store.berkeleydb.replication.ReplicatedEnvironmentFacade.createEnvironmentInSeparateThread(ReplicatedEnvironmentFacade.java:1577)
>     at org.apache.qpid.server.store.berkeleydb.replication.ReplicatedEnvironmentFacade.createEnvironment(ReplicatedEnvironmentFacade.java:1521)
>     at org.apache.qpid.server.store.berkeleydb.replication.ReplicatedEnvironmentFacade.<init>(ReplicatedEnvironmentFacade.java:287)
>     at org.apache.qpid.server.store.berkeleydb.replication.ReplicatedEnvironmentFacadeFactory.createEnvironmentFacade(ReplicatedEnvironmentFacadeFactory.java:130)
>     at org.apache.qpid.server.store.berkeleydb.BDBConfigurationStore.init(BDBConfigurationStore.java:122)
>     at org.apache.qpid.server.virtualhostnode.berkeleydb.BDBHAVirtualHostNodeImpl.activate(BDBHAVirtualHostNodeImpl.java:338)
>     at org.apache.qpid.server.virtualhostnode.AbstractVirtualHostNode.doActivate(AbstractVirtualHostNode.java:162)
>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>     at java.lang.reflect.Method.invoke(Method.java:498)
>     at org.apache.qpid.server.model.AbstractConfiguredObject.attainState(AbstractConfiguredObject.java:1524)
>     at org.apache.qpid.server.model.AbstractConfiguredObject.attainState(AbstractConfiguredObject.java:1503)
>     at org.apache.qpid.server.model.AbstractConfiguredObject$8.onSuccess(AbstractConfiguredObject.java:1070)
>     at org.apache.qpid.server.model.AbstractConfiguredObject$8.onSuccess(AbstractConfiguredObject.java:1064)
>     at org.apache.qpid.server.model.AbstractConfiguredObject$22$1.run(AbstractConfiguredObject.java:2639)
>     at
[jira] [Commented] (QPID-8279) [Broker-J] Upgrade Jackson dependencies
[ https://issues.apache.org/jira/browse/QPID-8279?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16769968#comment-16769968 ]

ASF subversion and git services commented on QPID-8279:
-------------------------------------------------------

Commit c79986ee99cb5c73c64f85c43645c63938369912 in qpid-broker-j's branch refs/heads/master from Alex Rudyy
[ https://gitbox.apache.org/repos/asf?p=qpid-broker-j.git;h=c79986e ]

QPID-8279: [Broker-J] Upgrade Jackson dependencies

> [Broker-J] Upgrade Jackson dependencies
> ---------------------------------------
>
> Key: QPID-8279
> URL: https://issues.apache.org/jira/browse/QPID-8279
> Project: Qpid
> Issue Type: Improvement
> Components: Broker-J
> Affects Versions: qpid-java-broker-7.0.3, qpid-java-broker-7.0.2, qpid-java-broker-7.0.0, qpid-java-broker-7.0.1, qpid-java-broker-7.1.0, qpid-java-broker-7.0.4, qpid-java-broker-7.0.5, qpid-java-broker-7.0.6
> Reporter: Alex Rudyy
> Priority: Major
> Fix For: qpid-java-broker-7.0.7, qpid-java-broker-8.0.0, qpid-java-broker-7.1.1
>
> The CVE vulnerabilities [14718|https://nvd.nist.gov/vuln/detail/CVE-2018-14718], [CVE-2018-14719|https://nvd.nist.gov/vuln/detail/CVE-2018-14719], [CVE-2018-14720|https://nvd.nist.gov/vuln/detail/CVE-2018-14720], [CVE-2018-14721|https://nvd.nist.gov/vuln/detail/CVE-2018-14721] have been reported against jackson-databind library 2.x versions below 2.9.7.
> Whilst Apache Qpid Broker-J distributions include a version of jackson-databind that is affected by the vulnerability, it is believed that Apache Qpid Broker-J product itself is NOT AFFECTED by this vulnerability.
> This is because Broker-J code never enables Jackson's polymorphic deserialisation features: specifically it never makes calls to ObjectMapper#enableDefaultTyping(...) nor does it use TypeResolverBuilders or annotations that enable the feature.
> Though Apache Qpid Broker-J is not affected by the vulnerabilities, this JIRA will upgrade the dependencies of Broker-J to versions of the jackson-databind dependencies that are not vulnerable:
> * master (upgrade from 2.9.5 to 2.9.8)
> * 7.1.x (upgrade from 2.9.5 to 2.9.8)
> * 7.0.x (upgrade from 2.8.11.1 to 2.8.11.3)
> Please note that no upgrade of jackson-databind dependencies will be done for 6.0.x and 6.1.x versions. The 6.0.x and 6.1.x brokers can be upgraded to 7.1.x.

[jira] [Commented] (QPID-8279) [Broker-J] Upgrade Jackson dependencies
[ https://issues.apache.org/jira/browse/QPID-8279?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16769965#comment-16769965 ]

ASF subversion and git services commented on QPID-8279:
-------------------------------------------------------

Commit 7cd12811a2c804ab3ac61cbca3aa41bd93f0bd78 in qpid-broker-j's branch refs/heads/7.0.x from Alex Rudyy
[ https://gitbox.apache.org/repos/asf?p=qpid-broker-j.git;h=7cd1281 ]

QPID-8279: [Broker-J] Upgrade Jackson dependencies

[jira] [Commented] (QPID-8279) [Broker-J] Upgrade Jackson dependencies
[ https://issues.apache.org/jira/browse/QPID-8279?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16769966#comment-16769966 ]

ASF subversion and git services commented on QPID-8279:
-------------------------------------------------------

Commit fcd6a091c48b7f46d262b825125d9f401bdfd4ef in qpid-broker-j's branch refs/heads/7.1.x from Alex Rudyy
[ https://gitbox.apache.org/repos/asf?p=qpid-broker-j.git;h=fcd6a09 ]

QPID-8279: [Broker-J] Upgrade Jackson dependencies