[jira] [Commented] (OLINGO-1295) jackson upgrade odata-server and odata-client

2018-09-25 Thread Michael (JIRA)


[ 
https://issues.apache.org/jira/browse/OLINGO-1295?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16627661#comment-16627661
 ] 

Michael commented on OLINGO-1295:
-

Information I have is that jackson-core < 2.8.6 is vulnerable to Denial of 
Service (DoS).

> jackson upgrade odata-server and odata-client
> -
>
> Key: OLINGO-1295
> URL: https://issues.apache.org/jira/browse/OLINGO-1295
> Project: Olingo
> Issue Type: Improvement
> Components: odata2-core, odata4-client
> Affects Versions: (Java) V4 4.5.0
> Reporter: Michael
> Priority: Minor
>
> Upgrade jackson core, databind, annotations, dataformat-xml, 
> jaxrs-json-provider.
> [https://github.com/apache/olingo-odata4/blob/003f0f4ffa07cbbc7500c1bece37a41813eb670e/pom.xml#L86]



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
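
A build-side check for the version floor given in the comment above, as an added example that is not part of the original thread or of Olingo's code. The sample pom, its `jackson.version` property name and the helper names are constructed for illustration; only the jackson-core floor of 2.8.6 comes from the comment.

```python
import re
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
# Floor from the comment above; add entries for other artifacts as advisories give them.
FLOORS = {("com.fasterxml.jackson.core", "jackson-core"): "2.8.6"}

# Constructed sample pom (property name and version are illustrative).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><jackson.version>2.7.8</jackson.version></properties>
  <dependencyManagement><dependencies>
    <dependency>
      <groupId>com.fasterxml.jackson.core</groupId>
      <artifactId>jackson-core</artifactId>
      <version>${jackson.version}</version>
    </dependency>
  </dependencies></dependencyManagement>
</project>"""

def version_key(v):
    """Numeric (major, minor, patch) tuple; qualifiers like -SNAPSHOT or .pr1 are ignored."""
    return tuple(int(n) for n in re.findall(r"\d+", v.split("-")[0])[:3])

def resolve(text, props):
    """Expand ${name} references using the pom's own <properties>."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), text)

def audit(pom_xml, floors=FLOORS):
    """Return (artifactId, version, reason) for each dependency below its floor."""
    root = ET.fromstring(pom_xml)  # fine for a pom from your own tree, not for untrusted XML
    props = {p.tag.split("}")[-1]: (p.text or "").strip()
             for p in root.findall("m:properties/*", NS)}
    findings = []
    for dep in root.iter("{%s}dependency" % NS["m"]):
        gid = dep.findtext("m:groupId", "", NS).strip()
        aid = dep.findtext("m:artifactId", "", NS).strip()
        raw = dep.findtext("m:version", "", NS).strip()
        floor = floors.get((gid, aid))
        if floor is None or not raw:
            continue
        ver = resolve(raw, props)
        if "${" in ver:  # property defined in a parent pom: flag it rather than guess
            findings.append((aid, ver, "unresolved"))
        elif version_key(ver) < version_key(floor):
            findings.append((aid, ver, "below " + floor))
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_POM))
```

Versions inherited from a parent pom or pulled in transitively are not visible to this check; the resolved dependency tree is the authoritative input for those.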


[jira] [Commented] (OLINGO-1295) jackson upgrade odata-server and odata-client

2018-09-24 Thread Michael (JIRA)


[ 
https://issues.apache.org/jira/browse/OLINGO-1295?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16626490#comment-16626490
 ] 

Michael commented on OLINGO-1295:
-

Here's the security vulnerability report against jackson-dataformat-xml ...

[http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7051]

There's one for jackson-core but I am aware of that one only through private 
channels.  I'll let you know if I can provide more information on it later.



[jira] [Commented] (OLINGO-1295) jackson upgrade odata-server and odata-client

2018-09-24 Thread Michael (JIRA)


[ 
https://issues.apache.org/jira/browse/OLINGO-1295?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16626484#comment-16626484
 ] 

Michael commented on OLINGO-1295:
-

Here's a PR for the pom change that reproduces the infinite loop in 
MetadataValidationTest.checkInValidV4XMLMetadataWithNoSchemas()

[https://github.com/apache/olingo-odata4/pull/33]

I haven't yet worked out a fix.



[jira] [Commented] (OLINGO-1295) jackson upgrade odata-server and odata-client

2018-09-24 Thread Ramesh Reddy (JIRA)


[ 
https://issues.apache.org/jira/browse/OLINGO-1295?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16626290#comment-16626290
 ] 

Ramesh Reddy commented on OLINGO-1295:
--

Can you debug and submit a patch why there is an infinite loop in the test?



[jira] [Commented] (OLINGO-1295) jackson upgrade odata-server and odata-client

2018-09-24 Thread Michael (JIRA)


[ 
https://issues.apache.org/jira/browse/OLINGO-1295?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16626207#comment-16626207
 ] 

Michael commented on OLINGO-1295:
-

I have upgraded jackson to 2.9.6 on a fork ...

[https://github.com/msgroi/olingo-odata4/commit/d82aac9ee9b86ae3d2186352696d5eeb1b19f9c6]

I had to ignore 
MetadataValidationTest.checkInValidV4XMLMetadataWithNoSchemas().  It runs in an 
infinite loop.  Stack trace shows where it's looping ...

"main" #1 prio=5 os_prio=31 tid=0x7f818c00 nid=0x1803 runnable [0x71edf000]
   java.lang.Thread.State: RUNNABLE
    at org.apache.olingo.client.core.edm.xml.ClientCsdlEdmx$EdmxDeserializer.doDeserialize(ClientCsdlEdmx.java:79)
    at org.apache.olingo.client.core.edm.xml.ClientCsdlEdmx$EdmxDeserializer.doDeserialize(ClientCsdlEdmx.java:71)
    at org.apache.olingo.client.core.edm.xml.AbstractClientCsdlEdmDeserializer.deserialize(AbstractClientCsdlEdmDeserializer.java:60)
    at com.fasterxml.jackson.databind.ObjectMapper._readMapAndClose(ObjectMapper.java:4001)
    at com.fasterxml.jackson.databind.ObjectMapper.readValue(ObjectMapper.java:3058)
    at org.apache.olingo.client.core.serialization.ClientODataDeserializerImpl.toMetadata(ClientODataDeserializerImpl.java:139)
    at org.apache.olingo.client.core.MetadataValidationTest.checkInValidV4XMLMetadataWithNoSchemas(MetadataValidationTest.java:744)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.junit.runners.model.FrameworkMethod$1.runReflectiveCall(FrameworkMethod.java:47)
    at org.junit.internal.runners.model.ReflectiveCallable.run(ReflectiveCallable.java:12)
    at org.junit.runners.model.FrameworkMethod.invokeExplosively(FrameworkMethod.java:44)
    at org.junit.internal.runners.statements.InvokeMethod.evaluate(InvokeMethod.java:17)
    at org.junit.runners.ParentRunner.runLeaf(ParentRunner.java:271)
    at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:70)
    at org.junit.runners.BlockJUnit4ClassRunner.runChild(BlockJUnit4ClassRunner.java:50)
    at org.junit.runners.ParentRunner$3.run(ParentRunner.java:238)
    at org.junit.runners.ParentRunner$1.schedule(ParentRunner.java:63)
    at org.junit.runners.ParentRunner.runChildren(ParentRunner.java:236)
    at org.junit.runners.ParentRunner.access$000(ParentRunner.java:53)
    at org.junit.runners.ParentRunner$2.evaluate(ParentRunner.java:229)
    at org.junit.internal.runners.statements.RunBefores.evaluate(RunBefores.java:26)
    at org.junit.runners.ParentRunner.run(ParentRunner.java:309)
    at org.junit.runner.JUnitCore.run(JUnitCore.java:160)
    at com.intellij.junit4.JUnit4IdeaTestRunner.startRunnerWithArgs(JUnit4IdeaTestRunner.java:68)
    at com.intellij.rt.execution.junit.IdeaTestRunner$Repeater.startRunnerWithArgs(IdeaTestRunner.java:47)
    at com.intellij.rt.execution.junit.JUnitStarter.prepareStreamsAndStart(JUnitStarter.java:242)
    at com.intellij.rt.execution.junit.JUnitStarter.main(JUnitStarter.java:70

Note that backtracking versions of jackson reveals that the hanging started 
when upgrading from jackson 2.8.9 to 2.90.

Aside from that, all tests pass.

Any reason that we should be concerned that jackson 2.9.6 won't work with both 
odata-client and odata-server?
