(2.6) Backport all CVE fixes up to 2.9.10.6 #2864
Conversation
Note: We have long-term plans that prevent these patch backports from being necessary (at least, within the AWS SDK for Java ecosystem), but in the medium term this seems to be the cheapest option for our customers that we can come up with.
Happy to merge these, but one thing I will note is that I do not have current plans to make releases from branches prior to 2.9 at this point (2.9 releases will end by end of 2020 as well). I am not dead set against making a release but it is some effort with limited upside. I do note however that at least the latest 2.6 micro-patch (2.6.7.3) is being used by some projects (unlike latest 2.7) so I guess that is something.
Thanks, I really appreciate it. I understand that it's some effort to release old versions of software. We don't have any customers demanding this fix - we're just being proactive with these patching efforts - so we're not asking for a micro-patch to be released. If customers start demanding it of us (while we work on the long-term plans to move off of 2.6, of course), is there a way we can assist with actually releasing a micro-patch of 2.6?
@millems thank you! I wish I knew of a way to delegate some of the access rights but unfortunately at this point I don't think that is easy. What I can do is to create a placeholder issue in which to add notes and do "voting" (whoever would want the release can use thumbs up). I could then consider syncing a one-off release with the 2.9.10.x micro-patch -- there will be at least one more. Doing both at the same time makes things a bit more efficient, less context switching and so on.
See: #2866
Motivation: Jackson-2.6 is still widely used, despite being deprecated (including in the AWS SDK for Java 1.11.x). Until those consumers can migrate to a supported version of Jackson-2.6, this patch will protect those customers from the CVEs currently open against 2.6.7.3.
A similar change was made as part of 2.6.7.3 with similar motivation: a3939d3