New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Enable FEATURE_SECURE_PROCESSING XML setting by default in 3.x #3203
Conversation
Hello, I'd like to know when you're going to merge it, we're really waiting for this fix! Thanks! |
@Antehz we do not typically backport fixes to older versions, so unfortunately at this time we don't have resources to prioritize this request. Are you able to instead upgrade to one of the more recent Liquibase versions that includes the fix? Thanks. |
This issue (#2248) is preventing us from upgrading to the more recent Liquibase versions. Do you have an ETA for when the threading issue will be resolved? |
@scott-jackman thanks for that backgound; I don't have a timeline right now, but your input helps us prioritize #2248. Thanks! |
@kataggart Thanks for prioritizing #2248 , that will also unblock us from upgrading. That said, would you consider an exception here to backporting the this fix to help us expedite addressing GHSA-jvfv-hrrc-6q72? The changes appear to affect nothing unless one opts in via property. And there is even a great test! Anyway, thanks for considering. |
Closing this since #2248 has been resolved and released, and we are not going to be releasing more 3.x versions. |
Impact
Description
Backport security fix for CVE-2022-0839.
This change mirrors work done in #2384. It is intended to bring the same security fix to Liquibase's 3.x family of releases.