
Enable FEATURE_SECURE_PROCESSING XML setting by default in 3.x #3203

Closed
wants to merge 4 commits into from

Conversation

trentdm
Contributor

@trentdm trentdm commented Aug 25, 2022

Impact

  • Bug fix (non-breaking change which fixes expected existing functionality)
  • Enhancement/New feature (adds functionality without impacting existing logic)
  • Breaking change (fix or feature that would cause existing functionality to change)

Description

Backport security fix for CVE-2022-0839.

This change mirrors work done in #2384. It is intended to bring the same security fix to Liquibase's 3.x family of releases.

@trentdm trentdm marked this pull request as ready for review August 26, 2022 14:32
@Antehz

Antehz commented Aug 30, 2022

Hello, I'd like to know when you're going to merge it, we're really waiting for this fix! Thanks!

@kataggart
Contributor

@Antehz we do not typically backport fixes to older versions, so unfortunately at this time we don't have resources to prioritize this request. Are you able to instead upgrade to one of the more recent Liquibase versions that includes the fix? Thanks.

@scott-jackman

@Antehz we do not typically backport fixes to older versions, so unfortunately at this time we don't have resources to prioritize this request. Are you able to instead upgrade to one of the more recent Liquibase versions that includes the fix? Thanks.

This issue (#2248) is preventing us from upgrading to the more recent Liquibase versions. Do you have an ETA for when the threading issue will be resolved?

@kataggart
Contributor

@scott-jackman thanks for that background; I don't have a timeline right now, but your input helps us prioritize #2248. Thanks!

@westse

westse commented Sep 1, 2022

@kataggart Thanks for prioritizing #2248, that will also unblock us from upgrading. That said, would you consider an exception here to backporting this fix to help us expedite addressing GHSA-jvfv-hrrc-6q72? The changes appear to affect nothing unless one opts in via property. And there is even a great test!

Anyway, thanks for considering.

@kataggart
Contributor

@westse Right now it is not likely, but I will raise it with the team tomorrow and see what they say. The other option is of course to fork Liquibase on your side and apply your fix, build it and run with that until #2248 is resolved.

@kataggart kataggart self-assigned this Sep 2, 2022
@kataggart kataggart removed their assignment Nov 16, 2022
@nvoxland
Contributor

nvoxland commented Dec 7, 2022

Closing this since #2248 has been resolved and released, and we are not going to be releasing more 3.x versions.

@nvoxland nvoxland closed this Dec 7, 2022