Upgrade Netty to 4.1.73.Final #6769
Closed
> 16th of December, 2021, Release of version 1.2.9
>
> We note that the vulnerability mentioned in CVE-2021-42550 requires write access to logback's configuration file as a prerequisite. Please understand that log4Shell and CVE-2021-42550 are of different severity levels.
>
> In response to CVE-2021-42550 (aka LOGBACK-1591) we have decided to make the following steps.
>
> 1) Hardened logback's JNDI lookup mechanism to only honor requests in the java: namespace. All other types of requests are ignored. Many thanks to Michael Osipov for suggesting this change and providing the relevant PR.
> 2) SMTPAppender was hardened.
> 3) Temporarily removed DB support for security reasons.
> 4) Removed Groovy configuration support. As logging is so pervasive and configuration with Groovy is probably too powerful, this feature is unlikely to be reinstated for security reasons.
>
> We note that the aforementioned vulnerability requires write access to logback's configuration file as a prerequisite. Please understand that log4Shell/CVE-2021-44228 and CVE-2021-42550 are of different severity levels. A successful RCE attack with CVE-2021-42550 requires all of the following conditions to be met:
>
> - write access to logback.xml
> - use of versions < 1.2.9
> - reloading of poisoned configuration data, which implies application restart or scan="true" set prior to attack
>
> As an additional extra precaution, in addition to upgrading to logback version 1.2.9, we also recommend users to set their logback configuration files as read-only.
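The three preconditions in the quoted note (a writable configuration file, `scan="true"` so a modified file is reloaded without a restart, and a JNDI lookup that names something outside the `java:` namespace) are all visible from the configuration file itself. The following POSIX shell audit is an added example, not logback's or Micronaut's own code: it checks a logback.xml for each precondition and returns the number of findings as its exit status. It relies on logback's `<insertFromJNDI env-entry-name="..." as="..."/>` element, and the two sample configuration files it writes to a temporary directory are constructed for the demonstration; the `ldap://lookup.invalid/cfg` name is only there to show a lookup outside `java:`, the kind 1.2.9 now ignores.

```shell
#!/bin/sh
# Added example (not logback's or Micronaut's own code): audit a logback
# configuration file for the three preconditions the 1.2.9 release note lists
# for CVE-2021-42550. Exit status of audit_logback_config is the number of
# findings (0 = clean), or 64 if the file does not exist.

audit_logback_config() {
    cfg="$1"
    findings=0
    if [ ! -f "$cfg" ]; then
        echo "ERROR: no such file: $cfg"
        return 64
    fi

    # Read the permission bits from ls rather than using [ -w ], so the
    # answer does not change when the audit happens to run as root.
    mode=$(ls -ld "$cfg" | cut -c2-10)
    case "$mode" in
        *w*) echo "WARN: $cfg is writable ($mode); consider chmod a-w"
             findings=$((findings + 1)) ;;
    esac

    # scan="true" on <configuration> reloads a modified file without a restart.
    if grep -Eiq '<configuration[^>]*scan *= *"?true' "$cfg"; then
        echo "WARN: scan=\"true\" reloads a modified config without an application restart"
        findings=$((findings + 1))
    fi

    # Every env-entry-name outside the java: namespace is a finding
    # (1.2.9+ ignores such lookups; older versions honour them).
    # Assumes JNDI names contain no whitespace.
    for name in $(grep -Eo 'env-entry-name="[^"]*"' "$cfg" | sed 's/^env-entry-name="//; s/"$//'); do
        case "$name" in
            java:*) ;;
            *) echo "WARN: JNDI lookup outside java: namespace: $name"
               findings=$((findings + 1)) ;;
        esac
    done

    return "$findings"
}

# Constructed sample configurations, written to a temp dir for the demo.
WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT
WEAK_CFG="$WORKDIR/logback-weak.xml"
HARD_CFG="$WORKDIR/logback-hardened.xml"

cat > "$WEAK_CFG" <<'EOF'
<configuration scan="true" scanPeriod="30 seconds">
  <!-- constructed: a lookup outside java:, the kind 1.2.9 now ignores -->
  <insertFromJNDI env-entry-name="ldap://lookup.invalid/cfg" as="appName"/>
  <root level="INFO"/>
</configuration>
EOF
chmod 664 "$WEAK_CFG"

cat > "$HARD_CFG" <<'EOF'
<configuration>
  <insertFromJNDI env-entry-name="java:comp/env/appName" as="appName"/>
  <root level="INFO"/>
</configuration>
EOF
chmod 444 "$HARD_CFG"

for f in "$WEAK_CFG" "$HARD_CFG"; do
    rc=0
    audit_logback_config "$f" || rc=$?
    echo "$f: $rc finding(s)"
done
```

The weak file trips all three checks (exit status 3) and the hardened, read-only file trips none (exit status 0). The permission check deliberately reads the mode string instead of testing `-w`, because `-w` is always true for root and would hide a world-writable file from an audit run under a privileged account.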
* Add new `@AccessorsStyle` annotation

  This annotation is used to explicitly tell Micronaut that the getters and setters for a Java Bean are not named in a standard way, i.e., using get/set prefix. At this moment we only do something for NONE style which is the one used by Lombok "fluent" accessors. See micronaut-projects/micronaut-openapi#593
* New AccessorsStyle annotation with custom read/write prefixes
* Support `@ConfigurationProperties` for classes and interfaces
* Use getValue instead of findAnnotation
* Alias AccessorsStyle::writePrefixes in `@ConfigurationBuilder`
* Add documentation
* Add `since` and nullability annotations
* Do not reference Lombok in docs
* Add docs for bean introspections
This commit introduces loading of "static optimizations" via service loading. The reason we have to do this is, again, _ordering_. When implementing AOT optimizations for lambdas, we realized that it was possible for some classes on classpath to call the `SoftServiceLoader` in a static initializer, _before_ the static optimizations were set. The consequence of doing this is that once the AOT optimizer has optimized service loading, then no service would be found because when this call is made, the optimizations are not injected yet.

As a consequence, we also introduced a sanity check to make sure that the static optimizations' `get()` method is only called _after_ the `set()` method was called. It is illegal to set an optimization after the first consumer has read its state.

Ideally, we should get rid of static initializers in beans, but there's a long way to go. This commit therefore introduces a pragmatic solution to make sure that optimizations are always set before any consumer accesses them. This will also require a change in Micronaut AOT to use this new API, instead of injecting optimizations via a static block in a generated context configurer.
* Constant property sources shouldn't all be loaded

  This commit fixes a bug in how "constant" property sources are loaded. Constant property sources are property sources which are generated by Micronaut AOT, for example by converting YAML configuration files to Java. Once they are converted, they are added as property sources. However, if more than one configuration file is converted, for example if we convert `application.yml` and `application-test.yml`, then both configurations would be applied at startup, even if the `test` environment isn't set. This commit fixes the bug by making sure that the constant property sources are filtered by active environments. See micronaut-projects/micronaut-aot#37
* Add test for constant property sources
* Get rid of the special case for `default`

  Instead, systematically add the "default" property source in the list.
Defining a @nullable @inherited annotation class does not mean the nullability was inherited by subclasses. The issue is that we were not checking the stereotypes when checking for nullability.
Co-authored-by: jameskleeh <james.kleeh@gmail.com>
The file watcher required an EmbeddedServer to be enabled. If you create a Kafka app with no http enabled, i.e. mn create-messaging-app messaging-test --features kafka, then you get a MessagingApplication in place of an EmbeddedServer. This change moves the requirement up to an EmbeddedApplication<?> instead of a specific EmbeddedServer implementation of it, so we listen for restart events for that type.
* Delay response for `Mono` bodies of `HttpResponse` return values

  Before this patch, Mono handling would only be applied when Mono is used as a direct return type, not when it is wrapped in a `HttpResponse`, such as `HttpResponse.ok(Mono.just("foo"))`. This patch delays the response until the wrapped Mono has completed, to match the behavior of returning `Mono.just("foo")` directly. The purpose of this change is that errors in the Mono will now be handled by the `ExceptionHandler`, not as a write error. Fixes #6677
* fix test case
* test for multiple items in reactive exception handler
This matches `RouteExecutor` behavior when there is no `@Produces` annotation. Fixes #6724
* add serde to BOM
* add bom entry
* bump to M3
Test failure not related to this change
graemerocher approved these changes on Jan 18, 2022
Superseded by #6774