
logback-test.xml in the Main Avro resources folder can cause runtime issues for applications #379

Closed
kyle-silver opened this issue May 10, 2023 · 11 comments
Comments

@kyle-silver

Because this test logback file (located here) is in the main directory, it gets packaged and deployed as part of the release artifact. I have some apps running with Spring Boot 2.7.x and Logback and have observed that this test configuration file is getting picked up by Logback and causing the app to fail on startup due to a (perceived) misconfiguration. I believe this can be remediated by moving logback-test.xml to the avro/test/resources directory.


I am happy to open a pull request with this change myself but wanted to file an issue first and hear feedback from the maintainers. I am a huge fan of the work you do on this library.
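The failure mode described above is a classpath one: Logback tries `logback-test.xml` before `logback.xml`, so a library jar that ships a root-level `logback-test.xml` silently overrides the application's own configuration. The script below is an added example (not code from the jackson-dataformats-binary project or this thread) that audits a directory of jars, such as an exploded Spring Boot `BOOT-INF/lib/` directory, for this kind of stray resource; the directory path and jar contents are assumptions for illustration.

```python
import sys
import zipfile
from pathlib import Path

# Resource names Logback auto-loads from the classpath root, in the order
# it tries them: a logback-test.xml anywhere on the classpath wins over
# the application's logback.xml.
LOGBACK_CONFIG_NAMES = ("logback-test.xml", "logback.xml")


def find_logback_configs(jar_path):
    """Return the Logback config entries at the root of one jar.

    Only root-level entries are reported: Logback resolves the file via
    ClassLoader.getResource(name), so a copy nested under META-INF/ or a
    package directory is not picked up automatically.
    """
    with zipfile.ZipFile(jar_path) as jar:
        return [name for name in jar.namelist() if name in LOGBACK_CONFIG_NAMES]


def scan_classpath_dir(directory):
    """Map jar file name -> offending entries for every jar in a directory."""
    findings = {}
    for jar in sorted(Path(directory).glob("*.jar")):
        hits = find_logback_configs(jar)
        if hits:
            findings[jar.name] = hits
    return findings


if __name__ == "__main__":
    # Usage: python audit_logback.py BOOT-INF/lib  (directory is an assumption)
    lib_dir = sys.argv[1] if len(sys.argv) > 1 else "BOOT-INF/lib"
    for jar_name, entries in scan_classpath_dir(lib_dir).items():
        print(f"{jar_name}: ships {', '.join(entries)} at classpath root")
```

A library jar that ships `logback-test.xml` is a packaging defect in that jar, so the fix belongs upstream (moving the file to test resources, as this issue did); the audit only tells you which dependency to pin or report.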

@cowtowncoder (Member)

cowtowncoder commented May 10, 2023

Sounds like a flaw, unintended so PR (against 2.14 branch so I can merge forward) would be most welcome.
Thank you for reporting this and bonus points for asking before PR!

@kyle-silver (Author)

Absolutely. One question, though—since that file doesn't exist on the 2.14 branch, will this need a separate commit on the 2.15 branch to remove it once the test file is added?

@cowtowncoder (Member)

Oh, ok, then just do that for the 2.15 branch. I haven't had a chance to check (traveling this week).

@techabstraction (Contributor)

Hope you don't mind me raising this PR without reaching out first. Just trying to help out, as we're also experiencing our apps failing on startup.

techabstraction pushed a commit to techabstraction/jackson-dataformats-binary that referenced this issue May 18, 2023
cowtowncoder pushed a commit that referenced this issue May 18, 2023
Co-authored-by: Dan Collins <dancollins@expediagroup.com>
@cowtowncoder cowtowncoder added this to the 2.15.2 milestone May 18, 2023
@cowtowncoder cowtowncoder changed the title logback-test.xml in the Main Avro Resources Folder Can Cause Runtime Issues for Applications logback-test.xml in the Main Avro resources folder can cause runtime issues for applications May 18, 2023
@cowtowncoder (Member)

@techabstraction Not at all, thanks for the PR! I wish I had remembered to wait for this before the 2.15.1 release, but it'll be in 2.15.2.

cowtowncoder added a commit that referenced this issue May 18, 2023
@techabstraction (Contributor)

Thanks @cowtowncoder. Any idea when we can expect 2.15.2? 2.14.3 has a high priority CVE so isn't safe to use.

PRISMA-2023-0067

Priority: High

com.fasterxml.jackson.core_jackson-core package versions before 2.15.0 are vulnerable to Denial of Service (DoS). The package does not properly restrict the size or amount of resources that are requested or influenced by an actor, which can be used to consume more resources than intended and leads to Uncontrolled Resource Consumption ('Resource Exhaustion').

@cowtowncoder (Member)

@techabstraction Normally it'd take a while between patches, but "fortunately" there are multiple jar/build issues that are problematic with 2.15.1; as well as one Record-related bug for which I personally need a new version :)

Which is to say I'll probably try to get 2.15.2 released within a week or so.

@techabstraction (Contributor)

Hi @cowtowncoder . Just checking in, any update on when 2.15.2 will be released?

@cowtowncoder (Member)

cowtowncoder commented May 30, 2023

This week, today or tomorrow I hope.

EDIT: was released on 2023-05-30.

@SuvaAndiBill

Hi,
just to let you know: also with spring-boot 3.x.x the app fails to start with version 2.15.1.
With version 2.15.2 it's ok again.
Thanks for your work.

@cowtowncoder (Member)

Thank you for verifying @SuvaAndiBill -- too bad this file was included, but good that things work again.
