
when we release new version to fix CVE-2021-27568 #62

Closed
qiuyeziyaya opened this issue Mar 5, 2021 · 26 comments

@qiuyeziyaya

Hi, when will a new version be released to fix CVE-2021-27568? Currently the latest version in the Maven repository is 2.3.
About CVE-2021-27568: An issue was discovered in netplex json-smart-v1 through 2015-10-23 and json-smart-v2 through 2.4. An exception is thrown from a function, but it is not caught, as demonstrated by NumberFormatException. When it is not caught, it may cause programs using the library to crash or expose sensitive information.
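As an added example (not code from the json-smart project or from anyone in this thread), the following Java shows how a caller of json-smart 2.3 or earlier can contain the uncaught NumberFormatException described in the CVE text above, so that untrusted input is rejected instead of crashing the thread or leaking the raw input in an error message. The class name `SafeJsonParse`, the `Outcome` holder and the sample documents are my own; only `JSONValue.parseWithException` and `ParseException` are the library's real API.

```java
// Added example, not part of json-smart: contain the escaping
// NumberFormatException (CVE-2021-27568) when parsing untrusted JSON
// with json-smart <= 2.3.
import net.minidev.json.JSONValue;
import net.minidev.json.parser.ParseException;

public final class SafeJsonParse {

    /** Either a parsed value or the reason the input was rejected. */
    public static final class Outcome {
        public final Object value;
        public final String rejection;
        Outcome(Object value, String rejection) {
            this.value = value;
            this.rejection = rejection;
        }
        public boolean accepted() { return rejection == null; }
    }

    /**
     * ParseException covers syntactically malformed JSON on every release.
     * The NumberFormatException branch is the CVE-2021-27568 case: on
     * json-smart <= 2.3 a failure while converting a numeric literal is a
     * RuntimeException that escapes parseWithException unwrapped, so a
     * caller that only catches ParseException crashes. The fix referenced
     * in this thread (#61) removes that escape path; keeping the catch is
     * harmless on fixed releases.
     */
    public static Outcome parseUntrusted(String json) {
        try {
            return new Outcome(JSONValue.parseWithException(json), null);
        } catch (ParseException e) {
            return new Outcome(null, "malformed JSON at position " + e.getPosition());
        } catch (NumberFormatException e) {
            // Do not forward e.getMessage() to clients: JDK number parsers
            // embed the offending input text in it.
            return new Outcome(null, "malformed numeric literal");
        }
    }

    public static void main(String[] args) {
        // Constructed samples: one valid document, one malformed document.
        for (String sample : new String[] {"{\"a\": 42}", "{\"a\": }"}) {
            Outcome o = parseUntrusted(sample);
            System.out.println(o.accepted() ? "accepted: " + o.value
                                            : "rejected: " + o.rejection);
        }
    }
}
```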

@tloltman

Hi, we would also greatly benefit from getting this fix (#61) in a new release. Please let us know if this will happen at some point.

@iteijeiro

Hi, can you share with us a rough estimation for the release date of a version which includes this fix? Thanks a lot!

UrielCh added the "in progress" label on Apr 1, 2021.

UrielCh commented Apr 1, 2021

Up to 36 hours?


coheigea commented Apr 1, 2021

@UrielCh Would it be possible to downgrade Java 11 to Java 8 for this release, so those of us still on Java 8 have a fix for this CVE?


UrielCh commented Apr 1, 2021

So you suggest that I release json-smart with JDK 8.
What is the proper way to publish a Java project? Can we release multiple versions for different JREs?
Is setting the target version to 8 enough?


coheigea commented Apr 2, 2021

@UrielCh I submitted a PR here - #63
Apart from this I recommend building + releasing with a JDK8 instance. You don't need to release multiple versions for different JREs, releasing with JDK 8 will work for every subsequent Java version.


UrielCh commented Apr 2, 2021

Thanks for your comment, I will check that in a few hours.
PS: is Java 1.6 completely dead?


coheigea commented Apr 2, 2021


UrielCh commented Apr 2, 2021

The release is done (synchronization usually takes hours).
I'm waiting for your feedback.

and then... I will uninstall java for a couple of years...


sirocchj commented Apr 3, 2021

I can't find any new release in maven central yet https://repo1.maven.org/maven2/net/minidev/json-smart/ 🙁


UrielCh commented Apr 3, 2021

I made the release from https://oss.sonatype.org/

I do not know how long it should take.


UrielCh commented Apr 3, 2021

I'm releasing it again, with the following steps:

  • configure my Maven setting.json
  • configure my GPG environment & key
  • disable the UTF-8 test, which does not seem to pass with my openjdk-11
  • mvn clean deploy -P release-sign-artifacts
  • my artefact is now released in 'https://oss.sonatype.org/service/local/staging/deploy/maven2/net/minidev/'
  • I have a repository named netminidev-1055 (net.minidev), User-Agent: Apache-Maven/3.6.0 (Java 11.0.9.1; Linux 5.4.106-1-pve)
  • I close the staged repository.
  • I can now Release or Drop the repository; I Release it, but do not check "drop at completion" this time.
  • staging repo url: https://oss.sonatype.org/content/repositories/netminidev-1055/
  • I can now see the following errors:
Event: Failed: Repository Writable
typeId	RepositoryWritePolicy
failureMessage	Artifact updating: Repository ='releases:Releases' does not allow updating artifact='/net/minidev/json-smart-action/2.3/json-smart-action-2.3-javadoc.jar'
failureMessage	Artifact updating: Repository ='releases:Releases' does not allow updating artifact='/net/minidev/json-smart-action/2.3/json-smart-action-2.3.jar'
failureMessage	Artifact updating: Repository ='releases:Releases' does not allow updating artifact='/net/minidev/json-smart-action/2.3/json-smart-action-2.3-sources.jar'
failureMessage	Artifact updating: Repository ='releases:Releases' does not allow updating artifact='/net/minidev/json-smart-action/2.3/json-smart-action-2.3.pom'

It looks like I no longer have access to my own net.minidev ...

Any hints ?


sirocchj commented Apr 3, 2021

Looks like it's complaining that you're trying to push 2.3 and it won't allow you to, as it's already released. You'd need to bump the version in the build, by the looks of it.

Specifically, json-smart-action/pom.xml line 6 is saying the parent is 2.3, and iirc Maven will then make the current module inherit that version. This could be a problem somewhere else too, but I'm not sure.


UrielCh commented Apr 3, 2021

Let me bump... everything...
JUnit 5 changed the parameter order... that's going to be long...


UrielCh commented Apr 3, 2021

Just released:

json-smart-action 2.4.1
json-smart 2.4.1
minidev-parent 2.4.1
accessors-smart 1.3
All version numbers increased.
No more JUnit 4; I use JUnit 5.

But I do not think it works.


sirocchj commented Apr 3, 2021


UrielCh commented Apr 4, 2021

nice.

If you have some change to ask, do it now.

or switch to TypeScript as I did :)

UrielCh added the "bug" label and removed the "in progress" label on Apr 4, 2021.

UrielCh commented Apr 4, 2021

CVE-2021-27568 is now fully fixed in

  • json-smart (v2) for Java 1.8+
  • json-smart (v1) for Java 1.6+
  • json-smart-mini for Java 1.6+


dpeger commented Apr 22, 2021

@UrielCh is it possible to get a patch for version 2.3 with this fix? There seem to be many other libraries using this project, and especially spring-boot won't introduce new major or minor versions of dependencies in maintenance branches.

see spring-projects/spring-boot#25946 (comment)


UrielCh commented Apr 23, 2021

Wait and see your fork / PR


dpeger commented Apr 23, 2021

@UrielCh I think you need to create a new branch in the upstream repo based on v2.3; otherwise I cannot create a PR for this branch.


UrielCh commented Apr 23, 2021

Choose your commit id and I will give you a new branch.

There is no breaking change between 2.3, 2.4 and 2.5, so branching a 2.3.X from master is not a big deal.

UrielCh reopened this on Apr 23, 2021.
UrielCh added a commit that referenced this issue on Apr 30, 2021.

UrielCh commented Apr 30, 2021

Everything is now available on maven repo.


r0bb3n commented May 1, 2021

Everything is now available on maven repo.

I can't find version 2.3.1 either on mvnrepository.com or on oss.sonatype.org.

🤔


UrielCh commented May 2, 2021

V2.3.1 has been published today.


r0bb3n commented May 2, 2021

Thanks, found it on oss.sonatype.org now. The automated mirroring process to Maven Central shouldn't take that long, I guess. Thank you.

8 participants