
Bump fastjson from 1.2.31 to 1.2.62 in /elasticsearchAction #3


Conversation

dependabot[bot]
Contributor

@dependabot dependabot bot commented on behalf of github Dec 23, 2019

Bumps fastjson from 1.2.31 to 1.2.62.

Release notes

Sourced from fastjson's releases.

fastjson 1.2.62 released: adds autoType blacklist entries, improves date deserialization and JSONPath

Spent the National Day holiday resting at home and put out a release. It mainly adds autoType blacklist entries, improves date deserialization support, and improves JSONPath support.

To state it once more: fastjson's autoType is off by default, and the default is whitelist-based. The continual additions to the autoType blacklist are for particular scenarios that need them; users who have not explicitly enabled autoType do not need to upgrade to a version above 1.2.60 for security reasons.

Issues

  1. Add autoType blacklist entries
  2. Fix JavaBeanSerializer.processValue compatibility issue #2790
  3. Fix JSONField.unwrapped not taking effect in the toJSON method #2447
  4. Improve support for custom date serialization and deserialization and for dateFormat; add 'millis' and 'unixtime' as output and deserialization formats
  5. Fix multi-level generic type inference not working in some scenarios #2397
  6. JSONPath.remove supports more syntax #2791
  7. JSONPath complex expressions support more scenarios #2743 #2792
  8. Support field names beginning with $ and _ #2762
  9. Automatic date-format detection during deserialization supports the New Zealand time zone #2754

Related links

Fastjson 1.2.61 released, adds AutoType security blacklist entries

Recently someone published an article on Freebuf disclosing two classes that are not on the autoType blacklist and can be exploited, and a certain security vendor rated the vulnerability as high. To clarify: autoType is off by default; a vulnerability that requires explicitly enabling it and that depends on specific packages should not count as high severity.

Welcome https://github.com/Omega-Ariston as a fastjson committer.

Issues

  1. Add autoType security blacklist entries
  2. Restore the put method mistakenly removed from SerializeConfig in 1.2.60
  3. Fix JSONField.unwrapped losing properties in some scenarios #2753
  4. Fix Feature.NonStringKeyAsString not taking effect in some scenarios #2736
  5. Fix missing support for guava ArrayListMultimap #2430
  6. Fix JSON.parseArray not recognizing byte[].class and char[].class as varargs #2464
  7. Fix the snake_case configuration not taking effect when nested #2428
  8. Fix incorrect results for BigInteger properties holding very large numbers #2628
  9. Fix java.sql.Date losing precision in some scenarios

相关链接

fastjson 1.2.60 released, fixes a denial-of-service security issue

This is another bug-fix and security-hardening release: it adds AutoType blacklist entries and fixes a problem that caused denial of service.

Security fix recommendations

The denial-of-service vulnerability affects all previous FASTJSON versions; upgrading to the latest version, 1.2.60, is recommended. If you run into incompatibilities, the following compatible versions can be used:

1.1.15~1.1.31 -> 1.1.31.sec07 (this one differs because, after 1.1.31.sec06 was released, a problem specific to 1.1.31 was found and 1.1.31.sec07 was released)
1.1.32~1.1.33 -> 1.1.33.sec06
... (truncated)
Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot ignore this [patch|minor|major] version will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
  • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
  • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
  • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.
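The release notes quoted in this PR turn on one distinction: autoType off (the default, accept-list based) versus autoType explicitly enabled, which is the state the blacklist additions in 1.2.60 through 1.2.62 protect. The following is an added example, not fastjson's code and not part of this repository, that shows how fastjson treats an untrusted document carrying an `@type` key under those settings. The class `com.example.demo.AutoTypeDemo`, its nested `Pojo` bean and the JSON document are assumptions constructed for the example; the fastjson calls (`JSON.parseObject`, `ParserConfig.addAccept`, `ParserConfig.setAutoTypeSupport`) are the library's real API. With fastjson 1.2.62 on the classpath, the stock config refuses the `@type`, the accept-listed config deserializes it with autoType still off, and the third config, with autoType on, admits any loadable class that is not on the deny list.

```java
package com.example.demo;

import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.JSONException;
import com.alibaba.fastjson.parser.ParserConfig;

/**
 * Added example (not fastjson's or this repository's code): how fastjson handles
 * an attacker-supplied "@type" key under three ParserConfig settings.
 */
public class AutoTypeDemo {

    /** Hypothetical bean; its name and field are assumptions made for this example. */
    public static class Pojo {
        private String name;
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
    }

    /** Constructed input: a document whose "@type" names a class the caller never asked for. */
    static final String UNTRUSTED =
            "{\"@type\":\"com.example.demo.AutoTypeDemo$Pojo\",\"name\":\"x\"}";

    /**
     * Parses UNTRUSTED with the given config as a plain Object, so the only thing
     * that can decide the result type is the "@type" key filtered by the config's
     * autoType rules. Returns a description instead of throwing, so that all three
     * cases can be compared in one run.
     */
    static String tryParse(String label, ParserConfig config) {
        try {
            Object parsed = JSON.parseObject(UNTRUSTED, Object.class, config);
            return label + ": accepted, got " + parsed.getClass().getName();
        } catch (JSONException e) {
            return label + ": rejected, " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        // 1. Stock configuration: autoType off and no accept entry for our package.
        //    A "@type" naming an unlisted class is refused before any instance is
        //    created; this is the default the release notes describe.
        ParserConfig stock = new ParserConfig();
        System.out.println(tryParse("default", stock));

        // 2. Accept list (whitelist): autoType stays off, but classes under the
        //    listed prefix may be named in "@type". Matching is by prefix, so this
        //    opens the whole package; list the narrowest prefix you can.
        ParserConfig allowListed = new ParserConfig();
        allowListed.addAccept("com.example.demo.");
        System.out.println(tryParse("accept-list", allowListed));

        // 3. autoType enabled for this config: any loadable class that is not on
        //    fastjson's deny list can be named in "@type". This is the setting the
        //    blacklist additions in 1.2.60 through 1.2.62 are for, and the one
        //    that must never be fed untrusted input.
        ParserConfig open = new ParserConfig();
        open.setAutoTypeSupport(true);
        System.out.println(tryParse("autoType-on", open));
    }
}
```

Before merging a bump like this one, the check worth doing is the one the release note implies: grep the consuming code (here `elasticsearchAction`) and its transitive dependencies for `setAutoTypeSupport(true)`, `Feature.SupportAutoType` and `addAccept` calls. If none are present, the deny-list updates are defence in depth; if any are, the parser is in the third state above and the bump is a real security fix, not just housekeeping.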

@dependabot dependabot bot added the dependencies Pull requests that update a dependency file label Dec 23, 2019
@dependabot dependabot bot force-pushed the dependabot/maven/elasticsearchAction/com.alibaba-fastjson-1.2.62 branch from 2f83cfd to f3a8121 on December 23, 2019 10:02
Contributor Author

dependabot bot commented on behalf of github Jun 17, 2022

Superseded by #27.

@dependabot dependabot bot closed this Jun 17, 2022
@dependabot dependabot bot deleted the dependabot/maven/elasticsearchAction/com.alibaba-fastjson-1.2.62 branch June 17, 2022 02:46
Labels
dependencies Pull requests that update a dependency file