when we release new version to fix CVE-2021-27568

[qiuyeziyaya]

hi, when we release new version to fix CVE-2021-27568. Now, the latest version is 2.3 in maven repository.
About CVE-2021-27568 :An issue was discovered in netplex json-smart-v1 through 2015-10-23 and json-smart-v2 through 2.4. An exception is thrown from a function, but it is not caught, as demonstrated by NumberFormatException. When it is not caught, it may cause programs using the library to crash or expose sensitive information.

[tloltman]

Hi, we would also greatly benefit from getting this fix (#61) in a new release. Please let us know if this will happen at some point.

[iteijeiro]

Hi, can you share with us a rough estimation for the release date of a version which includes this fix? Thanks a lot!

[UrielCh]

Up to 36 hours?

[coheigea]

@UrielCh Would it be possible to downgrade Java 11 to Java 8 for this release, so those of us still on Java 8 have a fix for this CVE?

[UrielCh]

So you suggest me to release Json-smart with a JDK 8.
What is the proper way to publish a java project? can we release multiple versions for different JREs?
Is setting the target version to 8 is enough?

[coheigea]

@UrielCh I submitted a PR here - #63
Apart from this I recommend building + releasing with a JDK8 instance. You don't need to release multiple versions for different JREs, releasing with JDK 8 will work for every subsequent Java version.

[UrielCh]

thx for your comment, I will check that in a few hours.
PS: java 1.6 is completely dead ?

[coheigea]

Yes: https://www.oracle.com/java/technologies/java-se-support-roadmap.html

[UrielCh]

The release is done (synchronization use to take hours).
I'm waiting for your feedback.

and then... I will uninstall java for a couple of years...

[sirocchj]

I can't find any new release in maven central yet https://repo1.maven.org/maven2/net/minidev/json-smart/ 🙁

[UrielCh]

I made the release from https://oss.sonatype.org/

I do not know how long it should take.

[UrielCh]

I'm releasing it again.

with the following steps:

• configure my maven setting.json
• configure my GPG environement & key
• disable the UTF-8 test they looks not to pass with my openjdk-11
• mvn clean deploy -P release-sign-artifacts
• my artefact is now released in ' https://oss.sonatype.org/service/local/staging/deploy/maven2/net/minidev/'
• I have A Repository named netminidev-1055 (net.minidev), User-Agent: Apache-Maven/3.6.0 (Java 11.0.9.1; Linux 5.4.106-1-pve)
• I close the staged repository.
• I can now Release or Drop the repository, I Release it, but not check drop at completion this time.
• staging repo url: https://oss.sonatype.org/content/repositories/netminidev-1055/
• I can now see the following errors:

Event: Failed: Repository Writable
typeId	RepositoryWritePolicy
failureMessage	Artifact updating: Repository ='releases:Releases' does not allow updating artifact='/net/minidev/json-smart-action/2.3/json-smart-action-2.3-javadoc.jar'
failureMessage	Artifact updating: Repository ='releases:Releases' does not allow updating artifact='/net/minidev/json-smart-action/2.3/json-smart-action-2.3.jar'
failureMessage	Artifact updating: Repository ='releases:Releases' does not allow updating artifact='/net/minidev/json-smart-action/2.3/json-smart-action-2.3-sources.jar'
failureMessage	Artifact updating: Repository ='releases:Releases' does not allow updating artifact='/net/minidev/json-smart-action/2.3/json-smart-action-2.3.pom'

it's look like I have no more access to my own net.minidev ...

Any hints ?