Deploys nightly Demo and publishes nightly to sourceforge

Commits

Author Commit Message Commit date
Ian Bacher a934e57ba1fdea705e511f94f19ef54b8d34bccb Fix the CI errors
dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> 7d117be340b59093e3c0babce08f4fad32576db1 maven(deps): bump javassist from 3.29.1-GA to 3.29.2-GA (#4149)
Bumps [javassist](https://github.com/jboss-javassist/javassist) from 3.29.1-GA to 3.29.2-GA.
- [Release notes](https://github.com/jboss-javassist/javassist/releases)
- [Changelog](https://github.com/jboss-javassist/javassist/blob/master/Changes.md)
- [Commits](https://github.com/jboss-javassist/javassist/commits)

---
updated-dependencies:
- dependency-name: org.javassist:javassist
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Ian Bacher 8c5fef050f47a4a1aca2bb6bd6bc701e5284abd5 Fix: (semi-speculative) resolve errors on CI
dkayiwa <kayiwadaniel@gmail.com> fa5aa83012ccbff46c86f0f101885dd4f68cef8c TRUNK-5870 Soundex and UUID extensions for PostgreSQL
dkayiwa <kayiwadaniel@gmail.com> 0b7c00d5eced4b3483ebdf0bbd69088093293b27 Fix: org.postgresql.util.PSQLException: ERROR: column "voided" is of type boolean but expression is of type integer
Himabindu T <tbindu@thoughtworks.com> 9f6847ed5525e83b4abf97f4315b54bbabe5461e BAH-1947: Sort patient identifier in Lucene results (#4145)
Jonathan Leitschuh <jonathan.leitschuh@gmail.com> 8e435b3355733f767c89b8ce3409e17ab400f811 vuln-fix: Zip Slip Vulnerability (#4144)
This fixes a Zip-Slip vulnerability.

This change does one of two things. This change either

1. Inserts a guard to protect against Zip Slip.
OR
2. Replaces `dir.getCanonicalPath().startsWith(parent.getCanonicalPath())`, which is vulnerable to partial path traversal attacks, with the more secure `dir.getCanonicalFile().toPath().startsWith(parent.getCanonicalFile().toPath())`.

For number 2, consider `"/usr/outnot".startsWith("/usr/out")`.
The check is bypassed although `/outnot` is not under the `/out` directory.
It's important to understand that the terminating slash may be removed when using various `String` representations of the `File` object.
For example, on Linux, `println(new File("/var"))` will print `/var`, but `println(new File("/var", "/"))` will print `/var/`;
however, `println(new File("/var", "/").getCanonicalPath())` will print `/var`.

Weakness: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Severity: High
CVSS: 7.4
Detection: CodeQL (https://codeql.github.com/codeql-query-help/java/java-zipslip/) & OpenRewrite (https://public.moderne.io/recipes/org.openrewrite.java.security.ZipSlip)

Reported-by: Jonathan Leitschuh <Jonathan.Leitschuh@gmail.com>
Signed-off-by: Jonathan Leitschuh <Jonathan.Leitschuh@gmail.com>

Bug-tracker: https://github.com/JLLeitschuh/security-research/issues/16

Co-authored-by: Moderne <team@moderne.io>

Co-authored-by: Moderne <team@moderne.io>
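
The partial path traversal case described in the commit message above, shown as an added example that is not taken from the commit or the project's code. The class name, method names, entry names and the `/usr/out` target directory are assumptions for illustration, and Linux-style paths are assumed.

```java
import java.io.File;
import java.io.IOException;

// Added illustration; class, method names and sample paths are constructed.
public class ZipSlipGuardDemo {

    // Weak check: compares canonical paths as raw strings, so a sibling
    // directory that shares the prefix (e.g. "/usr/outnot") passes.
    static boolean weakIsInside(File parent, File child) throws IOException {
        return child.getCanonicalPath().startsWith(parent.getCanonicalPath());
    }

    // Stronger check: Path.startsWith compares whole name elements,
    // so "/usr/outnot" is not treated as being under "/usr/out".
    static boolean strictIsInside(File parent, File child) throws IOException {
        return child.getCanonicalFile().toPath()
                .startsWith(parent.getCanonicalFile().toPath());
    }

    // Guard to call for every archive entry before anything is written.
    static File resolveEntry(File destDir, String entryName) throws IOException {
        File target = new File(destDir, entryName);
        if (!strictIsInside(destDir, target)) {
            throw new IOException("Entry is outside the target dir: " + entryName);
        }
        return target;
    }

    public static void main(String[] args) throws IOException {
        File out = new File("/usr/out");
        // Constructed entry names, as they might appear in an archive.
        String[] entries = { "docs/readme.txt", "../outnot/file.txt", "../../etc/file.txt" };
        for (String name : entries) {
            File target = new File(out, name);
            System.out.printf("%-20s weak=%-5b strict=%b%n",
                    name, weakIsInside(out, target), strictIsInside(out, target));
        }
        try {
            resolveEntry(out, "../outnot/file.txt");
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The second entry is the interesting one: it canonicalizes to `/usr/outnot/file.txt`, which the string comparison accepts and the `Path` comparison rejects.
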
dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> d9de1cbf1bfc43de462a5fc7f3c5f553d6f8aa1f github-actions(deps): bump actions/checkout from 2 to 3 (#4147)
Bumps [actions/checkout](https://github.com/actions/checkout) from 2 to 3.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v2...v3)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Siva Reddy <sivareddy.pathuri@thoughtworks.com> f7e2e474d9e8b4915fd99d12738b17070e501fbc Siva Reddy | BAH-2274 | Support for Java8 DateTime in jackson (#4146)