Bug 1389805 - [LLNL 7.4 FEAT] Rebase jansson to at least 2.10
Summary: [LLNL 7.4 FEAT] Rebase jansson to at least 2.10
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: jansson
Version: 7.3
Hardware: x86_64
OS: Linux
Target Milestone: rc
: 7.4
Assignee: Xin Long
QA Contact: BaseOS QE Security Team
Ioanna Gkioka
Depends On:
Blocks: 1300696 1300697 1384121 1384257 1399228 1403375 1425715 1446211
TreeView+ depends on / blocked
Reported: 2016-10-28 17:07 UTC by Ben Woodard
Modified: 2017-08-01 12:41 UTC (History)
15 users (show)

Fixed In Version: jansson-2.10-1.el7
Doc Type: Rebase: Bug Fixes and Enhancements
Doc Text:
_jansson_ rebased to version 2.10 The *jansson* library has been updated to version 2.10, which provides several bug fixes and enhancements over the previous version. Notably, interfaces have been added to support the *clevis*, *tang* and *jose* applications.
Clone Of:
Last Closed: 2017-08-01 12:41:57 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2017:2195 0 normal SHIPPED_LIVE jansson enhancement update 2017-08-01 16:09:05 UTC

Description Ben Woodard 2016-10-28 17:07:40 UTC
Description of problem:

We are migrating from RHEL6 to RHEL7. Jansson is in EPEL for RHEL6 but it is:
jansson-2.6-1.el6.i686.rpm  so many developers have been writing code based upon the 2.6 API. However, in RHEL7 there is jansson-2.4-6.el7.x86_64.rpm

One of the problems with this is developers have been using json_array_foreach() which no longer exists. There are other problems but that is the most evident.

EPEL with its looser rebase requirements is no longer an option because Jansson is now in the main distro.

The 2.4 version is known to have weak hash functions: http://www.digip.org/blog/2014/04/jansson-2.6-released.html and so it would be good to not be subject to that weakness. While investigating that problem for this ticket, I found: https://bugzilla.redhat.com/show_bug.cgi?id=1063831 but we are not entirely sure that addresses the same problem. Even if the fix was backported to 2.4 then that could create problems with the internal API versioning in the library. 

Jansson as with many other simple libraries exports its "API Version" via preprocessor macros, e.g. JANSSON_VERSION_HEX or similar, to allow calling code to determine features, work around issues, etc. By backporting fixes, you may be violating those tests and confusing applications that make use of it. Someone could add a w/a to their code for the patched security update based on JANSSON_VERSION, which would now be incorrect since RH has broken the contract of the #define

jansson 2.4 provides libjansson.so.4.4.0 and jansson 2.6 provides libjansson.so.4.6.0, so they should be are ABI compatible. It is just that 2.6 also adds some functions used by developers here.

Additional info:
We did see: https://bugzilla.redhat.com/show_bug.cgi?id=1177645 which was closed won't fix but the requestor didn't really provide a good reason why they wanted the newer version of jansson. As stated above our business case is that RHEL7's 2.4 is a missing functions that developers relied on when developing on using EPEL'2.6 version of the library and uncertainty as to whether the weak hash functions problem has been addressed fully and difficulty in testing in code whether the version being used is a weak version of a suitably strong one.

Comment 1 Ben Woodard 2016-10-28 17:12:19 UTC
Customer is also willing to accept a SCL version with a new library if the risk is determined to be too high to rebase the disto version.

Comment 2 Ben Woodard 2016-10-28 17:21:44 UTC
Another missing feature that is impacting developers here are the json_pack/unpack functions which support of printf-like "format specifiers". As can be seen from: https://jansson.readthedocs.io/en/2.8/apiref.html#building-values quite a large number of useful ones were added between 2.4 and 2.6

Comment 10 Xin Long 2016-12-12 08:13:55 UTC
Hi, Amit
I built a rpm for rhel7.

can you run all the libteam/teamd test cases against it with beaker job ?
(it maybe just need to "rpm -Uvh" before running the cases.)


Comment 12 Amit Supugade 2016-12-22 16:40:35 UTC
Hi Xin,
I ran team tests with rpm in #comment10, tests look good. Thanks!

Comment 22 Amit Supugade 2017-04-17 14:33:54 UTC
Ran team tests with 'jansson-2.10-1.el7' as requested by Xin, tests look good. Thanks!

Comment 23 Tomas Dolezal 2017-05-29 11:45:28 UTC
verified integration with libnftnl-1.0.6-6.el7.x86_64 and nftables-0.6-4.el7.x86_64
seems to work correctly with jansson-2.10-1.el7.x86_64

command tested with both versions: nft export json
no difference observed for:
# nft list ruleset
table ip ip_table {
	chain filter_chain_input {
		type filter hook prerouting priority 0; policy accept;
		iifname "vet_cs_server" ip length != 100-200 ip protocol icmp drop
		iifname "vet_cs_server" ip length 84-90 ip protocol icmp drop
		iifname "vet_cs_server" ip length 80-90 ip protocol icmp drop

Comment 24 Xin Long 2017-05-31 09:43:44 UTC
Thanks Amit, Tomas.

Set it verified, since Amit and Tomas have done the necessary tests against it.

Comment 25 errata-xmlrpc 2017-08-01 12:41:57 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.