[dubbo] branch master updated: add visual-studio-code ignore (#6221)

2020-06-01 Thread mercyblitz
This is an automated email from the ASF dual-hosted git repository.

mercyblitz pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/dubbo.git


The following commit(s) were added to refs/heads/master by this push:
 new 83afabe  add visual-studio-code ignore (#6221)
83afabe is described below

commit 83afabeda133a4cac2e4e0a55c8b4d69b2b9f4aa
Author: oaoit 
AuthorDate: Tue Jun 2 11:32:12 2020 +0800

add visual-studio-code ignore (#6221)
---
 .gitignore | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.gitignore b/.gitignore
index 15002c4..47be2ad 100644
--- a/.gitignore
+++ b/.gitignore
@@ -19,6 +19,9 @@ target/
 *.iml
 *.iws
 
+# visual-studio-code ignore
+.vscode/
+
 # temp ignore
 *.log
 *.cache
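
Review bot: the added ".vscode/" entry ignores the whole directory, so shared workspace files (for example a recommended-extensions list) can never be committed later without first changing this rule. If that is intended, the entry is fine as written, and its placement directly after the "*.iml" / "*.iws" entries keeps the editor-specific ignores together.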



[dubbo] branch master updated (0791c7c -> 6a45acb)

2020-06-01 Thread mercyblitz
This is an automated email from the ASF dual-hosted git repository.

mercyblitz pushed a change to branch master
in repository https://gitbox.apache.org/repos/asf/dubbo.git.


from 0791c7c  fix-6231 (#6253)
 add 6a45acb  fix(registry-nacos):fix nacos service name associated with 
group name (#6227)

No new revisions were added by this update.

Summary of changes:
 .../org/apache/dubbo/registry/nacos/util/NacosNamingServiceUtils.java  | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)



[dubbo] branch 2.6.x updated: upgrade fastjson to 1.2.70 (#6255)

2020-06-01 Thread mercyblitz
This is an automated email from the ASF dual-hosted git repository.

mercyblitz pushed a commit to branch 2.6.x
in repository https://gitbox.apache.org/repos/asf/dubbo.git


The following commit(s) were added to refs/heads/2.6.x by this push:
 new 59320a9  upgrade fastjson to 1.2.70 (#6255)
59320a9 is described below

commit 59320a9eeb6511407cf9cd4033f5d0621b60e94f
Author: 祁晓波 
AuthorDate: Mon Jun 1 17:50:20 2020 +0800

upgrade fastjson to 1.2.70 (#6255)


https://help.aliyun.com/noticelist/articleid/1060343604.html?spm=a2c4g.789004748.n2.6.3f576141SGmGhG

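Vulnerability description


fastjson uses a blacklist/whitelist approach to defend against deserialization vulnerabilities. As a result, as attackers keep discovering new deserialization gadget classes, the blacklist/whitelist defense may still be bypassed even when autoType is disabled, leading to a remote command execution vulnerability. Research shows that the bar for exploiting this vulnerability is low, that the autoType restriction can be bypassed, and that the risk impact is significant. The Alibaba Cloud Emergency Response Center reminds fastjson users to take security measures as soon as possible to block attacks on this vulnerability.

Affected versions

fastjson <=1.2.68

fastjson sec versions <= sec9

Safe versions

fastjson >=1.2.69

fastjson sec versions >= sec10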
---
 dependencies-bom/pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dependencies-bom/pom.xml b/dependencies-bom/pom.xml
index 39f45ec..50e78e2 100644
--- a/dependencies-bom/pom.xml
+++ b/dependencies-bom/pom.xml
@@ -94,7 +94,7 @@
 1.1.7
 2.1.4
 4.5.3
-1.2.67
+1.2.70
 3.4.9
 0.2
 2.12.0



[dubbo] branch master updated: fix-6231 (#6253)

2020-06-01 Thread mercyblitz
This is an automated email from the ASF dual-hosted git repository.

mercyblitz pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/dubbo.git


The following commit(s) were added to refs/heads/master by this push:
 new 0791c7c  fix-6231 (#6253)
0791c7c is described below

commit 0791c7c8e1e0c3e2e50f7fa67eadfe795dfee60d
Author: kexianjun 
AuthorDate: Mon Jun 1 17:48:55 2020 +0800

fix-6231 (#6253)
---
 .../spring/beans/factory/annotation/ServiceClassPostProcessor.java| 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git 
a/dubbo-config/dubbo-config-spring/src/main/java/org/apache/dubbo/config/spring/beans/factory/annotation/ServiceClassPostProcessor.java
 
b/dubbo-config/dubbo-config-spring/src/main/java/org/apache/dubbo/config/spring/beans/factory/annotation/ServiceClassPostProcessor.java
index ed73be4..b1c9a30 100644
--- 
a/dubbo-config/dubbo-config-spring/src/main/java/org/apache/dubbo/config/spring/beans/factory/annotation/ServiceClassPostProcessor.java
+++ 
b/dubbo-config/dubbo-config-spring/src/main/java/org/apache/dubbo/config/spring/beans/factory/annotation/ServiceClassPostProcessor.java
@@ -68,7 +68,7 @@ import java.util.Map;
 import java.util.Objects;
 import java.util.Set;
 
-import static 
com.alibaba.spring.util.AnnotatedBeanDefinitionRegistryUtils.registerBeans;
+import static com.alibaba.spring.util.BeanRegistrar.registerInfrastructureBean;
 import static com.alibaba.spring.util.ObjectUtils.of;
 import static java.util.Arrays.asList;
 import static 
org.apache.dubbo.config.spring.beans.factory.annotation.ServiceBeanNameBuilder.create;
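
Review bot: the static import of AnnotatedBeanDefinitionRegistryUtils.registerBeans is removed here, so please check that no other call to registerBeans remains in ServiceClassPostProcessor. The diffstat (2 insertions, 2 deletions) suggests the call in postProcessBeanDefinitionRegistry was the only one, but only two hunks of the file are visible. The subject "fix-6231" also gives no description of the problem; one sentence on what was wrong would make the import swap reviewable without opening the issue.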
@@ -126,7 +126,7 @@ public class ServiceClassPostProcessor implements 
BeanDefinitionRegistryPostProc
 public void postProcessBeanDefinitionRegistry(BeanDefinitionRegistry 
registry) throws BeansException {
 
 // @since 2.7.5
-registerBeans(registry, DubboBootstrapApplicationListener.class);
+registerInfrastructureBean(registry, 
DubboBootstrapApplicationListener.BEAN_NAME, 
DubboBootstrapApplicationListener.class);
 
 Set resolvedPackagesToScan = 
resolvePackagesToScan(packagesToScan);
 
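
Review bot: the new registerInfrastructureBean(registry, DubboBootstrapApplicationListener.BEAN_NAME, DubboBootstrapApplicationListener.class) call has no comment explaining why the listener must now be registered under a fixed bean name; the only annotation nearby is the existing "// @since 2.7.5". Please add a line stating the intent (for instance, if the goal is to avoid registering the listener more than once, say so), and add a test that runs postProcessBeanDefinitionRegistry and asserts a single DubboBootstrapApplicationListener bean under BEAN_NAME. The diffstat shows one file changed, so no test accompanies the fix.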



[dubbo-go] branch develop updated (a06fbdb -> 4af26b9)

2020-06-01 Thread joezou
This is an automated email from the ASF dual-hosted git repository.

joezou pushed a change to branch develop
in repository https://gitbox.apache.org/repos/asf/dubbo-go.git.


from a06fbdb  Merge pull request #576 from 
watermelo/fix_file_name_in_metadata
 new 6f321a2  update the comments in metrics
 new 3cd5fab  revert the import block
 new 4af26b9  Merge pull request #547 from 
williamfeng323/feature/metrics-comment-optimise

The 2103 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 metrics/prometheus/reporter.go | 9 -
 metrics/reporter.go| 2 +-
 2 files changed, 5 insertions(+), 6 deletions(-)



[dubbo] branch master updated: upgrade fastjson to 1.2.70 (#6254)

2020-06-01 Thread wangxin
This is an automated email from the ASF dual-hosted git repository.

wangxin pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/dubbo.git


The following commit(s) were added to refs/heads/master by this push:
 new fbe4d7e  upgrade fastjson to 1.2.70 (#6254)
fbe4d7e is described below

commit fbe4d7e3badf3a9ee7464a5a0e11459699fbbddd
Author: 祁晓波 
AuthorDate: Mon Jun 1 14:10:03 2020 +0800

upgrade fastjson to 1.2.70 (#6254)


https://help.aliyun.com/noticelist/articleid/1060343604.html?spm=a2c4g.789004748.n2.6.3f576141SGmGhG

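Vulnerability description


fastjson uses a blacklist/whitelist approach to defend against deserialization vulnerabilities. As a result, as attackers keep discovering new deserialization gadget classes, the blacklist/whitelist defense may still be bypassed even when autoType is disabled, leading to a remote command execution vulnerability. Research shows that the bar for exploiting this vulnerability is low, that the autoType restriction can be bypassed, and that the risk impact is significant. The Alibaba Cloud Emergency Response Center reminds fastjson users to take security measures as soon as possible to block attacks on this vulnerability.

Affected versions

fastjson <=1.2.68

fastjson sec versions <= sec9

Safe versions

fastjson >=1.2.69

fastjson sec versions >= sec10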
---
 dubbo-dependencies-bom/pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dubbo-dependencies-bom/pom.xml b/dubbo-dependencies-bom/pom.xml
index 8c4215d..eae1bc8 100644
--- a/dubbo-dependencies-bom/pom.xml
+++ b/dubbo-dependencies-bom/pom.xml
@@ -97,7 +97,7 @@
 2.1.4
 4.5.3
 4.4.6
-1.2.68
+1.2.70
 3.4.13
 4.0.1
 2.12.0
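
Review bot: the "-1.2.68" / "+1.2.70" change skips 1.2.69, which the commit message lists as the first safe version, and nothing in the message says why 1.2.70 was chosen. The body is the pasted advisory only, so please add a one-line summary above it stating the reason for the target version and that the 2.6.x branch received the same bump in #6255, so the two BOMs can be audited together.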