FLINK-21544

Upgrade Jackson databind version from 2.10.1 used in, at least, Flink Python jar


Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Duplicate

    Description

      Hi everyone, in a similar manner to https://issues.apache.org/jira/browse/HADOOP-17555 I have done a Twistlock container scan and am looking at any dependencies we can upgrade to remediate any security issues that may be present.

       

      One such contender is this: 

      "version": "2.10.1",
      "name": "com.fasterxml.jackson.core_jackson-databind",
      "path": "/opt/flink/opt/flink-python_2.11-1.11.3.jar"

       

      and so I'm wondering if we can upgrade this version to, say, 2.10.5.1, 2.12.1, or 2.11.4? Major bug because - surely CVEs in 2.10.1; it is quite old now as well (see https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-core/2.10.1)

       

            People

              Assignee: Unassigned
              Reporter: Adam Roberts (aroberts)