Uploaded image for project: 'Hadoop Common'
  1. Hadoop Common
  2. HADOOP-15299

Bump Hadoop's Jackson 2 dependency 2.9.x

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Resolved
    • Major
    • Resolution: Fixed
    • 3.1.0, 3.2.0
    • 3.2.0
    • None
    • None

    Description

      There are a few new CVEs open against Jackson 2.7.x. It doesn't (necessarily) mean Hadoop is vulnerable to the attack - I don't know that it is, but fixes were released for Jackson 2.8.x and 2.9.x but not 2.7.x (which we're on). We shouldn't be on an unmaintained line, regardless. HBase is already on 2.9.x, we have a shaded client now, the API changes are relatively minor and so far in my testing I haven't seen any problems. I think many of our usual reasons to hesitate upgrading this dependency don't apply.

      Attachments

        1. HADOOP-15299.001.patch
          9 kB
          Sean Mackrory

        Issue Links

          causes

          Bug - A problem which impairs or prevents the functions of the product. HADOOP-15389 Hadoop contains both Jackson 2.9.4 and 2.7.8 jars

          • Blocker - Blocks development and/or testing work, production could not run
          • Resolved
          is depended upon by

          Improvement - An improvement or enhancement to an existing feature or task. HADOOP-9991 Fix up Hadoop POMs, roll up JARs to latest versions

          • Major - Major loss of function.
          • Open

          Activity

            People

              mackrorysd Sean Mackrory
              mackrorysd Sean Mackrory
              Votes:
              0 Vote for this issue
              Watchers:
              7 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: