Details
- Type: Improvement
- Status: Open
- Priority: Major
- Resolution: Unresolved
Description
Looking at git history, there were 5 commits related to updating Jackson versions due to various CVEs since 2018, and it seems to be getting worse more recently.
Filing this JIRA to discuss the possibility of removing the Jackson dependency once and for all. I see that Jackson is deeply integrated into the Hadoop codebase, so this is not a trivial task. However, if Hadoop is forced to make a new set of releases because of Jackson vulnerabilities, it may start to look not so costly.
At the very least, consider stripping the jackson-databind code, since that's where the majority of CVEs come from.
Issue Links
- is related to
  - HADOOP-16487 Update jackson-databind to 2.9.9.2 (Resolved)
  - HADOOP-16198 Upgrade Jackson-databind version to 2.9.8 (Resolved)
  - HADOOP-16451 Update jackson-databind to 2.9.9.1 (Resolved)
  - HADOOP-15482 Upgrade jackson-databind to version 2.9.5 (Resolved)
  - HADOOP-16365 Upgrade jackson-databind to 2.9.9 (Resolved)
- relates to
  - HADOOP-16891 Upgrade jackson-databind to 2.9.10.3 (Resolved)
  - HADOOP-16533 Update jackson-databind to 2.9.9.3 (Resolved)
  - HADOOP-16883 update jackon-databind version (Resolved)
Sub-Tasks
1. Remove JsonSerialization from hadoop-common (Open, Unassigned)
2. Update jackson-databind to 2.10.3 to relieve us from the endless CVE patches (Resolved, Wei-Chiu Chuang)