[HADOOP-18587] upgrade to jettison 1.5.3 to fix CVE-2022-40150 - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Task
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 3.4.0, 3.3.5
Fix Version/s: 3.4.0, 3.3.5
Component/s: common
Labels:
- pull-request-available

Target Version/s:

3.4.0, 3.3.5
Hadoop Flags:

Reviewed

Description

https://github.com/advisories/GHSA-x27m-9w8j-5vcw

https://github.com/jettison-json/jettison/releases

v1.5.2 is flagged as fixing a CVE but a v1.5.3 was quickly released and appears ti fix some regressions caused by v1.5.2.
Many hadoop tests fail when jettison 1.5.2 is used.

Attachments

Issue Links

is related to

HADOOP-18676 Include jettison as direct dependency of hadoop-common

Resolved

relates to

HADOOP-18468 upgrade jettison json jar due to fix CVE-2022-40149

Resolved

HADOOP-18689 Bump jettison from 1.5.3 to 1.5.4 in /hadoop-project

Resolved

links to

GitHub Pull Request #5270

GitHub Pull Request #5507

Activity

People

Assignee:: PJ Fanning

Reporter:: PJ Fanning

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Dates

Created:: 03/Jan/23 22:50

Updated:: 27/Jan/24 08:51

Resolved:: 06/Jan/23 23:44