SPARK-20433

Update jackson-databind to 2.6.7.1


Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 2.1.0
    • Fix Version/s: 2.3.0
    • Component/s: Spark Core
    • Labels: None

    Description

      There was a security vulnerability recently reported to the upstream jackson-databind project at https://github.com/FasterXML/jackson-databind/issues/1599 which now has a fix released.

      From my reading of that, versions 2.7.9.1, 2.8.8.1, and 2.9.0.pr3 are the first fixed versions in their respective 2.X branches, and versions in the 2.6.X line and earlier remain vulnerable. UPDATE: now the 2.6.X line has a patch as well: 2.6.7.1 as mentioned at https://github.com/FasterXML/jackson-databind/issues/1599#issuecomment-315486340

      Right now Spark master branch is on 2.6.5: https://github.com/apache/spark/blob/master/pom.xml#L164

      and Hadoop branch-2.7 is on 2.2.3: https://github.com/apache/hadoop/blob/branch-2.7/hadoop-project/pom.xml#L71

      and Hadoop branch-3.0.0-alpha2 is on 2.7.8: https://github.com/apache/hadoop/blob/branch-3.0.0-alpha2/hadoop-project/pom.xml#L74

      We should bump Spark from 2.6.5 to 2.6.7.1 to get a patched version of this library for the next Spark release.
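      The description above amounts to a per-branch version table: a build is patched only if its jackson-databind version is at or above the first fixed release of its own 2.X line, and lines older than 2.6 (such as the 2.2.3 pulled in by Hadoop branch-2.7) have no fix at all. The script below is an added example, not code from the issue or from the Spark project: it reads the declared version from a pom and classifies it against exactly the releases the issue lists. It assumes the pom declares the version in a `<jackson.version>` property (the issue only links the pom line, so the property name is an assumption), and the `SAMPLE_POM` fragment is constructed for the example. Version comparison handles the `2.9.0.pr3` pre-release tag so that `2.9.0` counts as fixed while `2.9.0.pr2` does not.

```python
import re
import xml.etree.ElementTree as ET
from typing import Optional, Tuple

# First release carrying the fix in each 2.x line, as listed in the issue.
# (2.6.7.1 comes from the follow-up comment; 2.9.0.pr3 is a pre-release tag.)
FIRST_FIXED = {
    (2, 6): "2.6.7.1",
    (2, 7): "2.7.9.1",
    (2, 8): "2.8.8.1",
    (2, 9): "2.9.0.pr3",
}


def parse_version(version: str) -> Tuple:
    """Split 'a.b.c[.tagN]' into comparable components.

    Numeric components become (1, n); a textual tag such as 'pr3' becomes
    (0, 'pr', 3) so that it sorts below any final-release component.
    """
    parts = []
    for piece in version.strip().split("."):
        if piece.isdigit():
            parts.append((1, int(piece)))
        else:
            m = re.fullmatch(r"([A-Za-z]+)(\d*)", piece)
            if m is None:
                raise ValueError(f"unrecognised version component: {piece!r}")
            parts.append((0, m.group(1).lower(), int(m.group(2) or 0)))
    if len(parts) < 2 or parts[0][0] != 1 or parts[1][0] != 1:
        raise ValueError(f"version needs a numeric major.minor: {version!r}")
    return tuple(parts)


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 for a < b, a == b, a > b.

    Shorter versions are padded with (1, 0), so 2.6.7 < 2.6.7.1 and
    2.9.0 > 2.9.0.pr3 (a pre-release precedes its final release).
    """
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa = pa + ((1, 0),) * (width - len(pa))
    pb = pb + ((1, 0),) * (width - len(pb))
    return (pa > pb) - (pa < pb)


def assess(version: str) -> str:
    """Classify a jackson-databind version against the issue's fixed-version table."""
    parsed = parse_version(version)
    line = (parsed[0][1], parsed[1][1])
    fixed = FIRST_FIXED.get(line)
    if fixed is not None:
        return "patched" if compare_versions(version, fixed) >= 0 else "vulnerable"
    if line < (2, 6):
        # Lines older than 2.6 (e.g. the 2.2.3 in Hadoop branch-2.7) got no fix.
        return "vulnerable"
    # Lines newer than those in the issue are outside what the issue states.
    return "unknown"


def jackson_version_from_pom(pom_xml: str) -> Optional[str]:
    """Read the <jackson.version> property from a Maven pom, ignoring namespaces.

    The property name is an assumption about how the build pins the version.
    """
    root = ET.fromstring(pom_xml)
    for element in root.iter():
        if element.tag.rsplit("}", 1)[-1] == "jackson.version" and element.text:
            return element.text.strip()
    return None


# Constructed pom fragment standing in for the real Spark pom.xml.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <artifactId>spark-parent_2.11</artifactId>
  <properties>
    <jackson.version>2.6.5</jackson.version>
  </properties>
</project>
"""


def audit_pom(pom_xml: str) -> Tuple[Optional[str], str]:
    """Return (declared version, assessment); 'unknown' when nothing is declared."""
    version = jackson_version_from_pom(pom_xml)
    if version is None:
        return None, "unknown"
    return version, assess(version)


if __name__ == "__main__":
    declared, verdict = audit_pom(SAMPLE_POM)
    print(f"pom declares jackson-databind {declared}: {verdict}")
    for v in ("2.2.3", "2.6.5", "2.6.7.1", "2.7.8", "2.7.9.1", "2.9.0.pr3", "2.9.0"):
        print(f"{v:>10}: {assess(v)}")
```

      Running it against the constructed pom reports 2.6.5 as vulnerable, which is the state of master the issue describes; bumping the property to 2.6.7.1 flips the verdict. A real audit would also check the versions actually resolved on the classpath, since a transitive dependency (the Hadoop poms cited above) can pull in an older jackson-databind than the one the project pins.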

      People

        Assignee: srowen Sean R. Owen
        Reporter: aash Andrew Ash
        Votes: 0
        Watchers: 2