SPARK-20433: Update jackson-databind to 2.6.7.1


    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 2.1.0
    • Fix Version/s: 2.3.0
    • Component/s: Spark Core
    • Labels: None

      Description

      There was a security vulnerability recently reported to the upstream jackson-databind project at https://github.com/FasterXML/jackson-databind/issues/1599 which now has a fix released.

      From my reading of that, versions 2.7.9.1, 2.8.8.1, and 2.9.0.pr3 are the first fixed versions in their respective 2.X branches, and versions in the 2.6.X line and earlier remain vulnerable. UPDATE: now the 2.6.X line has a patch as well: 2.6.7.1 as mentioned at https://github.com/FasterXML/jackson-databind/issues/1599#issuecomment-315486340

      Right now Spark master branch is on 2.6.5: https://github.com/apache/spark/blob/master/pom.xml#L164

      and Hadoop branch-2.7 is on 2.2.3: https://github.com/apache/hadoop/blob/branch-2.7/hadoop-project/pom.xml#L71

      and Hadoop branch-3.0.0-alpha2 is on 2.7.8: https://github.com/apache/hadoop/blob/branch-3.0.0-alpha2/hadoop-project/pom.xml#L74

      We should bump Spark from 2.6.5 to 2.6.7.1 to get a patched version of this library for the next Spark release.
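As an added illustration (not part of this issue or of Spark's own build tooling), here is a small Python check that applies the version rule stated in the description to `mvn dependency:tree` output, flagging any jackson-databind version that predates the first fixed release of its branch. The sample tree is constructed, and treating 2.x branches newer than 2.9 as fixed is an assumption.

```python
import re

# First fixed jackson-databind release on each 2.x branch, as listed in the issue.
FIRST_FIXED = {(2, 6): "2.6.7.1", (2, 7): "2.7.9.1", (2, 8): "2.8.8.1", (2, 9): "2.9.0.pr3"}

def version_key(version, width=4):
    """Turn '2.9.0.pr3' into a tuple that compares correctly: numeric parts
    compare as ints, a pre-release tag ('pr3', 'rc1') sorts below the final
    release, and short versions are padded so that 2.6.7 < 2.6.7.1."""
    parts = []
    for tok in version.split("."):
        pre = re.fullmatch(r"(pr|rc)(\d+)", tok.lower())
        if tok.isdigit():
            parts.append((1, int(tok)))           # final-release component
        elif pre:
            parts.append((0, int(pre.group(2))))  # pre-release component
        else:
            raise ValueError(f"unrecognised version token {tok!r} in {version}")
    return tuple(parts) + ((1, 0),) * (width - len(parts))

def is_vulnerable(version):
    """True if `version` predates the first fixed release of its branch.
    Branches before 2.6 had no patch per the issue; branches newer than 2.9
    are assumed fixed (an assumption, not something the issue states)."""
    key = version_key(version)
    branch = (key[0][1], key[1][1])
    if branch not in FIRST_FIXED:
        return branch < (2, 6)
    return key < version_key(FIRST_FIXED[branch])

# Matches jackson-databind coordinates in `mvn dependency:tree` output.
DEP_RE = re.compile(r"com\.fasterxml\.jackson\.core:jackson-databind:jar:([\w.]+)")

def audit_dependency_tree(tree_text):
    """Return [(version, vulnerable)] for every jackson-databind line in the tree."""
    return [(m.group(1), is_vulnerable(m.group(1))) for m in DEP_RE.finditer(tree_text)]

# Constructed sample of `mvn dependency:tree` output (not real Spark output).
SAMPLE_TREE = """\
[INFO] org.apache.spark:spark-core_2.11:jar:2.3.0-SNAPSHOT
[INFO] +- com.fasterxml.jackson.core:jackson-databind:jar:2.6.5:compile
[INFO] \\- org.apache.hadoop:hadoop-client:jar:2.7.3:compile
[INFO]    \\- com.fasterxml.jackson.core:jackson-databind:jar:2.2.3:compile
"""

if __name__ == "__main__":
    for version, vulnerable in audit_dependency_tree(SAMPLE_TREE):
        print(f"jackson-databind {version}: {'VULNERABLE' if vulnerable else 'ok'}")
```

Transitive copies pulled in by Hadoop show up in the same tree, so the check covers both the direct pin in Spark's pom.xml and the versions inherited from its dependencies.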

            People

            • Assignee: Sean R. Owen (srowen)
            • Reporter: Andrew Ash (aash)