reverting jackson version bump for sql #2978
Conversation
👍
@jerrypeng this doesn't need to be backported to 2.2.1, right?
@merlimat yes
umm.. instead of reverting, can't we make the fix in the presto distribution, because that's what we want ultimately? I think the jackson-databind upgrade is somewhat required due to a vulnerability issue, and multiple orgs including Oath enforce using the fixed version.
if you really don't want to fix it in presto right now, then let's upgrade to 2.8.11.1, which also has the fix.
Agreed with @rdhabalia.
@rdhabalia sounds good, I have changed the jackson databind dependency to 2.8.11.1 to include the fix for the vulnerability. The current presto version we use is tested with jackson 2.8.x.x, so I would rather keep that version for now until presto releases a version using jackson 2.9.x.x
<jackson.version>2.8.11</jackson.version> | ||
<!--fix Security Vulnerabilities--> | ||
<!--https://www.cvedetails.com/vulnerability-list/vendor_id-15866/product_id-42991/Fasterxml-Jackson-databind.html--> | ||
<jackson.databind.version>2.8.11.1</jackson.databind.version> |
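Review bot: the "fix Security Vulnerabilities" comment only points at a vendor-wide vulnerability list; name the specific CVE identifier(s) that the 2.8.11.1 databind release fixes, and state in the same comment why jackson.databind.version is a separate property (per the discussion, only jackson-databind has a 2.8.11.1 patch release), so that a later bump of jackson.version does not silently leave databind behind and nobody is tempted to re-merge the two properties.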
why can't we use jackson.version for all jackson dependencies? I don't think there will be any issue, because 2.8.11.1 has only a data-bind change on top of 2.8.11. So, we might not need two separate versions.
@rdhabalia there is only 2.8.11.1 for databind; there isn't that version for the other jackson dependencies that aren't affected by this vulnerability.
hmm.. I see.
@rdhabalia This is just for presto, the rest of our modules are still with 2.9.x
Motivation
Bumping the Jackson version to 2.9.7 breaks the Presto pulsar connector, since the presto version we are using packages Jackson 2.8.1 via Airlift.
In the latest version of Airlift (version 88), Jackson 2.8.1 is packaged, but presto is yet to release a version with the latest Airlift version. We will have to wait for a presto version that includes that version of Airlift or later.
I also added additional checks to the presto pulsar integration test that cover the functionality that was broken because of this issue.
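The arrangement settled on in this thread (one property for the Jackson family, a separate property for the patched jackson-databind artifact), as an added Maven example that is not code from the Pulsar repository: it pins jackson-databind to 2.8.11.1 while the other Jackson modules stay on 2.8.11, and adds a maven-enforcer bannedDependencies rule so that any build in which an older databind is resolved, directly or transitively through a dependency such as Presto or Airlift, fails instead of quietly shipping the unpatched version. The enforcer plugin version is assumed to be managed by a parent pom.

```xml
<!-- constructed example, not the Pulsar pom -->
<properties>
  <!-- shared by jackson-core, jackson-annotations, the jackson modules, etc. -->
  <jackson.version>2.8.11</jackson.version>
  <!-- jackson-databind is the only artifact with a 2.8.11.1 patch release,
       so it gets its own property instead of reusing jackson.version -->
  <jackson.databind.version>2.8.11.1</jackson.databind.version>
</properties>
<dependencyManagement>
  <dependencies>
    <dependency>
      <groupId>com.fasterxml.jackson.core</groupId>
      <artifactId>jackson-core</artifactId>
      <version>${jackson.version}</version>
    </dependency>
    <dependency>
      <groupId>com.fasterxml.jackson.core</groupId>
      <artifactId>jackson-databind</artifactId>
      <version>${jackson.databind.version}</version>
    </dependency>
  </dependencies>
</dependencyManagement>
<build>
  <plugins>
    <plugin>
      <groupId>org.apache.maven.plugins</groupId>
      <artifactId>maven-enforcer-plugin</artifactId>
      <executions>
        <execution>
          <id>ban-unpatched-jackson-databind</id>
          <goals><goal>enforce</goal></goals>
          <configuration>
            <rules>
              <bannedDependencies>
                <!-- searchTransitive defaults to true, so a databind older than
                     2.8.11.1 pulled in by any dependency also fails the build -->
                <excludes>
                  <exclude>com.fasterxml.jackson.core:jackson-databind:(,2.8.11.1)</exclude>
                </excludes>
              </bannedDependencies>
            </rules>
          </configuration>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
```

Running mvn verify with this in place reports the offending dependency path when an older databind is resolved, which is the check the thread was otherwise doing by hand.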