[SPARK-38665][BUILD] Upgrade jackson due to CVE-2020-36518 #35981
Conversation
|
@pan3793 Hi, I just got a PR from Snyk on my forked repo. They - Snyk will do some additional changes to fix this issue. |
HyukjinKwon
changed the title
| <dependency> | ||
| <groupId>com.fasterxml.jackson.datatype</groupId> | ||
| <artifactId>jackson-datatype-jsr310</artifactId> | ||
| <version>${fasterxml.jackson.version}</version> | ||
| </dependency> |
There was a problem hiding this comment.
Why do we need this dependency?
There was a problem hiding this comment.
It comes from kubernetes-client, declare it in <dependencyManagement> to make the version consistent with other Jackson jars.
Seems your PR comes from a bot, and the "additional changes" are code style stuff, which doesn't help with Jackson upgrades. |
|
@MaxGekk Can we get this fix in 3.3? |
There was a problem hiding this comment.
Can we get this fix in 3.3?
Yes, the fix FasterXML/jackson-databind@fcfc499#diff-d9b87da659a9c42368be10a152cd7d63a35970f21a38e1d054ad4248d04382e0 seems not risky since it introduces a threshold only.
### What changes were proposed in this pull request? Upgrade jackson due to CVE-2020-36518 ### Why are the changes needed? FasterXML/jackson-databind#2816 only jackson-databind has a 2.13.2.1 release other jackson jars should stay at 2.13.2 ### Does this PR introduce _any_ user-facing change? No ### How was this patch tested? Existing tests. Closes #35981 from pan3793/jackson. Authored-by: Cheng Pan <chengpan@apache.org> Signed-off-by: Yuming Wang <yumwang@ebay.com> (cherry picked from commit c952b83) Signed-off-by: Yuming Wang <yumwang@ebay.com>
|
Merged to master and branch-3.3. |
What changes were proposed in this pull request?
Upgrade jackson due to CVE-2020-36518
Why are the changes needed?
FasterXML/jackson-databind#2816
only jackson-databind has a 2.13.2.1 release
other jackson jars should stay at 2.13.2
Does this PR introduce any user-facing change?
No
How was this patch tested?
Existing tests.