Posted to dev@parquet.apache.org by "ASF GitHub Bot (Jira)" <ji...@apache.org> on 2020/10/12 09:48:00 UTC

[jira] [Commented] (PARQUET-1895) Update jackson-databind

    [ https://issues.apache.org/jira/browse/PARQUET-1895?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17212268#comment-17212268 ] 

ASF GitHub Bot commented on PARQUET-1895:
-----------------------------------------

grumpyjames commented on pull request #811:
URL: https://github.com/apache/parquet-mr/pull/811#issuecomment-707011991


   I know this PR probably doesn't meet the standards of this project, but it would be _excellent_ if it were merged anyway. The version of jackson that ends up being shaded by the project has numerous serious security vulnerabilities as detected by the OWASP dependency check tool: https://owasp.org/www-project-dependency-check/
   
   It may be that the usage of jackson by the parquet project is not vulnerable to the 23 (!) different vulnerabilities I've got listed locally, but that's potentially very hard for someone not familiar with the project to audit, and I would hope that the Travis check is sufficient to show that the upgrade is at least compile safe.
   
   Let me know if there's anything I can do to help this get merged!
   
   --James.


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


> Update jackson-databind
> -----------------------
>
>                 Key: PARQUET-1895
>                 URL: https://issues.apache.org/jira/browse/PARQUET-1895
>             Project: Parquet
>          Issue Type: Task
>          Components: parquet-mr
>    Affects Versions: 1.11.0
>            Reporter: Patrick OFriel
>            Assignee: Gabor Szadovszky
>            Priority: Major
>             Fix For: 1.12.0
>
>
> jackson-databind 2.9.10.4 has the following CVEs:
> [https://nvd.nist.gov/vuln/detail/CVE-2020-14060]
> [https://nvd.nist.gov/vuln/detail/CVE-2020-14061]
> [https://nvd.nist.gov/vuln/detail/CVE-2020-14062]
> [https://nvd.nist.gov/vuln/detail/CVE-2020-14195]
> They should be resolved if we update to 2.9.10.5.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
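The version check the issue description calls for, as an added example written for this page and not code from the Parquet project, the pull request or the thread: a Python script that parses a Maven pom.xml, resolves a version declared through a `${property}` (the usual way a project that shades Jackson pins it), and reports any declaration of `com.fasterxml.jackson.core:jackson-databind` older than 2.9.10.5, the fixed release the issue names. The pom.xml embedded below is constructed for the example and is not parquet-mr's real pom; the helper names are the example's own.

```python
import re
import xml.etree.ElementTree as ET

# Minimum jackson-databind release that PARQUET-1895 says resolves the four
# listed CVEs (CVE-2020-14060, -14061, -14062, -14195).
FIXED_JACKSON_DATABIND = "2.9.10.5"

# Constructed sample pom.xml for this example (not the real parquet-mr pom).
# The version is indirected through <properties>, so a naive grep for the
# <version> element would only see "${jackson.version}".
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>example</groupId>
  <artifactId>shaded-app</artifactId>
  <version>1.0</version>
  <properties>
    <jackson.version>2.9.10.4</jackson.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>com.fasterxml.jackson.core</groupId>
      <artifactId>jackson-databind</artifactId>
      <version>${jackson.version}</version>
    </dependency>
    <dependency>
      <groupId>com.fasterxml.jackson.core</groupId>
      <artifactId>jackson-core</artifactId>
      <version>${jackson.version}</version>
    </dependency>
  </dependencies>
</project>
"""


def parse_version(version):
    """Turn '2.9.10.4' into (2, 9, 10, 4) so that 2.10.0 compares above 2.9.10.5.

    A plain string comparison would rank "2.10.0" below "2.9.10.5"."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def _qualify(root):
    """Return a function that prefixes a tag with the pom's XML namespace, if any."""
    ns = root.tag[1:].split("}")[0] if root.tag.startswith("{") else ""
    return (lambda tag: f"{{{ns}}}{tag}") if ns else (lambda tag: tag)


def _child_text(elem, tag, q):
    child = elem.find(q(tag))
    return child.text.strip() if child is not None and child.text else None


def _resolve(value, props):
    """Expand ${name} references against <properties>; unknown names stay as-is."""
    if value is None:
        return None
    return re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), value)


def declared_versions(pom_xml, group_id, artifact_id):
    """All resolved <version> values the pom declares for group_id:artifact_id."""
    root = ET.fromstring(pom_xml)
    q = _qualify(root)
    props = {}
    props_elem = root.find(q("properties"))
    if props_elem is not None:
        for prop in props_elem:
            props[prop.tag.split("}")[-1]] = (prop.text or "").strip()
    versions = []
    for dep in root.iter(q("dependency")):
        if (_child_text(dep, "groupId", q) == group_id
                and _child_text(dep, "artifactId", q) == artifact_id):
            versions.append(_resolve(_child_text(dep, "version", q), props))
    return versions


def vulnerable_versions(pom_xml, fixed=FIXED_JACKSON_DATABIND):
    """jackson-databind versions declared in the pom that are older than `fixed`."""
    return [
        v for v in declared_versions(pom_xml, "com.fasterxml.jackson.core", "jackson-databind")
        if v is not None and parse_version(v) < parse_version(fixed)
    ]


if __name__ == "__main__":
    print("jackson-databind below %s: %s"
          % (FIXED_JACKSON_DATABIND, vulnerable_versions(SAMPLE_POM) or "none"))
```

This only inspects what the pom declares directly. A version that arrives transitively, or the one that actually lands in a shaded jar, needs `mvn dependency:tree` or a scan of the built artifact, which is what a tool such as the OWASP dependency-check mentioned in the comment does; note that such scanners match on version strings alone and will list every CVE for the version regardless of whether the project's own use of Jackson reaches the affected code.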