Posted to dev@parquet.apache.org by GitBox <gi...@apache.org> on 2022/10/19 10:21:30 UTC

[GitHub] [parquet-mr] avinashkolluru opened a new pull request, #1005: PARQUET-2198 : Updating jackson data bind version to fix CVEs

avinashkolluru opened a new pull request, #1005:
URL: https://github.com/apache/parquet-mr/pull/1005

   Fixes CVE-2022-42003 and CVE-2022-42004
   
   Make sure you have checked _all_ steps below.
   
   ### Jira
   
   - [ ] My PR addresses the following [Parquet Jira](https://issues.apache.org/jira/browse/PARQUET/) issues and references them in the PR title. For example, "PARQUET-1234: My Parquet PR"
     - https://issues.apache.org/jira/browse/PARQUET-XXX
     - In case you are adding a dependency, check if the license complies with the [ASF 3rd Party License Policy](https://www.apache.org/legal/resolved.html#category-x).
   
   ### Tests
   
   - [ ] My PR adds the following unit tests __OR__ does not need testing for this extremely good reason:
   
   ### Commits
   
   - [ ] My commits all reference Jira issues in their subject lines. In addition, my commits follow the guidelines from "[How to write a good git commit message](http://chris.beams.io/posts/git-commit/)":
     1. Subject is separated from body by a blank line
     1. Subject is limited to 50 characters (not including Jira issue reference)
     1. Subject does not end with a period
     1. Subject uses the imperative mood ("add", not "adding")
     1. Body wraps at 72 characters
     1. Body explains "what" and "why", not "how"
   
   ### Documentation
   
   - [ ] In case of new functionality, my PR adds documentation that describes how to use it.
     - All the public functions and the classes in the PR contain Javadoc that explain what it does
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscribe@parquet.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


[GitHub] [parquet-mr] shangxinli commented on pull request #1005: PARQUET-2198 : Updating jackson data bind version to fix CVEs

Posted by GitBox <gi...@apache.org>.
shangxinli commented on PR #1005:
URL: https://github.com/apache/parquet-mr/pull/1005#issuecomment-1305943408

   LGTM




[GitHub] [parquet-mr] shangxinli commented on pull request #1005: PARQUET-2198 : Updating jackson data bind version to fix CVEs

Posted by "shangxinli (via GitHub)" <gi...@apache.org>.
shangxinli commented on PR #1005:
URL: https://github.com/apache/parquet-mr/pull/1005#issuecomment-1463958416

   We will release it soon




[GitHub] [parquet-mr] mdadil-dk commented on pull request #1005: PARQUET-2198 : Updating jackson data bind version to fix CVEs

Posted by "mdadil-dk (via GitHub)" <gi...@apache.org>.
mdadil-dk commented on PR #1005:
URL: https://github.com/apache/parquet-mr/pull/1005#issuecomment-1473738111

   Any new release plan for this? Or is there a SNAPSHOT/RC build to test?




[GitHub] [parquet-mr] shangxinli commented on pull request #1005: PARQUET-2198 : Updating jackson data bind version to fix CVEs

Posted by "shangxinli (via GitHub)" <gi...@apache.org>.
shangxinli commented on PR #1005:
URL: https://github.com/apache/parquet-mr/pull/1005#issuecomment-1446766714

   Yeah, we will release soon




[GitHub] [parquet-mr] vimal3271 commented on pull request #1005: PARQUET-2198 : Updating jackson data bind version to fix CVEs

Posted by "vimal3271 (via GitHub)" <gi...@apache.org>.
vimal3271 commented on PR #1005:
URL: https://github.com/apache/parquet-mr/pull/1005#issuecomment-1463436696

   Could you help in releasing the new version which fixes the CVEs?




[GitHub] [parquet-mr] satish-mittal commented on pull request #1005: PARQUET-2198 : Updating jackson data bind version to fix CVEs

Posted by "satish-mittal (via GitHub)" <gi...@apache.org>.
satish-mittal commented on PR #1005:
URL: https://github.com/apache/parquet-mr/pull/1005#issuecomment-1446359333

   @shangxinli can we release a new version that fixes these two vulnerabilities?




[GitHub] [parquet-mr] mr1716 commented on pull request #1005: PARQUET-2198 : Updating jackson data bind version to fix CVEs

Posted by GitBox <gi...@apache.org>.
mr1716 commented on PR #1005:
URL: https://github.com/apache/parquet-mr/pull/1005#issuecomment-1335416513

   Hey, what's the timetable for merging this @shangxinli @frant-hartm?




[GitHub] [parquet-mr] steveloughran commented on pull request #1005: PARQUET-2198 : Updating jackson data bind version to fix CVEs

Posted by "steveloughran (via GitHub)" <gi...@apache.org>.
steveloughran commented on PR #1005:
URL: https://github.com/apache/parquet-mr/pull/1005#issuecomment-1451725294

   There have been some issues with transient dependencies from Jackson releases in Hadoop, hence "HADOOP-18332. Remove rs-api dependency by downgrading jackson to 2.12.7." Jersey 1.0 coexistence.




[GitHub] [parquet-mr] nikhilenr commented on pull request #1005: PARQUET-2198 : Updating jackson data bind version to fix CVEs

Posted by "nikhilenr (via GitHub)" <gi...@apache.org>.
nikhilenr commented on PR #1005:
URL: https://github.com/apache/parquet-mr/pull/1005#issuecomment-1451500758

   @shangxinli: Jackson has released a newer version, 2.14.2.
   https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-databind/2.14.2
   
   Please try to fix this as early as possible with the latest Jackson version.
   
   Thanks.




[GitHub] [parquet-mr] tooptoop4 commented on pull request #1005: PARQUET-2198 : Updating jackson data bind version to fix CVEs

Posted by GitBox <gi...@apache.org>.
tooptoop4 commented on PR #1005:
URL: https://github.com/apache/parquet-mr/pull/1005#issuecomment-1290027850

   🥇 




[GitHub] [parquet-mr] nikhilenr commented on pull request #1005: PARQUET-2198 : Updating jackson data bind version to fix CVEs

Posted by "nikhilenr (via GitHub)" <gi...@apache.org>.
nikhilenr commented on PR #1005:
URL: https://github.com/apache/parquet-mr/pull/1005#issuecomment-1504802025

   Hi All,
   
   A new parquet-jackson version is released and the reported CVEs are resolved with v1.13.0.
   https://mvnrepository.com/artifact/org.apache.parquet/parquet-jackson/1.13.0
   
   Thanks @shangxinli for fixing.
   




[GitHub] [parquet-mr] shangxinli merged pull request #1005: PARQUET-2198 : Updating jackson data bind version to fix CVEs

Posted by GitBox <gi...@apache.org>.
shangxinli merged PR #1005:
URL: https://github.com/apache/parquet-mr/pull/1005




[GitHub] [parquet-mr] frant-hartm commented on a diff in pull request #1005: PARQUET-2198 : Updating jackson data bind version to fix CVEs

Posted by GitBox <gi...@apache.org>.
frant-hartm commented on code in PR #1005:
URL: https://github.com/apache/parquet-mr/pull/1005#discussion_r1005339305


##########
pom.xml:
##########
@@ -74,7 +74,7 @@
     <jackson.datatype.groupId>com.fasterxml.jackson.datatype</jackson.datatype.groupId>
     <jackson.package>com.fasterxml.jackson</jackson.package>
     <jackson.version>2.13.2</jackson.version>
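Review bot: `<jackson.version>` is still pinned at 2.13.2 in this property block while the PR title bumps jackson-databind to fix CVE-2022-42003 and CVE-2022-42004; as shown here the hunk carries only its three unchanged context lines, so the changed line itself is not visible. Raise `<jackson.version>` to the same release as jackson-databind (the inline suggestion gives 2.13.4) so that jackson-core and jackson-annotations resolve to a matching version instead of a mixed 2.13.2/2.13.4 set, and confirm with `mvn dependency:tree` that no older jackson-databind still arrives transitively before calling the CVEs fixed.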

Review Comment:
   The jackson version should be updated as well so the versions match.
   ```suggestion
       <jackson.version>2.13.4</jackson.version>
   ```



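Added example, not code from the PR or from parquet-mr: a small Python check for the mismatch the review comment above points at, namely a `jackson.version` property left at one release while another Jackson artifact in the same pom is pinned to a different one. The pom fragment, the `jackson-databind.version` property name and the 2.13.2 / 2.13.4 pairing are constructed for the example; the real pom.xml may differ.

```python
"""Flag Jackson artifacts in a Maven pom that do not all resolve to one version."""
import re
import xml.etree.ElementTree as ET

POM_NS = "http://maven.apache.org/POM/4.0.0"
NS = {"m": POM_NS}
PROP_REF = re.compile(r"\$\{([^}]+)\}")

# Constructed pom fragment modelled on the reviewed hunk: jackson.version is still
# 2.13.2 while jackson-databind has been bumped on its own (hypothetical property name).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties>
    <jackson.groupId>com.fasterxml.jackson.core</jackson.groupId>
    <jackson.datatype.groupId>com.fasterxml.jackson.datatype</jackson.datatype.groupId>
    <jackson.package>com.fasterxml.jackson</jackson.package>
    <jackson.version>2.13.2</jackson.version>
    <jackson-databind.version>2.13.4</jackson-databind.version>
  </properties>
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>${jackson.groupId}</groupId>
        <artifactId>jackson-core</artifactId>
        <version>${jackson.version}</version>
      </dependency>
      <dependency>
        <groupId>${jackson.groupId}</groupId>
        <artifactId>jackson-databind</artifactId>
        <version>${jackson-databind.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>
</project>
"""


def load_properties(root):
    """Return the <properties> block as a plain dict (namespace stripped from tags)."""
    props = {}
    for child in root.findall("m:properties/*", NS):
        tag = child.tag.split("}", 1)[1]
        props[tag] = (child.text or "").strip()
    return props


def resolve(value, props, max_rounds=10):
    """Expand ${prop} references; unknown names are left verbatim so they stay visible."""
    for _ in range(max_rounds):
        expanded = PROP_REF.sub(lambda m: props.get(m.group(1), m.group(0)), value)
        if expanded == value:
            break
        value = expanded
    return value


def jackson_versions(pom_xml):
    """Map each com.fasterxml.jackson.* artifact to its resolved version string."""
    root = ET.fromstring(pom_xml)
    props = load_properties(root)
    found = {}
    for dep in root.iter("{%s}dependency" % POM_NS):
        group = resolve(dep.findtext("m:groupId", "", NS), props)
        artifact = dep.findtext("m:artifactId", "", NS)
        version = resolve(dep.findtext("m:version", "", NS), props)
        if group.startswith("com.fasterxml.jackson"):
            found[artifact] = version
    return found


def mismatched_jackson(pom_xml):
    """Return the (artifact, version) pairs when Jackson versions disagree, else []."""
    versions = jackson_versions(pom_xml)
    if len(set(versions.values())) <= 1:
        return []
    return sorted(versions.items())


if __name__ == "__main__":
    for artifact, version in mismatched_jackson(SAMPLE_POM):
        print(f"jackson version mismatch: {artifact} -> {version}")
```

Run against a real pom.xml by reading the file into `mismatched_jackson`; an empty result means every Jackson artifact resolves to the same release, which is the condition the review suggestion restores.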


[GitHub] [parquet-mr] botchniaque commented on pull request #1005: PARQUET-2198 : Updating jackson data bind version to fix CVEs

Posted by "botchniaque (via GitHub)" <gi...@apache.org>.
botchniaque commented on PR #1005:
URL: https://github.com/apache/parquet-mr/pull/1005#issuecomment-1451576518

   I don't have any specifics now, but I guess there were some differences between versions `2.13.x` and `2.14.x` in Scala version compatibility. This may be why `2.13.x` is used. But you're right, there are newer versions available, e.g. https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-databind/2.13.5




[GitHub] [parquet-mr] shangxinli commented on pull request #1005: PARQUET-2198 : Updating jackson data bind version to fix CVEs

Posted by "shangxinli (via GitHub)" <gi...@apache.org>.
shangxinli commented on PR #1005:
URL: https://github.com/apache/parquet-mr/pull/1005#issuecomment-1473894681

   We already started working on the release. Please wait...




[GitHub] [parquet-mr] steveloughran commented on pull request #1005: PARQUET-2198 : Updating jackson data bind version to fix CVEs

Posted by "steveloughran (via GitHub)" <gi...@apache.org>.
steveloughran commented on PR #1005:
URL: https://github.com/apache/parquet-mr/pull/1005#issuecomment-1474889700

   @mdadil-dk there's a source code repository there for you to check out and build your own -SNAPSHOT artifacts. Doing local builds and testing against your own code, even before RCs are up, is the best way to identify integration problems with your apps *and get them fixed*.

