You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@flink.apache.org by "Adam Roberts (Jira)" <ji...@apache.org> on 2021/03/01 13:45:00 UTC

[jira] [Created] (FLINK-21544) Upgrade Jackson databind version from 2.10.1 used in, at least, Flink Python jar

Adam Roberts created FLINK-21544:
------------------------------------

             Summary: Upgrade Jackson databind version from 2.10.1 used in, at least, Flink Python jar
                 Key: FLINK-21544
                 URL: https://issues.apache.org/jira/browse/FLINK-21544
             Project: Flink
          Issue Type: Bug
            Reporter: Adam Roberts


Hi everyone, in a similar manner to https://issues.apache.org/jira/browse/HADOOP-17555 I have done a Twistlock container scan and am looking at any dependencies we can upgrade to remediate any security issues that may be present.

 

One such contender is this: 

{{    \{
                "version": "2.10.1",
                "name": "com.fasterxml.jackson.core_jackson-databind",
                "path": "/opt/flink/opt/flink-python_2.11-1.11.3.jar"},}}

{{}}

and so I'm wondering if we can upgrade this version to, say, 2.10.5.1, 2.12.1, or 2.11.4? Major bug because - surely CVEs in 2.10.1; it is quite old now as well (see [https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-core/2.10.1)]

{{}}



--
This message was sent by Atlassian Jira
(v8.3.4#803005)