Posted to dev@parquet.apache.org by "ASF GitHub Bot (Jira)" <ji...@apache.org> on 2020/04/16 17:14:00 UTC

[jira] [Commented] (PARQUET-1842) Update Jackson Databind version to address CVE

    [ https://issues.apache.org/jira/browse/PARQUET-1842?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17085107#comment-17085107 ] 

ASF GitHub Bot commented on PARQUET-1842:
-----------------------------------------

patrickofriel-wk commented on pull request #785: PARQUET-1842: Update jackson-databind version
URL: https://github.com/apache/parquet-mr/pull/785
 
 
   Make sure you have checked _all_ steps below.
   
   ### Jira
   
   - [ ] My PR addresses the following [Parquet-1842](https://issues.apache.org/jira/browse/PARQUET-1842)
     - https://issues.apache.org/jira/browse/PARQUET-1842.
   
   ### Tests
   
   - [ ] My PR adds the following unit tests __OR__ does not need testing for this extremely good reason: patch update to jackson-databind, should be covered by existing tests
   
   ### Commits
   
   - [ ] My commits all reference Jira issues in their subject lines. In addition, my commits follow the guidelines from "[How to write a good git commit message](http://chris.beams.io/posts/git-commit/)":
     1. Subject is separated from body by a blank line
     1. Subject is limited to 50 characters (not including Jira issue reference)
     1. Subject does not end with a period
     1. Subject uses the imperative mood ("add", not "adding")
     1. Body wraps at 72 characters
     1. Body explains "what" and "why", not "how"
   
   ### Documentation
   
   - [ ] In case of new functionality, my PR adds documentation that describes how to use it.
     - No new functionality
   
 


> Update Jackson Databind version to address CVE
> ----------------------------------------------
>
>                 Key: PARQUET-1842
>                 URL: https://issues.apache.org/jira/browse/PARQUET-1842
>             Project: Parquet
>          Issue Type: Task
>          Components: parquet-mr
>    Affects Versions: 1.11.0
>         Environment: Any
>            Reporter: Patrick OFriel
>            Priority: Major
>              Labels: pull-request-available
>             Fix For: 1.11.1
>
>
> The current version of jackson-databind in parquet-mr has several CVEs associated with it: [https://nvd.nist.gov/vuln/detail/CVE-2020-10673], [https://nvd.nist.gov/vuln/detail/CVE-2020-10672], [https://nvd.nist.gov/vuln/detail/CVE-2020-10969], [https://nvd.nist.gov/vuln/detail/CVE-2020-11111], [https://nvd.nist.gov/vuln/detail/CVE-2020-11113] (and a few more). We should update to jackson-databind 2.9.10.4.


