Posted to issues@spark.apache.org by "Dongjoon Hyun (Jira)" <ji...@apache.org> on 2019/11/21 23:52:00 UTC

[jira] [Comment Edited] (SPARK-29226) Upgrade jackson-databind to 2.9.10 and fix vulnerabilities.

    [ https://issues.apache.org/jira/browse/SPARK-29226?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16979706#comment-16979706 ] 

Dongjoon Hyun edited comment on SPARK-29226 at 11/21/19 11:51 PM:
------------------------------------------------------------------

Thank you for reporting, [~larsfrancke]. I'll follow up at your new JIRA. Please link your JIRA to this issue.
BTW, Apache Spark 3.0.0 upgrades Arrow from 0.14 to 0.15. The result might be different in the current `master` branch. Let's see your JIRA.


was (Author: dongjoon):
Thank you for reporting, [~larsfrancke]. I'll follow up at your new JIRA. Please link your JIRA to this issue.
BTW, Apache Spark 3.0.0 upgrades Arrow from 0.14 to 0.15. The result might be different in master. Let's see your JIRA.

> Upgrade jackson-databind to 2.9.10 and fix vulnerabilities.
> -----------------------------------------------------------
>
>                 Key: SPARK-29226
>                 URL: https://issues.apache.org/jira/browse/SPARK-29226
>             Project: Spark
>          Issue Type: Dependency upgrade
>          Components: Build
>    Affects Versions: 3.0.0
>            Reporter: jiaan.geng
>            Assignee: jiaan.geng
>            Priority: Major
>             Fix For: 3.0.0
>
>
> The current code uses com.fasterxml.jackson.core:jackson-databind:jar:2.9.9.3 and it will cause security vulnerabilities. We could get some security info from https://www.tenable.com/cve/CVE-2019-16335
> This reference reminds us to upgrade the version of `jackson-databind` to 2.9.10 or later.


