Posted to dev@avro.apache.org by "Mike Yoder (JIRA)" <ji...@apache.org> on 2018/03/22 16:48:00 UTC

[jira] [Commented] (AVRO-1605) Remove Jackson classes from public API

    [ https://issues.apache.org/jira/browse/AVRO-1605?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16409861#comment-16409861 ] 

Mike Yoder commented on AVRO-1605:
----------------------------------

I wanted to chime in on this issue from a security perspective.  The TL;DR is that the use of jackson 1.x is dangerous.
 * The last version of jackson 1.x was 1.9.13, and that was released 5 years ago. The developers have moved to jackson 2.x and are no longer making patches for jackson 1.x.
 * A number of related security vulnerabilities have surfaced in jackson: CVE-2017-7525, CVE-2017-15095, CVE-2017-17485 and CVE-2018-5968.
 * In the wake of Equifax, many large organizations are taking the stance that "thou shalt not use third party libraries with security vulnerabilities".

You can see where this takes us.

I don't really care what the solution is, but somehow Avro needs to move to jackson 2.x.  It would seem to me to be highly sensible to get jackson out of the Avro public interface now in order for this sort of issue to not happen in the future - but hey I'll take any solution I can get at this point.

> Remove Jackson classes from public API
> --------------------------------------
>
>                 Key: AVRO-1605
>                 URL: https://issues.apache.org/jira/browse/AVRO-1605
>             Project: Avro
>          Issue Type: Sub-task
>          Components: java
>    Affects Versions: 1.7.8
>            Reporter: Tom White
>            Assignee: Gabor Szadovszky
>            Priority: Major
>             Fix For: 1.9.0
>
>
