Posted to github@arrow.apache.org by GitBox <gi...@apache.org> on 2022/04/13 22:57:59 UTC

[GitHub] [arrow] davisusanibar opened a new pull request, #12880: ARROW-16143: [Java] Upgrade jackson dependencies CVE-2020-36518

davisusanibar opened a new pull request, #12880:
URL: https://github.com/apache/arrow/pull/12880

   [CVE-2020-36518](https://github.com/advisories/GHSA-57j2-w4cx-62h2): Deeply nested JSON in jackson-databind.
   
   Solved based on [Jackson release 2.13](https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.13):
   ````
   jackson-databind 2.13.2.2 (28-Mar-2022) -- with jackson-bom version 2.13.2.20220328
   ````
   
   Before the change: `mvn compile dependency:tree -Drat.skip=true | grep databind`:
   ````
   [INFO] +- com.fasterxml.jackson.core:jackson-databind:jar:2.11.4:compile
   [INFO] |  +- com.fasterxml.jackson.core:jackson-databind:jar:2.11.4:compile
   [INFO] +- com.fasterxml.jackson.core:jackson-databind:jar:2.11.4:compile
   [INFO] +- com.fasterxml.jackson.core:jackson-databind:jar:2.11.4:test
   [INFO] +- com.fasterxml.jackson.core:jackson-databind:jar:2.11.4:compile
   [INFO] |  +- com.fasterxml.jackson.core:jackson-databind:jar:2.11.4:compile
   [INFO] |  +- com.fasterxml.jackson.core:jackson-databind:jar:2.11.4:compile
   [INFO] |  +- com.fasterxml.jackson.core:jackson-databind:jar:2.11.4:compile
   [INFO] |  +- com.fasterxml.jackson.core:jackson-databind:jar:2.11.4:compile
   [INFO] |  +- com.fasterxml.jackson.core:jackson-databind:jar:2.11.4:compile
   [INFO] |  +- com.fasterxml.jackson.core:jackson-databind:jar:2.11.4:compile
   ````
   
   After the change:
   ````
   [INFO] +- com.fasterxml.jackson.core:jackson-databind:jar:2.13.2.2:compile
   [INFO] |  +- com.fasterxml.jackson.core:jackson-databind:jar:2.13.2.2:compile
   [INFO] +- com.fasterxml.jackson.core:jackson-databind:jar:2.13.2.2:compile
   [INFO] +- com.fasterxml.jackson.core:jackson-databind:jar:2.11.4:test
   [INFO] +- com.fasterxml.jackson.core:jackson-databind:jar:2.13.2.2:compile
   [INFO] |  +- com.fasterxml.jackson.core:jackson-databind:jar:2.13.2.2:compile
   [INFO] |  +- com.fasterxml.jackson.core:jackson-databind:jar:2.13.2.2:compile
   [INFO] |  +- com.fasterxml.jackson.core:jackson-databind:jar:2.13.2.2:compile
   [INFO] |  +- com.fasterxml.jackson.core:jackson-databind:jar:2.13.2.2:compile
   [INFO] |  +- com.fasterxml.jackson.core:jackson-databind:jar:2.13.2.2:compile
   [INFO] |  +- com.fasterxml.jackson.core:jackson-databind:jar:2.13.2.2:compile
   ````


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: github-unsubscribe@arrow.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org
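The before/after `dependency:tree` output above is the evidence that the upgrade took; the following added example (not part of the Arrow PR or the Arrow build) turns that manual `grep` into a repeatable check. It reads `mvn dependency:tree` output on stdin, compares every `jackson-databind` node against the 2.13.2.2 floor named in the PR, and fails on any compile/runtime-scope artifact below it, while only warning about test scope (the PR's own "after" tree still shows a 2.11.4 test-scope entry). The sample trees are constructed from the PR's output plus one line showing that a plain 2.13.2 bump would still be flagged.

```shell
#!/bin/sh
# Added example, not Arrow project code: flag jackson-databind versions below
# the 2.13.2.2 release that the PR identifies as carrying the CVE-2020-36518 fix.
FIXED_DATABIND="2.13.2.2"

# check_databind_tree: read `mvn dependency:tree` lines on stdin.
# Prints one line per affected artifact plus a summary; exit 1 if any
# non-test-scope jackson-databind is below the floor, else 0.
check_databind_tree() {
  awk -v floor="$FIXED_DATABIND" '
    function vercmp(a, b,   x, y, i, n) {
      # Dotted numeric compare, field by field; missing fields count as 0,
      # so 2.13.2 sorts below 2.13.2.2 (the point of the PR discussion).
      n = split(a, x, "[.]"); split(b, y, "[.]")
      if (n < 4) n = 4
      for (i = 1; i <= n; i++) {
        if ((x[i] + 0) < (y[i] + 0)) return -1
        if ((x[i] + 0) > (y[i] + 0)) return 1
      }
      return 0
    }
    {
      # Maven prints nodes as groupId:artifactId:type:version:scope.
      if (match($0, /com\.fasterxml\.jackson\.core:jackson-databind:jar:[^: ]+:[a-z]+/)) {
        node = substr($0, RSTART, RLENGTH)
        split(node, f, ":")
        ver = f[4]; scope = f[5]
        if (vercmp(ver, floor) < 0) {
          if (scope == "test") { test_only++; print "WARN (test scope) " ver ": " $0 }
          else                 { bad++;       print "VULN " ver " (" scope "): " $0 }
        } else { ok++ }
      }
    }
    END {
      printf "ok=%d vulnerable=%d test-only=%d\n", ok, bad, test_only
      status = (bad > 0) ? 1 : 0
      exit status
    }'
}

# Constructed samples (labelled as such): taken from the PR trees, with one
# extra 2.13.2 compile line modelling a bump of dep.jackson.version alone.
SAMPLE_BEFORE='[INFO] +- com.fasterxml.jackson.core:jackson-databind:jar:2.11.4:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-databind:jar:2.13.2:compile
[INFO] +- com.fasterxml.jackson.core:jackson-databind:jar:2.11.4:test'
SAMPLE_AFTER='[INFO] +- com.fasterxml.jackson.core:jackson-databind:jar:2.13.2.2:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-databind:jar:2.13.2.2:compile
[INFO] +- com.fasterxml.jackson.core:jackson-databind:jar:2.11.4:test
[INFO] +- com.fasterxml.jackson.core:jackson-core:jar:2.13.2:compile'

# Stand-alone demo on the "after" tree; in a real build pipe in
# `mvn dependency:tree` instead of the sample.
printf '%s\n' "$SAMPLE_AFTER" | check_databind_tree
```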


[GitHub] [arrow] davisusanibar commented on a diff in pull request #12880: ARROW-16143: [Java] Upgrade jackson dependencies CVE-2020-36518

Posted by GitBox <gi...@apache.org>.
davisusanibar commented on code in PR #12880:
URL: https://github.com/apache/arrow/pull/12880#discussion_r850010424


##########
java/pom.xml:
##########
@@ -35,6 +35,7 @@
     <dep.guava.version>30.1.1-jre</dep.guava.version>
     <dep.netty.version>4.1.72.Final</dep.netty.version>
     <dep.jackson.version>2.11.4</dep.jackson.version>
+    <dep.jackson-bom.version>2.13.2.20220328</dep.jackson-bom.version>
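Review bot: the new `dep.jackson-bom.version` property is added beside `dep.jackson.version`, which this hunk leaves at 2.11.4, so the pom now has two Jackson version sources that can drift and nothing tells a reader which artifacts each one governs. Suggest bumping `dep.jackson.version` to 2.13.2 in the same hunk and putting an XML comment above the BOM property stating that the BOM is what pins jackson-databind to the 2.13.2.2 security release while jackson-core, jackson-annotations and the other modules follow `dep.jackson.version`.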

Review Comment:
   In summary we need two variables:
   - For jackson-databind: CVE fix `2.13.2.2` (we have two options: modify all pom.xml and set this version, OR delegate this to jackson-bom)
   - For jackson-core, jackson-annotation, jackson-dataformat-yaml, jackson-datatype-jsr310: `2.13.2`





[GitHub] [arrow] lidavidm commented on pull request #12880: ARROW-16143: [Java] Upgrade jackson dependencies CVE-2020-36518

Posted by GitBox <gi...@apache.org>.
lidavidm commented on PR #12880:
URL: https://github.com/apache/arrow/pull/12880#issuecomment-1099101559

   @github-actions crossbow submit java-jars verify-rc-source-java-*




[GitHub] [arrow] lidavidm commented on a diff in pull request #12880: ARROW-16143: [Java] Upgrade jackson dependencies CVE-2020-36518

Posted by GitBox <gi...@apache.org>.
lidavidm commented on code in PR #12880:
URL: https://github.com/apache/arrow/pull/12880#discussion_r849990368


##########
java/pom.xml:
##########
@@ -35,6 +35,7 @@
     <dep.guava.version>30.1.1-jre</dep.guava.version>
     <dep.netty.version>4.1.72.Final</dep.netty.version>
     <dep.jackson.version>2.11.4</dep.jackson.version>
+    <dep.jackson-bom.version>2.13.2.20220328</dep.jackson-bom.version>

Review Comment:
   I don't think we want to version the Jackson libraries separately though. If we're upgrading one we should upgrade all.





[GitHub] [arrow] github-actions[bot] commented on pull request #12880: ARROW-16143: [Java] Upgrade jackson dependencies CVE-2020-36518

Posted by GitBox <gi...@apache.org>.
github-actions[bot] commented on PR #12880:
URL: https://github.com/apache/arrow/pull/12880#issuecomment-1098556496

   https://issues.apache.org/jira/browse/ARROW-16143




[GitHub] [arrow] lidavidm commented on a diff in pull request #12880: ARROW-16143: [Java] Upgrade jackson dependencies CVE-2020-36518

Posted by GitBox <gi...@apache.org>.
lidavidm commented on code in PR #12880:
URL: https://github.com/apache/arrow/pull/12880#discussion_r850018528


##########
java/pom.xml:
##########
@@ -35,6 +35,7 @@
     <dep.guava.version>30.1.1-jre</dep.guava.version>
     <dep.netty.version>4.1.72.Final</dep.netty.version>
     <dep.jackson.version>2.11.4</dep.jackson.version>
+    <dep.jackson-bom.version>2.13.2.20220328</dep.jackson-bom.version>

Review Comment:
   Ah, they only published revisions for one library…Alright then. Can we make it `dep.jackson.databind.version` or something and note that upstream versioning is out of sync? It's unclear what `bom` is supposed to control.





[GitHub] [arrow] github-actions[bot] commented on pull request #12880: ARROW-16143: [Java] Upgrade jackson dependencies CVE-2020-36518

Posted by GitBox <gi...@apache.org>.
github-actions[bot] commented on PR #12880:
URL: https://github.com/apache/arrow/pull/12880#issuecomment-1098556511

   :warning: Ticket **has not been started in JIRA**, please click 'Start Progress'.




[GitHub] [arrow] github-actions[bot] commented on pull request #12880: ARROW-16143: [Java] Upgrade jackson dependencies CVE-2020-36518

Posted by GitBox <gi...@apache.org>.
github-actions[bot] commented on PR #12880:
URL: https://github.com/apache/arrow/pull/12880#issuecomment-1099105255

   Revision: bffb898b06fa2773d291ccdb22db4bc16b51d9af
   
   Submitted crossbow builds: [ursacomputing/crossbow @ actions-1856](https://github.com/ursacomputing/crossbow/branches/all?query=actions-1856)
   
   |Task|Status|
   |----|------|
   |java-jars|[![Github Actions](https://github.com/ursacomputing/crossbow/workflows/Crossbow/badge.svg?branch=actions-1856-github-java-jars)](https://github.com/ursacomputing/crossbow/actions?query=branch:actions-1856-github-java-jars)|
   |verify-rc-source-java-linux-almalinux-8-amd64|[![Github Actions](https://github.com/ursacomputing/crossbow/workflows/Crossbow/badge.svg?branch=actions-1856-github-verify-rc-source-java-linux-almalinux-8-amd64)](https://github.com/ursacomputing/crossbow/actions?query=branch:actions-1856-github-verify-rc-source-java-linux-almalinux-8-amd64)|
   |verify-rc-source-java-linux-conda-latest-amd64|[![Github Actions](https://github.com/ursacomputing/crossbow/workflows/Crossbow/badge.svg?branch=actions-1856-github-verify-rc-source-java-linux-conda-latest-amd64)](https://github.com/ursacomputing/crossbow/actions?query=branch:actions-1856-github-verify-rc-source-java-linux-conda-latest-amd64)|
   |verify-rc-source-java-linux-ubuntu-18.04-amd64|[![Github Actions](https://github.com/ursacomputing/crossbow/workflows/Crossbow/badge.svg?branch=actions-1856-github-verify-rc-source-java-linux-ubuntu-18.04-amd64)](https://github.com/ursacomputing/crossbow/actions?query=branch:actions-1856-github-verify-rc-source-java-linux-ubuntu-18.04-amd64)|
   |verify-rc-source-java-linux-ubuntu-20.04-amd64|[![Github Actions](https://github.com/ursacomputing/crossbow/workflows/Crossbow/badge.svg?branch=actions-1856-github-verify-rc-source-java-linux-ubuntu-20.04-amd64)](https://github.com/ursacomputing/crossbow/actions?query=branch:actions-1856-github-verify-rc-source-java-linux-ubuntu-20.04-amd64)|
   |verify-rc-source-java-macos-amd64|[![Github Actions](https://github.com/ursacomputing/crossbow/workflows/Crossbow/badge.svg?branch=actions-1856-github-verify-rc-source-java-macos-amd64)](https://github.com/ursacomputing/crossbow/actions?query=branch:actions-1856-github-verify-rc-source-java-macos-amd64)|




[GitHub] [arrow] lidavidm commented on a diff in pull request #12880: ARROW-16143: [Java] Upgrade jackson dependencies CVE-2020-36518

Posted by GitBox <gi...@apache.org>.
lidavidm commented on code in PR #12880:
URL: https://github.com/apache/arrow/pull/12880#discussion_r850018713


##########
java/pom.xml:
##########
@@ -35,6 +35,7 @@
     <dep.guava.version>30.1.1-jre</dep.guava.version>
     <dep.netty.version>4.1.72.Final</dep.netty.version>
     <dep.jackson.version>2.11.4</dep.jackson.version>
+    <dep.jackson-bom.version>2.13.2.20220328</dep.jackson-bom.version>

Review Comment:
   Oh, sorry, we depend on `bom` indeed. Alright then.





[GitHub] [arrow] lidavidm commented on a diff in pull request #12880: ARROW-16143: [Java] Upgrade jackson dependencies CVE-2020-36518

Posted by GitBox <gi...@apache.org>.
lidavidm commented on code in PR #12880:
URL: https://github.com/apache/arrow/pull/12880#discussion_r849971744


##########
java/pom.xml:
##########
@@ -35,6 +35,7 @@
     <dep.guava.version>30.1.1-jre</dep.guava.version>
     <dep.netty.version>4.1.72.Final</dep.netty.version>
     <dep.jackson.version>2.11.4</dep.jackson.version>
+    <dep.jackson-bom.version>2.13.2.20220328</dep.jackson-bom.version>

Review Comment:
   Why the discrepancy? Why can't we just edit `dep.jackson.version` above?






[GitHub] [arrow] davisusanibar commented on a diff in pull request #12880: ARROW-16143: [Java] Upgrade jackson dependencies CVE-2020-36518

Posted by GitBox <gi...@apache.org>.
davisusanibar commented on code in PR #12880:
URL: https://github.com/apache/arrow/pull/12880#discussion_r849986566


##########
java/pom.xml:
##########
@@ -35,6 +35,7 @@
     <dep.guava.version>30.1.1-jre</dep.guava.version>
     <dep.netty.version>4.1.72.Final</dep.netty.version>
     <dep.jackson.version>2.11.4</dep.jackson.version>
+    <dep.jackson-bom.version>2.13.2.20220328</dep.jackson-bom.version>

Review Comment:
   I just updated `<dep.jackson.version>2.13.2</dep.jackson.version>`, but consider: if we maintain only this parameter version, all libraries are going to be updated to 2.13.2, but for jackson-databind we need 2.13.2.2, and this is handled by the [jackson BOM](https://github.com/FasterXML/jackson-bom/blob/jackson-bom-2.13.2.20220328/pom.xml#L62) `<dep.jackson-bom.version>2.13.2.20220328</dep.jackson-bom.version>`





[GitHub] [arrow] lidavidm closed pull request #12880: ARROW-16143: [Java] Upgrade jackson dependencies CVE-2020-36518

Posted by GitBox <gi...@apache.org>.
lidavidm closed pull request #12880: ARROW-16143: [Java] Upgrade jackson dependencies CVE-2020-36518
URL: https://github.com/apache/arrow/pull/12880




[GitHub] [arrow] ursabot commented on pull request #12880: ARROW-16143: [Java] Upgrade jackson dependencies CVE-2020-36518

Posted by GitBox <gi...@apache.org>.
ursabot commented on PR #12880:
URL: https://github.com/apache/arrow/pull/12880#issuecomment-1100236784

   Benchmark runs are scheduled for baseline = b64fd28afb31d5498fd9824b20574312b4db5945 and contender = a63ee07f34532df20b767f918ff7646e4e1d9651. a63ee07f34532df20b767f918ff7646e4e1d9651 is a master commit associated with this PR. Results will be available as each benchmark for each run completes.
   Conbench compare runs links:
   [Finished :arrow_down:0.0% :arrow_up:0.0%] [ec2-t3-xlarge-us-east-2](https://conbench.ursa.dev/compare/runs/5ad7a9edb7344cd380d83a71b40a3679...2ef23a49fa2943e0a62d6cd3321536aa/)
   [Finished :arrow_down:2.55% :arrow_up:0.0%] [test-mac-arm](https://conbench.ursa.dev/compare/runs/945ce77ef6d5405eb696fa66357ceae3...c641c52a3ab741af971824cf66808911/)
   [Failed :arrow_down:1.79% :arrow_up:0.0%] [ursa-i9-9960x](https://conbench.ursa.dev/compare/runs/367746be79ed4d469ff8a5b7a7f1249a...0d37f2ac558d460fbddabb8076117ff4/)
   [Finished :arrow_down:4.08% :arrow_up:0.47%] [ursa-thinkcentre-m75q](https://conbench.ursa.dev/compare/runs/47f130eab3d44ae98053ea01779a2316...d19c2d8c97b44c58a49cd9446cfd9f20/)
   Buildkite builds:
   [Finished] <https://buildkite.com/apache-arrow/arrow-bci-benchmark-on-ec2-t3-xlarge-us-east-2/builds/513| `a63ee07f` ec2-t3-xlarge-us-east-2>
   [Finished] <https://buildkite.com/apache-arrow/arrow-bci-benchmark-on-test-mac-arm/builds/500| `a63ee07f` test-mac-arm>
   [Finished] <https://buildkite.com/apache-arrow/arrow-bci-benchmark-on-ursa-i9-9960x/builds/499| `a63ee07f` ursa-i9-9960x>
   [Finished] <https://buildkite.com/apache-arrow/arrow-bci-benchmark-on-ursa-thinkcentre-m75q/builds/510| `a63ee07f` ursa-thinkcentre-m75q>
   [Finished] <https://buildkite.com/apache-arrow/arrow-bci-benchmark-on-ec2-t3-xlarge-us-east-2/builds/512| `b64fd28a` ec2-t3-xlarge-us-east-2>
   [Finished] <https://buildkite.com/apache-arrow/arrow-bci-benchmark-on-test-mac-arm/builds/499| `b64fd28a` test-mac-arm>
   [Failed] <https://buildkite.com/apache-arrow/arrow-bci-benchmark-on-ursa-i9-9960x/builds/498| `b64fd28a` ursa-i9-9960x>
   [Finished] <https://buildkite.com/apache-arrow/arrow-bci-benchmark-on-ursa-thinkcentre-m75q/builds/509| `b64fd28a` ursa-thinkcentre-m75q>
   Supported benchmarks:
   ec2-t3-xlarge-us-east-2: Supported benchmark langs: Python, R. Runs only benchmarks with cloud = True
   test-mac-arm: Supported benchmark langs: C++, Python, R
   ursa-i9-9960x: Supported benchmark langs: Python, R, JavaScript
   ursa-thinkcentre-m75q: Supported benchmark langs: C++, Java
   

