Posted to commits@hudi.apache.org by "sivabalan narayanan (Jira)" <ji...@apache.org> on 2020/08/29 15:10:00 UTC

[jira] [Commented] (HUDI-195) Bump jackson-databind to prevent deserialization loophole

    [ https://issues.apache.org/jira/browse/HUDI-195?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17187002#comment-17187002 ] 

sivabalan narayanan commented on HUDI-195:
------------------------------------------

[~yanghua] [~vinoth]: do you folks want to touch base on this and see what needs to be done?

> Bump jackson-databind to prevent deserialization loophole
> ---------------------------------------------------------
>
>                 Key: HUDI-195
>                 URL: https://issues.apache.org/jira/browse/HUDI-195
>             Project: Apache Hudi
>          Issue Type: Improvement
>          Components: Code Cleanup, Writer Core
>            Reporter: vinoyang
>            Assignee: vinoyang
>            Priority: Major
>
> At Tencent, we cannot use version 2.6.4 of com.fasterxml.jackson.core:jackson-databind, because it has a deserialization loophole. The description of the loophole is here: [https://www.cnvd.org.cn/flaw/show/CNVD-2017-04483] (unfortunately, it's a Chinese web page).
> We recommend upgrading to 2.7.9.2, 2.8.11 or 2.9.4+.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
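The issue above only names the version bump. The jackson-databind deserialization problem it refers to is triggered by polymorphic "default typing", where the class to instantiate is read from the JSON document itself. The example below is added here for illustration and is not Apache Hudi code or code from the issue: it contrasts the global enableDefaultTyping() configuration with the allow-listed activateDefaultTyping(PolymorphicTypeValidator, ...) form that jackson-databind provides from 2.10 onward. The Event class, the package prefix com.example.myapp., and the JSON input are constructed for the demo; it assumes jackson-databind 2.10 or later on the classpath.

```java
// Added example, not Apache Hudi or Jackson project code.
// Shows why a bare version bump is not the whole story: the unsafe
// configuration is the one that lets untrusted JSON choose the class.
import com.fasterxml.jackson.databind.JsonMappingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class JacksonTypingDemo {

    // Hypothetical application type. An Object-typed field is exactly where
    // default typing applies, because Jackson cannot know the concrete class.
    public static class Event {
        public String name;
        public Object payload;
    }

    // Constructed input in the shape default typing expects:
    // ["<class name>", <value>]. A harmless class is used here; the point is
    // that the class name is chosen by whoever produced the document.
    static final String UNTRUSTED_JSON =
        "{\"name\":\"x\",\"payload\":[\"java.util.HashMap\",{\"k\":\"v\"}]}";

    // Pre-2.10 style configuration: any class on the classpath may be named.
    // Deprecated since 2.10 for this reason.
    static ObjectMapper legacyMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping();
        return m;
    }

    // Hardened configuration (2.10+): type ids are honoured only for subtypes
    // under an explicit prefix, so "java.util.HashMap" is refused.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
            .allowIfSubType("com.example.myapp.")   // assumed application package
            .build();
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE);
        return m;
    }

    public static void main(String[] args) throws Exception {
        // The legacy mapper instantiates whatever class the document names.
        Event e1 = legacyMapper().readValue(UNTRUSTED_JSON, Event.class);
        System.out.println("legacy mapper: payload is " + e1.payload.getClass().getName());

        // The hardened mapper rejects the document because the type id is
        // outside the allow-list.
        try {
            hardenedMapper().readValue(UNTRUSTED_JSON, Event.class);
            System.out.println("hardened mapper: unexpectedly accepted");
        } catch (JsonMappingException ex) {
            System.out.println("hardened mapper: rejected -> " + ex.getOriginalMessage());
        }
    }
}
```

When upgrading, also check that the transitive jackson-databind version is actually the one resolved at build time (for Maven, pin it in dependencyManagement rather than relying on a direct dependency alone), and grep the code base for enableDefaultTyping and @JsonTypeInfo(use = Id.CLASS) on fields that can be fed from external input; those are the places where a newer artifact alone does not remove the exposure.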