Posted to dev@parquet.apache.org by Shrushti Patel <sh...@slack-corp.com.INVALID> on 2023/03/15 17:24:46 UTC

Apache Parquet Jackson Update

Hello,

I work for Salesforce and we use Secor <https://github.com/pinterest/secor>
for Pinterest for data ingestion.

Secor uses parquet-hadoop
<https://github.com/pinterest/secor/blob/master/pom.xml#L266> dependency
which has Apache Parquet Jackson as one of its dependencies.
The Apache Parquet Jackson jar has com.fasterxml.jackson.core_jackson-databind
as one of its dependencies.

The latest Apache Parquet Jackson jar uses version 2.13.2.2 of
com.fasterxml.jackson.core_jackson-databind.
*This version has security vulnerabilities* CVE-2022-42004
<https://nvd.nist.gov/vuln/detail/CVE-2022-42004> (Fixed in 2.13.4) and
CVE-2022-42003 <https://nvd.nist.gov/vuln/detail/CVE-2022-42003> (Fixed in
2.14.0).

*I wanted to check what the next expected release date is for the Apache
Parquet Jackson jar that will have an updated version of the
com.fasterxml.jackson.core_jackson-databind jar.*

Looking forward to hearing from you soon.

Thanks,
Shrushti