Posted to issues@flink.apache.org by GitBox <gi...@apache.org> on 2022/10/14 09:53:14 UTC

[GitHub] [flink-shaded] snuyanzin opened a new pull request, #113: [FLINK-29631] Update Jackson-bom to 2.13.4.20221013

snuyanzin opened a new pull request, #113:
URL: https://github.com/apache/flink-shaded/pull/113

   Update of jackson-bom because of CVE-2022-42003
   this was fixed within https://github.com/FasterXML/jackson-databind/issues/3590


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: issues-unsubscribe@flink.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


[GitHub] [flink-shaded] MartijnVisser commented on a diff in pull request #113: [FLINK-29631] Update Jackson-bom to 2.13.4.20221013

Posted by GitBox <gi...@apache.org>.
MartijnVisser commented on code in PR #113:
URL: https://github.com/apache/flink-shaded/pull/113#discussion_r999146226


##########
flink-shaded-jackson-parent/flink-shaded-jackson-2/src/main/resources/META-INF/NOTICE:
##########
@@ -8,7 +8,7 @@ This project bundles the following dependencies under the Apache Software Licens
 
 - com.fasterxml.jackson.core:jackson-annotations:2.13.4
 - com.fasterxml.jackson.core:jackson-core:2.13.4
-- com.fasterxml.jackson.core:jackson-databind:2.13.4
+- com.fasterxml.jackson.core:jackson-databind:2.13.4.2
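
Review bot: The `+` line moves only jackson-databind to 2.13.4.2 while the jackson-annotations and jackson-core entries directly above it stay at 2.13.4, and the PR title names the BOM version 2.13.4.20221013, so one upgrade now involves three different version strings. Suggest stating in the PR description which jackson-databind version the BOM resolves to and that the other artifacts are expected to remain at 2.13.4, and confirming each NOTICE entry against the resolved dependency tree so the file is not read as a partial upgrade. The hunk header announces 7 lines per side but fewer are shown here, so the remaining bundled entries in this NOTICE cannot be checked from the excerpt.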

Review Comment:
   Is this really the correct version, looking at what you're referring to in the POM file? 





[GitHub] [flink-shaded] snuyanzin commented on a diff in pull request #113: [FLINK-29631] Update Jackson-bom to 2.13.4.20221013

Posted by GitBox <gi...@apache.org>.
snuyanzin commented on code in PR #113:
URL: https://github.com/apache/flink-shaded/pull/113#discussion_r999157947


##########
flink-shaded-jackson-parent/flink-shaded-jackson-2/src/main/resources/META-INF/NOTICE:
##########
@@ -8,7 +8,7 @@ This project bundles the following dependencies under the Apache Software Licens
 
 - com.fasterxml.jackson.core:jackson-annotations:2.13.4
 - com.fasterxml.jackson.core:jackson-core:2.13.4
-- com.fasterxml.jackson.core:jackson-databind:2.13.4
+- com.fasterxml.jackson.core:jackson-databind:2.13.4.2

Review Comment:
   Yes, based on issue description in databind repo [1] 
   > 2.13.4.2 micro-patch (jackson-bom 2.13.4.20221013). (NOTE: 2.13.4.1/2.13.4.20221012 have an issue that affects Gradle users)
   
   [1] https://github.com/FasterXML/jackson-databind/issues/3590#issue-1362567066





[GitHub] [flink-shaded] snuyanzin commented on a diff in pull request #113: [FLINK-29631] Update Jackson-bom to 2.13.4.20221013

Posted by GitBox <gi...@apache.org>.
snuyanzin commented on code in PR #113:
URL: https://github.com/apache/flink-shaded/pull/113#discussion_r999183281


##########
flink-shaded-jackson-parent/flink-shaded-jackson-2/src/main/resources/META-INF/NOTICE:
##########
@@ -8,7 +8,7 @@ This project bundles the following dependencies under the Apache Software Licens
 
 - com.fasterxml.jackson.core:jackson-annotations:2.13.4
 - com.fasterxml.jackson.core:jackson-core:2.13.4
-- com.fasterxml.jackson.core:jackson-databind:2.13.4
+- com.fasterxml.jackson.core:jackson-databind:2.13.4.2

Review Comment:
   also `mvn dependency:tree` for this branch gives
   ```
   [INFO]    +- com.fasterxml.jackson.core:jackson-annotations:jar:2.13.4:compile
   [INFO]    +- com.fasterxml.jackson.core:jackson-databind:jar:2.13.4.2:compile
   [INFO]    |  \- com.fasterxml.jackson.core:jackson-core:jar:2.13.4:compile
   [INFO]    +- com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:jar:2.13.4:compile
   [INFO]    |  \- org.yaml:snakeyaml:jar:1.31:compile
   [INFO]    +- com.fasterxml.jackson.datatype:jackson-datatype-jsr310:jar:2.13.4:compile
   
   ```





[GitHub] [flink-shaded] snuyanzin commented on a diff in pull request #113: [FLINK-29631] Update Jackson-bom to 2.13.4.20221013

Posted by GitBox <gi...@apache.org>.
snuyanzin commented on code in PR #113:
URL: https://github.com/apache/flink-shaded/pull/113#discussion_r999157947


##########
flink-shaded-jackson-parent/flink-shaded-jackson-2/src/main/resources/META-INF/NOTICE:
##########
@@ -8,7 +8,7 @@ This project bundles the following dependencies under the Apache Software Licens
 
 - com.fasterxml.jackson.core:jackson-annotations:2.13.4
 - com.fasterxml.jackson.core:jackson-core:2.13.4
-- com.fasterxml.jackson.core:jackson-databind:2.13.4
+- com.fasterxml.jackson.core:jackson-databind:2.13.4.2

Review Comment:
   Based on issue description in databind repo [1] 
   > 2.13.4.2 micro-patch (jackson-bom 2.13.4.20221013). (NOTE: 2.13.4.1/2.13.4.20221012 have an issue that affects Gradle users)
   
   [1] https://github.com/FasterXML/jackson-databind/issues/3590#issue-1362567066





[GitHub] [flink-shaded] MartijnVisser commented on a diff in pull request #113: [FLINK-29631] Update Jackson-bom to 2.13.4.20221013

Posted by GitBox <gi...@apache.org>.
MartijnVisser commented on code in PR #113:
URL: https://github.com/apache/flink-shaded/pull/113#discussion_r1000420368


##########
flink-shaded-jackson-parent/flink-shaded-jackson-2/src/main/resources/META-INF/NOTICE:
##########
@@ -8,7 +8,7 @@ This project bundles the following dependencies under the Apache Software Licens
 
 - com.fasterxml.jackson.core:jackson-annotations:2.13.4
 - com.fasterxml.jackson.core:jackson-core:2.13.4
-- com.fasterxml.jackson.core:jackson-databind:2.13.4
+- com.fasterxml.jackson.core:jackson-databind:2.13.4.2

Review Comment:
   How freaking annoying... 





[GitHub] [flink-shaded] MartijnVisser merged pull request #113: [FLINK-29631] Update Jackson-bom to 2.13.4.20221013

Posted by GitBox <gi...@apache.org>.
MartijnVisser merged PR #113:
URL: https://github.com/apache/flink-shaded/pull/113

