Posted to issues@spark.apache.org by "Hyukjin Kwon (JIRA)" <ji...@apache.org> on 2017/08/02 19:21:01 UTC

[jira] [Commented] (SPARK-20433) Update jackson-databind to 2.6.7.1

    [ https://issues.apache.org/jira/browse/SPARK-20433?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16111580#comment-16111580 ] 

Hyukjin Kwon commented on SPARK-20433:
--------------------------------------

User 'ash211' has created a pull request for this issue:
https://github.com/apache/spark/pull/18789

> Update jackson-databind to 2.6.7.1
> ----------------------------------
>
>                 Key: SPARK-20433
>                 URL: https://issues.apache.org/jira/browse/SPARK-20433
>             Project: Spark
>          Issue Type: Improvement
>          Components: Spark Core
>    Affects Versions: 2.1.0
>            Reporter: Andrew Ash
>            Priority: Minor
>
> There was a security vulnerability recently reported to the upstream jackson-databind project at https://github.com/FasterXML/jackson-databind/issues/1599 which now has a fix released.
> From my reading of that, versions 2.7.9.1, 2.8.8.1, and 2.9.0.pr3 are the first fixed versions in their respective 2.X branches, and versions in the 2.6.X line and earlier remain vulnerable. UPDATE: now the 2.6.X line has a patch as well: 2.6.7.1 as mentioned at https://github.com/FasterXML/jackson-databind/issues/1599#issuecomment-315486340
> Right now Spark master branch is on 2.6.5: https://github.com/apache/spark/blob/master/pom.xml#L164
> and Hadoop branch-2.7 is on 2.2.3: https://github.com/apache/hadoop/blob/branch-2.7/hadoop-project/pom.xml#L71
> and Hadoop branch-3.0.0-alpha2 is on 2.7.8: https://github.com/apache/hadoop/blob/branch-3.0.0-alpha2/hadoop-project/pom.xml#L74
> We should bump Spark from 2.6.5 to 2.6.7.1 to get a patched version of this library for the next Spark release.


