Posted to commits@spark.apache.org by yu...@apache.org on 2022/03/27 17:01:56 UTC
[spark] branch master updated: [SPARK-38665][BUILD] Upgrade jackson due to CVE-2020-36518
This is an automated email from the ASF dual-hosted git repository.
yumwang pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/spark.git
The following commit(s) were added to refs/heads/master by this push:
new c952b83 [SPARK-38665][BUILD] Upgrade jackson due to CVE-2020-36518
c952b83 is described below
commit c952b83deee3e1063b237a1253b65f3b739343a7
Author: Cheng Pan <ch...@apache.org>
AuthorDate: Mon Mar 28 00:59:21 2022 +0800
[SPARK-38665][BUILD] Upgrade jackson due to CVE-2020-36518
### What changes were proposed in this pull request?
Upgrade jackson due to CVE-2020-36518
### Why are the changes needed?
https://github.com/FasterXML/jackson-databind/issues/2816
Only jackson-databind has a 2.13.2.1 release;
the other Jackson jars should stay at 2.13.2.
### Does this PR introduce _any_ user-facing change?
No
### How was this patch tested?
Existing tests.
Closes #35981 from pan3793/jackson.
Authored-by: Cheng Pan <ch...@apache.org>
Signed-off-by: Yuming Wang <yu...@ebay.com>
---
dev/deps/spark-deps-hadoop-2-hive-2.3 | 4 ++--
dev/deps/spark-deps-hadoop-3-hive-2.3 | 4 ++--
pom.xml | 8 +++++++-
3 files changed, 11 insertions(+), 5 deletions(-)
diff --git a/dev/deps/spark-deps-hadoop-2-hive-2.3 b/dev/deps/spark-deps-hadoop-2-hive-2.3
index 442f2a2..cd1af5e 100644
--- a/dev/deps/spark-deps-hadoop-2-hive-2.3
+++ b/dev/deps/spark-deps-hadoop-2-hive-2.3
@@ -115,10 +115,10 @@ ivy/2.5.0//ivy-2.5.0.jar
jackson-annotations/2.13.2//jackson-annotations-2.13.2.jar
jackson-core-asl/1.9.13//jackson-core-asl-1.9.13.jar
jackson-core/2.13.2//jackson-core-2.13.2.jar
-jackson-databind/2.13.2//jackson-databind-2.13.2.jar
+jackson-databind/2.13.2.1//jackson-databind-2.13.2.1.jar
jackson-dataformat-cbor/2.13.2//jackson-dataformat-cbor-2.13.2.jar
jackson-dataformat-yaml/2.13.2//jackson-dataformat-yaml-2.13.2.jar
-jackson-datatype-jsr310/2.13.1//jackson-datatype-jsr310-2.13.1.jar
+jackson-datatype-jsr310/2.13.2//jackson-datatype-jsr310-2.13.2.jar
jackson-jaxrs/1.9.13//jackson-jaxrs-1.9.13.jar
jackson-mapper-asl/1.9.13//jackson-mapper-asl-1.9.13.jar
jackson-module-scala_2.12/2.13.2//jackson-module-scala_2.12-2.13.2.jar
diff --git a/dev/deps/spark-deps-hadoop-3-hive-2.3 b/dev/deps/spark-deps-hadoop-3-hive-2.3
index 1389bef..7752853 100644
--- a/dev/deps/spark-deps-hadoop-3-hive-2.3
+++ b/dev/deps/spark-deps-hadoop-3-hive-2.3
@@ -104,10 +104,10 @@ ivy/2.5.0//ivy-2.5.0.jar
jackson-annotations/2.13.2//jackson-annotations-2.13.2.jar
jackson-core-asl/1.9.13//jackson-core-asl-1.9.13.jar
jackson-core/2.13.2//jackson-core-2.13.2.jar
-jackson-databind/2.13.2//jackson-databind-2.13.2.jar
+jackson-databind/2.13.2.1//jackson-databind-2.13.2.1.jar
jackson-dataformat-cbor/2.13.2//jackson-dataformat-cbor-2.13.2.jar
jackson-dataformat-yaml/2.13.2//jackson-dataformat-yaml-2.13.2.jar
-jackson-datatype-jsr310/2.13.1//jackson-datatype-jsr310-2.13.1.jar
+jackson-datatype-jsr310/2.13.2//jackson-datatype-jsr310-2.13.2.jar
jackson-mapper-asl/1.9.13//jackson-mapper-asl-1.9.13.jar
jackson-module-scala_2.12/2.13.2//jackson-module-scala_2.12-2.13.2.jar
jakarta.annotation-api/1.3.5//jakarta.annotation-api-1.3.5.jar
diff --git a/pom.xml b/pom.xml
index e834ded..82eda7d 100644
--- a/pom.xml
+++ b/pom.xml
@@ -175,6 +175,7 @@
<scalafmt.skip>true</scalafmt.skip>
<codehaus.jackson.version>1.9.13</codehaus.jackson.version>
<fasterxml.jackson.version>2.13.2</fasterxml.jackson.version>
+ <fasterxml.jackson.databind.version>2.13.2.1</fasterxml.jackson.databind.version>
<snappy.version>1.1.8.4</snappy.version>
<netlib.java.version>1.1.2</netlib.java.version>
<netlib.ludovic.dev.version>2.2.1</netlib.ludovic.dev.version>
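Review bot: The added `fasterxml.jackson.databind.version` property carries no comment explaining why jackson-databind is versioned apart from `fasterxml.jackson.version`. Without that, a later bump of the shared property alone would leave databind at 2.13.2.1, behind the other Jackson modules. I would put `<!-- SPARK-38665: jackson-databind 2.13.2.1 is a databind-only release for CVE-2020-36518; keep this at or above fasterxml.jackson.version -->` directly above the new line. The properties block starts and ends outside this hunk.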
@@ -935,13 +936,18 @@
<dependency>
<groupId>com.fasterxml.jackson.core</groupId>
<artifactId>jackson-databind</artifactId>
- <version>${fasterxml.jackson.version}</version>
+ <version>${fasterxml.jackson.databind.version}</version>
</dependency>
<dependency>
<groupId>com.fasterxml.jackson.core</groupId>
<artifactId>jackson-annotations</artifactId>
<version>${fasterxml.jackson.version}</version>
</dependency>
+ <dependency>
+ <groupId>com.fasterxml.jackson.datatype</groupId>
+ <artifactId>jackson-datatype-jsr310</artifactId>
+ <version>${fasterxml.jackson.version}</version>
+ </dependency>
<!-- Guava is excluded because of SPARK-6149. The Guava version referenced in this module is
15.0, which causes runtime incompatibility issues. -->
<dependency>
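Review bot: The added `jackson-datatype-jsr310` entry is explained neither in the commit description nor in the pom. Judging by the dev/deps manifests in this commit, it moves that jar from 2.13.1 to 2.13.2, presumably to keep a transitive dependency in step with the other Jackson modules. A one-line comment above the entry, such as `<!-- Pin transitive jackson-datatype-jsr310 to the shared Jackson version -->`, would record that intent. The enclosing section starts outside the hunk, so I am assuming these entries sit under `dependencyManagement`.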