Posted to commits@spark.apache.org by yu...@apache.org on 2022/03/27 17:01:56 UTC

[spark] branch master updated: [SPARK-38665][BUILD] Upgrade jackson due to CVE-2020-36518

This is an automated email from the ASF dual-hosted git repository.

yumwang pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/spark.git


The following commit(s) were added to refs/heads/master by this push:
     new c952b83  [SPARK-38665][BUILD] Upgrade jackson due to CVE-2020-36518
c952b83 is described below

commit c952b83deee3e1063b237a1253b65f3b739343a7
Author: Cheng Pan <ch...@apache.org>
AuthorDate: Mon Mar 28 00:59:21 2022 +0800

    [SPARK-38665][BUILD] Upgrade jackson due to CVE-2020-36518
    
    ### What changes were proposed in this pull request?
    
    Upgrade jackson due to CVE-2020-36518
    
    ### Why are the changes needed?
    
    https://github.com/FasterXML/jackson-databind/issues/2816
    Only jackson-databind has a 2.13.2.1 release;
    the other Jackson jars should stay at 2.13.2.
    
    ### Does this PR introduce _any_ user-facing change?
    
    No
    
    ### How was this patch tested?
    
    Existing tests.
    
    Closes #35981 from pan3793/jackson.
    
    Authored-by: Cheng Pan <ch...@apache.org>
    Signed-off-by: Yuming Wang <yu...@ebay.com>
---
 dev/deps/spark-deps-hadoop-2-hive-2.3 | 4 ++--
 dev/deps/spark-deps-hadoop-3-hive-2.3 | 4 ++--
 pom.xml                               | 8 +++++++-
 3 files changed, 11 insertions(+), 5 deletions(-)

diff --git a/dev/deps/spark-deps-hadoop-2-hive-2.3 b/dev/deps/spark-deps-hadoop-2-hive-2.3
index 442f2a2..cd1af5e 100644
--- a/dev/deps/spark-deps-hadoop-2-hive-2.3
+++ b/dev/deps/spark-deps-hadoop-2-hive-2.3
@@ -115,10 +115,10 @@ ivy/2.5.0//ivy-2.5.0.jar
 jackson-annotations/2.13.2//jackson-annotations-2.13.2.jar
 jackson-core-asl/1.9.13//jackson-core-asl-1.9.13.jar
 jackson-core/2.13.2//jackson-core-2.13.2.jar
-jackson-databind/2.13.2//jackson-databind-2.13.2.jar
+jackson-databind/2.13.2.1//jackson-databind-2.13.2.1.jar
 jackson-dataformat-cbor/2.13.2//jackson-dataformat-cbor-2.13.2.jar
 jackson-dataformat-yaml/2.13.2//jackson-dataformat-yaml-2.13.2.jar
-jackson-datatype-jsr310/2.13.1//jackson-datatype-jsr310-2.13.1.jar
+jackson-datatype-jsr310/2.13.2//jackson-datatype-jsr310-2.13.2.jar
 jackson-jaxrs/1.9.13//jackson-jaxrs-1.9.13.jar
 jackson-mapper-asl/1.9.13//jackson-mapper-asl-1.9.13.jar
 jackson-module-scala_2.12/2.13.2//jackson-module-scala_2.12-2.13.2.jar
diff --git a/dev/deps/spark-deps-hadoop-3-hive-2.3 b/dev/deps/spark-deps-hadoop-3-hive-2.3
index 1389bef..7752853 100644
--- a/dev/deps/spark-deps-hadoop-3-hive-2.3
+++ b/dev/deps/spark-deps-hadoop-3-hive-2.3
@@ -104,10 +104,10 @@ ivy/2.5.0//ivy-2.5.0.jar
 jackson-annotations/2.13.2//jackson-annotations-2.13.2.jar
 jackson-core-asl/1.9.13//jackson-core-asl-1.9.13.jar
 jackson-core/2.13.2//jackson-core-2.13.2.jar
-jackson-databind/2.13.2//jackson-databind-2.13.2.jar
+jackson-databind/2.13.2.1//jackson-databind-2.13.2.1.jar
 jackson-dataformat-cbor/2.13.2//jackson-dataformat-cbor-2.13.2.jar
 jackson-dataformat-yaml/2.13.2//jackson-dataformat-yaml-2.13.2.jar
-jackson-datatype-jsr310/2.13.1//jackson-datatype-jsr310-2.13.1.jar
+jackson-datatype-jsr310/2.13.2//jackson-datatype-jsr310-2.13.2.jar
 jackson-mapper-asl/1.9.13//jackson-mapper-asl-1.9.13.jar
 jackson-module-scala_2.12/2.13.2//jackson-module-scala_2.12-2.13.2.jar
 jakarta.annotation-api/1.3.5//jakarta.annotation-api-1.3.5.jar
diff --git a/pom.xml b/pom.xml
index e834ded..82eda7d 100644
--- a/pom.xml
+++ b/pom.xml
@@ -175,6 +175,7 @@
     <scalafmt.skip>true</scalafmt.skip>
     <codehaus.jackson.version>1.9.13</codehaus.jackson.version>
     <fasterxml.jackson.version>2.13.2</fasterxml.jackson.version>
+    <fasterxml.jackson.databind.version>2.13.2.1</fasterxml.jackson.databind.version>
     <snappy.version>1.1.8.4</snappy.version>
     <netlib.java.version>1.1.2</netlib.java.version>
     <netlib.ludovic.dev.version>2.2.1</netlib.ludovic.dev.version>
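Review bot: The new `fasterxml.jackson.databind.version` property on the added line carries no comment explaining why jackson-databind is now versioned apart from `fasterxml.jackson.version`, so the next maintainer who bumps the Jackson line to 2.13.3 or later can easily leave databind pinned at 2.13.2.1 or, worse, re-merge the two and silently drop the fix. The split exists only because the CVE-2020-36518 fix (a denial of service via deeply nested input) shipped as a databind-only 2.13.2.1 micro release, as the commit message states. I would put that next to the property: `<!-- jackson-databind is versioned separately: the CVE-2020-36518 fix is a databind-only 2.13.2.1 release. Re-align with fasterxml.jackson.version once a full 2.13.x release ≥ 2.13.2.1 exists, and never let databind fall behind it. -->`. The enclosing `<properties>` element starts and ends outside the hunk.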
@@ -935,13 +936,18 @@
       <dependency>
         <groupId>com.fasterxml.jackson.core</groupId>
         <artifactId>jackson-databind</artifactId>
-        <version>${fasterxml.jackson.version}</version>
+        <version>${fasterxml.jackson.databind.version}</version>
       </dependency>
       <dependency>
         <groupId>com.fasterxml.jackson.core</groupId>
         <artifactId>jackson-annotations</artifactId>
         <version>${fasterxml.jackson.version}</version>
       </dependency>
+      <dependency>
+        <groupId>com.fasterxml.jackson.datatype</groupId>
+        <artifactId>jackson-datatype-jsr310</artifactId>
+        <version>${fasterxml.jackson.version}</version>
+      </dependency>
       <!-- Guava is excluded because of SPARK-6149.  The Guava version referenced in this module is
            15.0, which causes runtime incompatibility issues. -->
       <dependency>
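Review bot: The added `jackson-datatype-jsr310` managed dependency has no comment saying why it is being pinned here, and the commit message does not mention it either; the only evidence on the page is the dev/deps hunks, where jsr310 moves from 2.13.1 to 2.13.2, which suggests it was previously resolved transitively at a different Jackson version than the rest of the line. A short comment above the new `<dependency>` would preserve that reasoning: `<!-- Managed explicitly so jackson-datatype-jsr310 stays on the same Jackson line as the other modules instead of the older version pulled in transitively. -->`. It would also be worth a sentence in the PR description, since mixed Jackson module versions are a recurring source of runtime incompatibilities. The enclosing `<dependencyManagement>` block begins and ends outside this hunk.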
