[ https://issues.apache.org/jira/browse/HADOOP-18033?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17564712#comment-17564712 ]
Viraj Jasani commented on HADOOP-18033:
---------------------------------------

{quote}In my past experience, Jersey 2.x upgrade takes a lot of time and I think it will cause some incompatible changes.
{quote}
I agree that 3.3 subsequent releases should not wait for Jersey 2 because of the sheer volume of changes and incompatibility with Jersey 1.

From my previous comment:
{quote}FWIW, although Hadoop 3.3 could revert this for 3.3.4 release but from security viewpoint, staying up with latest Jackson2 is also in good favour of 3.3 release line, given that 3.3 is the latest release line.
{quote}
we might have to call out on the Jackson CVE that we claimed to have fixed with 3.3.2 and 3.3.3 and now 3.3.4 would get it exposed with the revert. IIRC, Jersey 1.19 is not flagged by security for active CVEs but Jackson versions <= 2.12 are?

> Upgrade fasterxml Jackson to 2.13.0
> -----------------------------------
>
> Key: HADOOP-18033
> URL: https://issues.apache.org/jira/browse/HADOOP-18033
> Project: Hadoop Common
> Issue Type: Improvement
> Components: build
> Reporter: Akira Ajisaka
> Assignee: Viraj Jasani
> Priority: Major
> Labels: pull-request-available
> Fix For: 3.4.0, 3.3.2
>
> Time Spent: 5.5h
> Remaining Estimate: 0h
>
> Spark 3.2.0 depends on Jackson 2.12.3. Let's upgrade to 2.12.5 (2.12.x latest
> as of now) or upper.