[ https://issues.apache.org/jira/browse/HADOOP-18587?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17703580#comment-17703580 ]
Andras Katona commented on HADOOP-18587:
----------------------------------------

It's not enough just to upgrade the version in dependency management. If jettison is coming in only as a transitive dependency, whoever is pulling in that hadoop library will still get the wrong jettison.

Example: hadoop-common

{noformat}
org.example:untitled:jar:1.0-SNAPSHOT
\- org.apache.hadoop:hadoop-common:jar:3.4.0-SNAPSHOT:compile
   ...
   +- com.github.pjfanning:jersey-json:jar:1.20:compile
   |  +- org.codehaus.jettison:jettison:jar:1.1:compile
   ...
{noformat}

When the module is a library (so it will be used outside of the actual project), the correct dependency must be declared as a direct dependency (and optionally excluded from the dependency it originally came from).

> upgrade to jettison 1.5.3 to fix CVE-2022-40150
> -----------------------------------------------
>
>                 Key: HADOOP-18587
>                 URL: https://issues.apache.org/jira/browse/HADOOP-18587
>             Project: Hadoop Common
>          Issue Type: Task
>          Components: common
>            Reporter: PJ Fanning
>            Assignee: PJ Fanning
>            Priority: Major
>              Labels: pull-request-available
>             Fix For: 3.4.0, 3.3.5
>
>
> [https://github.com/advisories/GHSA-x27m-9w8j-5vcw]
>
> [https://github.com/jettison-json/jettison/releases]
> v1.5.2 is flagged as fixing a CVE but a v1.5.3 was quickly released and
> appears to fix some regressions caused by v1.5.2.
> Many hadoop tests fail when jettison 1.5.2 is used.
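The pattern the comment describes (direct declaration plus exclusion of the transitive path) looks like the following in a library module's pom.xml. This is an added illustration, not Hadoop's actual hadoop-common POM; the coordinates `com.github.pjfanning:jersey-json:1.20`, `org.codehaus.jettison:jettison:1.1` and the target version 1.5.3 are taken from the dependency tree and issue title above, and the project coordinates are placeholders.

```xml
<!-- Added example, not Hadoop's real POM. Shows how a *library* module pins the
     patched jettison so that downstream consumers resolve it too. Maven only
     honours the dependencyManagement of the project being built (and its
     parents/imports), not that of a transitive dependency's POM, which is why a
     managed version alone does not reach consumers of hadoop-common. -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.example</groupId>            <!-- placeholder coordinates -->
  <artifactId>example-library</artifactId>
  <version>1.0-SNAPSHOT</version>

  <dependencyManagement>
    <dependencies>
      <!-- Keeps the version consistent within this build; on its own this is
           NOT seen by projects that depend on the published artifact. -->
      <dependency>
        <groupId>org.codehaus.jettison</groupId>
        <artifactId>jettison</artifactId>
        <version>1.5.3</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <!-- The dependency that drags in the vulnerable jettison 1.1 transitively.
         Excluding it here removes the 1.1 path from the published graph. -->
    <dependency>
      <groupId>com.github.pjfanning</groupId>
      <artifactId>jersey-json</artifactId>
      <version>1.20</version>
      <exclusions>
        <exclusion>
          <groupId>org.codehaus.jettison</groupId>
          <artifactId>jettison</artifactId>
        </exclusion>
      </exclusions>
    </dependency>

    <!-- Direct declaration: this is what makes 1.5.3 part of the library's own
         dependency list, so consumers resolving this artifact get 1.5.3. The
         version is inherited from dependencyManagement above. -->
    <dependency>
      <groupId>org.codehaus.jettison</groupId>
      <artifactId>jettison</artifactId>
    </dependency>
  </dependencies>
</project>
```

To confirm the fix from the consumer side rather than from the library's own build, resolve the library from a separate project (as in the `org.example:untitled` tree above) and run `mvn dependency:tree -Dincludes=org.codehaus.jettison`; the only jettison node that should remain is 1.5.3, reached directly through the library rather than through jersey-json.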