[ https://issues.apache.org/jira/browse/HADOOP-19230?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

PJ Fanning updated HADOOP-19230:
--------------------------------
    Description: 
Follow up to HADOOP-18332

I have what I believe fixes the Jackson JAX-RS incompatibility.

https://github.com/pjfanning/jsr311-compat/

The reason that I want to start by just going to Jackson 2.14 is that Jackson 
has new StreamReadConstraints in Jackson 2.15 to protect against malicious JSON 
inputs. The constraints are generous but can cause issues with very large or 
deeply nested inputs.

Jackson has had a lot of security hardening fixes recently and it seems 
problematic to be stuck on an unsupported version of Jackson (2.12).

  was:
Follow up to HADOOP-18332

I have what I believe fixes the Jackson JAX-RS incompatibility.

https://github.com/pjfanning/jsr311-compat/

The reason that I want to start by just going to Jackson 2.14 is that Jackson 
has new StreamReadConstraints in Jackson 2.15 to protect against malicious JSON 
inputs. The constraints are generous but can cause issues with very large or 
deeply nested inputs.


> upgrade to jackson 2.14.3
> -------------------------
>
>                 Key: HADOOP-19230
>                 URL: https://issues.apache.org/jira/browse/HADOOP-19230
>             Project: Hadoop Common
>          Issue Type: Task
>          Components: common
>            Reporter: PJ Fanning
>            Priority: Major
>              Labels: pull-request-available
>
> Follow up to HADOOP-18332
> I have what I believe fixes the Jackson JAX-RS incompatibility.
> https://github.com/pjfanning/jsr311-compat/
> The reason that I want to start by just going to Jackson 2.14 is that Jackson 
> has new StreamReadConstraints in Jackson 2.15 to protect against malicious 
> JSON inputs. The constraints are generous but can cause issues with very 
> large or deeply nested inputs.
> Jackson has had a lot of security hardening fixes recently and it seems 
> problematic to be stuck on an unsupported version of Jackson (2.12).



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
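
An added illustration of the StreamReadConstraints behaviour the description refers to (not code from the issue, from Hadoop, or from jsr311-compat). It applies to jackson-core 2.15 or later, not to the 2.14.3 target of this issue. The class name, helper names, limit values and sample inputs are all assumptions made for the example.

```java
import com.fasterxml.jackson.core.JsonFactory;
import com.fasterxml.jackson.core.JsonParser;
import com.fasterxml.jackson.core.JsonToken;
import com.fasterxml.jackson.core.StreamReadConstraints;
import com.fasterxml.jackson.core.exc.StreamConstraintsException;

// Added example: requires jackson-core 2.15 or later and Java 11+.
public class StreamReadConstraintsDemo {

    // Factory with explicit limits rather than the library defaults.
    static JsonFactory factoryWithLimits(int maxDepth, int maxStringLen) {
        StreamReadConstraints constraints = StreamReadConstraints.builder()
                .maxNestingDepth(maxDepth)
                .maxStringLength(maxStringLen)
                .build();
        return JsonFactory.builder().streamReadConstraints(constraints).build();
    }

    // Reads the whole document; returns null if it was accepted, otherwise
    // the message of the constraint violation that stopped parsing.
    static String firstViolation(JsonFactory factory, String json) throws Exception {
        try (JsonParser p = factory.createParser(json)) {
            JsonToken t;
            while ((t = p.nextToken()) != null) {
                if (t == JsonToken.VALUE_STRING) {
                    p.getText(); // materialise the value so its length is checked
                }
            }
            return null;
        } catch (StreamConstraintsException e) {
            return e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: 200 nested arrays, and one 10,000-character string.
        String deep = "[".repeat(200) + "]".repeat(200);
        String large = "\"" + "a".repeat(10_000) + "\"";

        JsonFactory strict = factoryWithLimits(100, 1_000);     // hypothetical tight limits
        JsonFactory relaxed = factoryWithLimits(500, 100_000);  // hypothetical raised limits

        System.out.println("strict/deep:   " + firstViolation(strict, deep));
        System.out.println("strict/large:  " + firstViolation(strict, large));
        System.out.println("relaxed/deep:  " + firstViolation(relaxed, deep));
        System.out.println("relaxed/large: " + firstViolation(relaxed, large));
    }
}
```

The two strict calls report a constraint violation and the two relaxed calls print `null`, which is the trade-off the description raises: a service that legitimately reads very large or deeply nested JSON has to size these limits deliberately once it moves to 2.15.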