[ https://issues.apache.org/jira/browse/ARROW-1242?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16121263#comment-16121263 ]
Matt Darwin edited comment on ARROW-1242 at 8/10/17 8:49 AM: ------------------------------------------------------------- Sorry [~wesmckinn], there was a bug in my PR and it's not changed the Jackson version. java/pom.xml defines a {{jackson.version}} variable, but in java/vector/pom.xml it doesn't use that variable. I've changed it in my branch and have submitted a new PR [PR 957|https://github.com/apache/arrow/pull/957] . was (Author: mdarwin): Sorry [~wesmckinn], there was a bug in my PR and it's not changed the Jackson version. java/pom.xml defines a {{jackson.version}} variable, but in java/vector/pom.xml it doesn't use that variable. I've changed it in my branch and have submitted a new PR #957. > [Java] security - upgrade Jackson to mitigate 3 CVE vulnerabilities > ------------------------------------------------------------------- > > Key: ARROW-1242 > URL: https://issues.apache.org/jira/browse/ARROW-1242 > Project: Apache Arrow > Issue Type: Bug > Components: Java - Memory, Java - Vectors > Affects Versions: 0.4.1 > Reporter: Matt Darwin > Assignee: Matt Darwin > Fix For: 0.6.0 > > > please consider upgrading jackson to mitigate its various vulnerabilities in > 2.7.1: > https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=jackson > see also > https://github.com/FasterXML/jackson-databind/issues/1599 -- This message was sent by Atlassian JIRA (v6.4.14#64029)