[
https://issues.apache.org/jira/browse/CALCITE-2154?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Julian Hyde updated CALCITE-2154:
---------------------------------
Description:
Calcite now uses FasterXML Jackson 2.6.3. Please upgrade to last version of
FasterXML Jackson (on 2018-01-30 it's version 2.9.4).
I hope that fixing pom.xml files and running tests is enough.
See also CALCITE-1021, KYLIN-3027.
was:
Calcite now uses FasterXML Jackson 2.6.3 that has known security
vulnerabilities:
* CVE-2017-7525 is prone to a remote-code execution vulnerability.
Successfully exploiting this issue allows attackers to execute arbitrary code
in the context of the affected application. Failed exploits will result in
denial-of-service conditions.
* CVE-2017-15095 describes more deserialization exploits for jackson-databind
as a follow-up to CVE-2017-7525.
* CVE-2017-17485 is about jackson-databind up to 2.9.3 allowing
unauthenticated remote code execution because of an incomplete fix for the
CVE-2017-7525 deserialization flaw.
* CVE-2018-5968 is about jackson-databind up to 2.9.3 allowing unauthenticated
remote code execution because of an incomplete fix for the CVE-2017-7525 and
CVE-2017-17485 deserialization flaws.
Please upgrade to last version of FasterXML Jackson (on 2018-01-30 it's version
2.9.4).
I hope that fixing pom.xml files and running tests is enough.
(See also JIRA:CALCITE-1021, JIRA:KYLIN-3027)
> upgrade jackson
> ----------------
>
> Key: CALCITE-2154
> URL: https://issues.apache.org/jira/browse/CALCITE-2154
> Project: Calcite
> Issue Type: Bug
> Components: avatica, core
> Affects Versions: 1.15.0
> Reporter: Alexey Roytman
> Assignee: Julian Hyde
> Priority: Major
>
> Calcite now uses FasterXML Jackson 2.6.3. Please upgrade to last version of
> FasterXML Jackson (on 2018-01-30 it's version 2.9.4).
> I hope that fixing pom.xml files and running tests is enough.
> See also CALCITE-1021, KYLIN-3027.
>
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)