[ 
https://issues.apache.org/jira/browse/SPARK-20433?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15994660#comment-15994660
 ] 

Hyukjin Kwon commented on SPARK-20433:
--------------------------------------

[~aash], what do you think about resolving this for now and opening a thread on the 
mailing list? 

Probably it is appropriate to open a JIRA to start a discussion, but I was 
thinking it might be better if we open a discussion thread on the dev mailing list 
and verify with other guys whether it is really an issue or not.

Another reason for this suggestion is that, as we all already know, the number of 
JIRAs grows so fast, and probably we should resolve some JIRAs that look like they 
would just be left open without further action.


> Security issue with jackson-databind
> ------------------------------------
>
>                 Key: SPARK-20433
>                 URL: https://issues.apache.org/jira/browse/SPARK-20433
>             Project: Spark
>          Issue Type: Bug
>          Components: Spark Core
>    Affects Versions: 2.1.0
>            Reporter: Andrew Ash
>              Labels: security
>
> There was a security vulnerability recently reported to the upstream 
> jackson-databind project at 
> https://github.com/FasterXML/jackson-databind/issues/1599 which now has a fix 
> released.
> From my reading of that, versions 2.7.9.1, 2.8.8.1, and 2.9.0.pr3 are the 
> first fixed versions in their respective 2.X branches, and versions in the 
> 2.6.X line and earlier remain vulnerable.
> Right now Spark master branch is on 2.6.5: 
> https://github.com/apache/spark/blob/master/pom.xml#L164
> and Hadoop branch-2.7 is on 2.2.3: 
> https://github.com/apache/hadoop/blob/branch-2.7/hadoop-project/pom.xml#L71
> and Hadoop branch-3.0.0-alpha2 is on 2.7.8: 
> https://github.com/apache/hadoop/blob/branch-3.0.0-alpha2/hadoop-project/pom.xml#L74
> We should try to find a way to get on a patched version of 
> jackson-databind for the Spark 2.2.0 release.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
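The issue above lists the first fixed jackson-databind release per 2.X branch (2.7.9.1, 2.8.8.1, 2.9.0.pr3) and the versions Spark and Hadoop were pinned to at the time. The script below is an added example, not code from the Spark, Hadoop or Jackson projects: it pulls the Jackson version out of a pom.xml property and reports whether that version is at or past the first fixed release in its branch. The pom property name `fasterxml.jackson.version` and the pom fragment are constructed for the example, and the version ordering (a `.prN` pre-release sorts below the final release with the same numbers, a four-part `2.7.9.1` sorts after `2.7.9`, and any branch newer than 2.9 is assumed to have branched after the fix) is my own, not Maven's comparator.

```python
"""Check jackson-databind versions against the first fixed releases
named in SPARK-20433. Added example, not Spark/Hadoop/Jackson code.
Assumptions: the version ordering below is my own (not Maven's), and
the pom property name and pom fragment are constructed for the example.
"""
import re

# First fixed release per 2.X branch, as listed in the issue description.
# Branches older than 2.7 (2.6.x and earlier) have no fixed release.
FIRST_FIXED = {
    (2, 7): "2.7.9.1",
    (2, 8): "2.8.8.1",
    (2, 9): "2.9.0.pr3",
}

# Constructed pom fragment in the shape of a Maven <properties> block.
# The property name is an assumption for this example.
SAMPLE_POM = """
<properties>
  <fasterxml.jackson.version>2.6.5</fasterxml.jackson.version>
</properties>
"""

JACKSON_PROPERTY = re.compile(
    r"<fasterxml\.jackson\.version>\s*([^<\s]+)\s*</fasterxml\.jackson\.version>")


def parse_version(v):
    """'2.9.0.pr3' -> (2, 9, 0, 0, (0, 3)); '2.7.9.1' -> (2, 7, 9, 1, (1, 0)).

    Numeric parts are padded to four so that 2.7.9 < 2.7.9.1. The trailing
    tuple is (0, N) for a prN pre-release and (1, 0) for a final release,
    so 2.9.0.pr3 < 2.9.0.pr4 < 2.9.0. Anything else is rejected rather
    than guessed at.
    """
    nums, pre = [], (1, 0)
    for part in v.strip().split("."):
        if part.isdigit():
            nums.append(int(part))
            continue
        m = re.fullmatch(r"pr(\d+)", part)
        if m is None:
            raise ValueError("unrecognised component %r in version %r" % (part, v))
        pre = (0, int(m.group(1)))
    if not nums:
        raise ValueError("no numeric components in version %r" % v)
    nums += [0] * (4 - len(nums))
    return tuple(nums[:4]) + (pre,)


def is_patched(version):
    """True if `version` is at or after the first fixed release of its branch."""
    key = parse_version(version)
    branch = key[:2]
    if branch in FIRST_FIXED:
        return key >= parse_version(FIRST_FIXED[branch])
    # Assumption: branches newer than 2.9 were cut after the fix landed.
    # Branches older than 2.7 have no fixed release per the issue.
    return branch > (2, 9)


def jackson_version_from_pom(pom_text):
    """Return the jackson version property from a pom.xml text, or None."""
    m = JACKSON_PROPERTY.search(pom_text)
    return m.group(1) if m else None


def assess(deps):
    """deps: iterable of (label, version).

    Returns (label, version, patched, first_fixed_in_branch_or_None) rows.
    """
    rows = []
    for label, version in deps:
        branch = parse_version(version)[:2]
        rows.append((label, version, is_patched(version), FIRST_FIXED.get(branch)))
    return rows


if __name__ == "__main__":
    # The three pins named in the issue, plus the constructed pom fragment.
    pins = [
        ("spark master pom", jackson_version_from_pom(SAMPLE_POM)),
        ("hadoop branch-2.7", "2.2.3"),
        ("hadoop branch-3.0.0-alpha2", "2.7.8"),
    ]
    for label, version, patched, fixed in assess(pins):
        state = "patched" if patched else "VULNERABLE"
        target = fixed or "no fixed release in this branch; move to a newer branch"
        print("%-28s %-10s %-10s first fixed: %s" % (label, version, state, target))
```

Run it against a checked-out pom with `jackson_version_from_pom(open("pom.xml").read())`; a "VULNERABLE" row with no fixed release in its branch (the 2.6.5 and 2.2.3 pins) means the branch itself has to change, not just the patch level.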
