[ https://issues.apache.org/jira/browse/ARROW-16143?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17523745#comment-17523745 ]

David Dali Susanibar Arce commented on ARROW-16143:
---------------------------------------------------

Sorry [~lidavidm], I just read your comments.

I would suggest that the version should be defined in the parent pom.xml and not 
inside the modules; for this purpose, one option is to delete the Jackson 
dependencies inside the module and use the one defined in the parent.

I see that what is proposed in https://github.com/apache/arrow/pull/12886/files 
is not able to compile, because the latest Jackson dependencies are moved to 
2.13.2 and only databind is moved to 2.13.2.1 or 2.13.2.2.
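One way to centralize the Jackson versions as the comment suggests, written here as an illustrative pom fragment (this is not Arrow's actual build file; the groupId, artifactIds and property names are placeholders). It keeps a separate property for jackson-databind, since only that artifact has the 2.13.2.x patch release the comment refers to:

```xml
<!-- Parent pom.xml (illustrative placeholder, not Arrow's real parent pom) -->
<project>
  <groupId>org.example</groupId>            <!-- placeholder -->
  <artifactId>example-parent</artifactId>   <!-- placeholder -->
  <version>1.0-SNAPSHOT</version>
  <packaging>pom</packaging>

  <properties>
    <!-- jackson-core / jackson-annotations stay on the regular release line -->
    <dep.jackson.version>2.13.2</dep.jackson.version>
    <!-- jackson-databind gets its own property: the fix for CVE-2020-36518
         shipped as a databind-only patch release (2.13.2.1 / 2.13.2.2),
         so pinning it to ${dep.jackson.version} would fail to resolve -->
    <dep.jackson-databind.version>2.13.2.2</dep.jackson-databind.version>
  </properties>

  <!-- dependencyManagement sets versions once; modules inherit them -->
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>com.fasterxml.jackson.core</groupId>
        <artifactId>jackson-core</artifactId>
        <version>${dep.jackson.version}</version>
      </dependency>
      <dependency>
        <groupId>com.fasterxml.jackson.core</groupId>
        <artifactId>jackson-annotations</artifactId>
        <version>${dep.jackson.version}</version>
      </dependency>
      <dependency>
        <groupId>com.fasterxml.jackson.core</groupId>
        <artifactId>jackson-databind</artifactId>
        <version>${dep.jackson-databind.version}</version>
      </dependency>
    </dependencies>
  </dependencyManagement>
</project>

<!-- Module pom.xml (illustrative): declare the dependency WITHOUT a <version>
     element, so the parent's managed version applies and no module can drift
     back to an older, vulnerable release -->
<dependencies>
  <dependency>
    <groupId>com.fasterxml.jackson.core</groupId>
    <artifactId>jackson-databind</artifactId>
  </dependency>
</dependencies>
```

After the change, `mvn dependency:tree -Dincludes=com.fasterxml.jackson.core` on each module shows which Jackson versions are actually resolved, which is the quickest way to confirm that no module still pulls in the 2.11.4 databind artifact.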


> [Java] Upgrade jackson dependencies
> -----------------------------------
>
>                 Key: ARROW-16143
>                 URL: https://issues.apache.org/jira/browse/ARROW-16143
>             Project: Apache Arrow
>          Issue Type: Bug
>          Components: Java
>    Affects Versions: 7.0.0
>            Reporter: Hui Yu
>            Assignee: David Dali Susanibar Arce
>            Priority: Blocker
>              Labels: pull-request-available, security
>             Fix For: 8.0.0
>
>          Time Spent: 2h 20m
>  Remaining Estimate: 0h
>
> CVE-2020-36518 (https://github.com/advisories/GHSA-57j2-w4cx-62h2) reports a 
> security vulnerability for *jackson-databind*.
> Currently the version of jackson for the master branch of Arrow is *2.11.4*, 
> which is not safe.
> Can you upgrade the version of this dependency?
--
This message was sent by Atlassian Jira
(v8.20.1#820001)