[
https://issues.apache.org/jira/browse/SPARK-20433?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Andrew Ash updated SPARK-20433:
---
Description:
There was a security vulnerability recently reported to the upstream
jackson-databind project at
https://github.com/FasterXML/jackson-databind/issues/1599 which now has a fix
released.
>From my reading of that, versions 2.7.9.1, 2.8.8.1, and 2.9.0.pr3 are the
>first fixed versions in their respectful 2.X branches, and versions in the
>2.6.X line and earlier remain vulnerable. UPDATE: now the 2.6.X line has a
>patch as well: 2.6.7.1 as mentioned at
>https://github.com/FasterXML/jackson-databind/issues/1599#issuecomment-315486340
Right now Spark master branch is on 2.6.5:
https://github.com/apache/spark/blob/master/pom.xml#L164
and Hadoop branch-2.7 is on 2.2.3:
https://github.com/apache/hadoop/blob/branch-2.7/hadoop-project/pom.xml#L71
and Hadoop branch-3.0.0-alpha2 is on 2.7.8:
https://github.com/apache/hadoop/blob/branch-3.0.0-alpha2/hadoop-project/pom.xml#L74
We should bump Spark from 2.6.5 to 2.6.7.1 to get a patched version of this
library for the next Spark release.
was:
There was a security vulnerability recently reported to the upstream
jackson-databind project at
https://github.com/FasterXML/jackson-databind/issues/1599 which now has a fix
released.
>From my reading of that, versions 2.7.9.1, 2.8.8.1, and 2.9.0.pr3 are the
>first fixed versions in their respectful 2.X branches, and versions in the
>2.6.X line and earlier remain vulnerable.
Right now Spark master branch is on 2.6.5:
https://github.com/apache/spark/blob/master/pom.xml#L164
and Hadoop branch-2.7 is on 2.2.3:
https://github.com/apache/hadoop/blob/branch-2.7/hadoop-project/pom.xml#L71
and Hadoop branch-3.0.0-alpha2 is on 2.7.8:
https://github.com/apache/hadoop/blob/branch-3.0.0-alpha2/hadoop-project/pom.xml#L74
We should try to find to find a way to get on a patched version of jackson-bind
for the Spark 2.2.0 release.
> Update jackson-databind to 2.6.7.1
> --
>
> Key: SPARK-20433
> URL: https://issues.apache.org/jira/browse/SPARK-20433
> Project: Spark
> Issue Type: Improvement
> Components: Spark Core
>Affects Versions: 2.1.0
>Reporter: Andrew Ash
>Priority: Minor
>
> There was a security vulnerability recently reported to the upstream
> jackson-databind project at
> https://github.com/FasterXML/jackson-databind/issues/1599 which now has a fix
> released.
> From my reading of that, versions 2.7.9.1, 2.8.8.1, and 2.9.0.pr3 are the
> first fixed versions in their respectful 2.X branches, and versions in the
> 2.6.X line and earlier remain vulnerable. UPDATE: now the 2.6.X line has a
> patch as well: 2.6.7.1 as mentioned at
> https://github.com/FasterXML/jackson-databind/issues/1599#issuecomment-315486340
> Right now Spark master branch is on 2.6.5:
> https://github.com/apache/spark/blob/master/pom.xml#L164
> and Hadoop branch-2.7 is on 2.2.3:
> https://github.com/apache/hadoop/blob/branch-2.7/hadoop-project/pom.xml#L71
> and Hadoop branch-3.0.0-alpha2 is on 2.7.8:
> https://github.com/apache/hadoop/blob/branch-3.0.0-alpha2/hadoop-project/pom.xml#L74
> We should bump Spark from 2.6.5 to 2.6.7.1 to get a patched version of this
> library for the next Spark release.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
-
To unsubscribe, e-mail: issues-unsubscr...@spark.apache.org
For additional commands, e-mail: issues-h...@spark.apache.org