[jira] [Commented] (ARROW-16143) [Java] Upgrade jackson dependencies

2022-04-18 Thread Hui Yu (Jira)


[ https://issues.apache.org/jira/browse/ARROW-16143?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17523964#comment-17523964 ]

Hui Yu commented on ARROW-16143:


Thank you! [~dsusanibara] [~lidavidm]

> [Java] Upgrade jackson dependencies
> ---
>
> Key: ARROW-16143
> URL: https://issues.apache.org/jira/browse/ARROW-16143
> Project: Apache Arrow
>  Issue Type: Bug
>  Components: Java
>Affects Versions: 7.0.0
>Reporter: Hui Yu
>Assignee: David Dali Susanibar Arce
>Priority: Blocker
>  Labels: pull-request-available, security
> Fix For: 8.0.0
>
>  Time Spent: 4h 40m
>  Remaining Estimate: 0h
>
> CVE-2020-36518 (https://github.com/advisories/GHSA-57j2-w4cx-62h2) reports a
> security vulnerability for *jackson-databind*.
> Now the version of jackson for the master branch of Arrow is {*}2.11.4{*},
> which is not safe.
> Can you upgrade the version of this dependency?



--
This message was sent by Atlassian Jira
(v8.20.1#820001)


[jira] [Commented] (ARROW-16143) [Java] Upgrade jackson dependencies

2022-04-18 Thread David Li (Jira)


[ https://issues.apache.org/jira/browse/ARROW-16143?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17523746#comment-17523746 ]

David Li commented on ARROW-16143:
--

Yes, so: just remove the individual dependencies from arrow-jdbc and replace them
with jackson-bom, and then just remove the extra property so that we always
only depend on jackson-bom.

> [Java] Upgrade jackson dependencies
> ---
>
> Key: ARROW-16143
> URL: https://issues.apache.org/jira/browse/ARROW-16143
> Project: Apache Arrow
>  Issue Type: Bug
>  Components: Java
>Affects Versions: 7.0.0
>Reporter: Hui Yu
>Assignee: David Dali Susanibar Arce
>Priority: Blocker
>  Labels: pull-request-available, security
> Fix For: 8.0.0
>
>  Time Spent: 2h 20m
>  Remaining Estimate: 0h
>
> CVE-2020-36518 (https://github.com/advisories/GHSA-57j2-w4cx-62h2) reports a
> security vulnerability for *jackson-databind*.
> Now the version of jackson for the master branch of Arrow is {*}2.11.4{*},
> which is not safe.
> Can you upgrade the version of this dependency?





[jira] [Commented] (ARROW-16143) [Java] Upgrade jackson dependencies

2022-04-18 Thread David Dali Susanibar Arce (Jira)


[ https://issues.apache.org/jira/browse/ARROW-16143?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17523745#comment-17523745 ]

David Dali Susanibar Arce commented on ARROW-16143:
---

Sorry [~lidavidm], just read your comments.

I could suggest that the version should be defined in the parent pom.xml and not inside
modules; for this purpose, one option is to delete the jackson dependencies inside the
module and use the one defined on the parent.

I see that what is proposed in https://github.com/apache/arrow/pull/12886/files is not
able to compile because the latest jackson dependencies are moved to 2.13.2 and only
databind is moved to 2.13.2.1 or 2.13.2.2.


> [Java] Upgrade jackson dependencies
> ---
>
> Key: ARROW-16143
> URL: https://issues.apache.org/jira/browse/ARROW-16143
> Project: Apache Arrow
>  Issue Type: Bug
>  Components: Java
>Affects Versions: 7.0.0
>Reporter: Hui Yu
>Assignee: David Dali Susanibar Arce
>Priority: Blocker
>  Labels: pull-request-available, security
> Fix For: 8.0.0
>
>  Time Spent: 2h 20m
>  Remaining Estimate: 0h
>
> CVE-2020-36518 (https://github.com/advisories/GHSA-57j2-w4cx-62h2) reports a
> security vulnerability for *jackson-databind*.
> Now the version of jackson for the master branch of Arrow is {*}2.11.4{*},
> which is not safe.
> Can you upgrade the version of this dependency?





[jira] [Commented] (ARROW-16143) [Java] Upgrade jackson dependencies

2022-04-18 Thread David Dali Susanibar Arce (Jira)


[ https://issues.apache.org/jira/browse/ARROW-16143?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17523744#comment-17523744 ]

David Dali Susanibar Arce commented on ARROW-16143:
---

I see that the version is defined inside some modules; just deleted that line of
version: ${dep.jackson.version}

Question [~lidavidm]: do I need to send another PR, or could the GitHub ticket be
reopened?

> [Java] Upgrade jackson dependencies
> ---
>
> Key: ARROW-16143
> URL: https://issues.apache.org/jira/browse/ARROW-16143
> Project: Apache Arrow
>  Issue Type: Bug
>  Components: Java
>Affects Versions: 7.0.0
>Reporter: Hui Yu
>Assignee: David Dali Susanibar Arce
>Priority: Blocker
>  Labels: pull-request-available, security
> Fix For: 8.0.0
>
>  Time Spent: 2h 20m
>  Remaining Estimate: 0h
>
> CVE-2020-36518 (https://github.com/advisories/GHSA-57j2-w4cx-62h2) reports a
> security vulnerability for *jackson-databind*.
> Now the version of jackson for the master branch of Arrow is {*}2.11.4{*},
> which is not safe.
> Can you upgrade the version of this dependency?



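A Maven pom fragment, added here as an illustration and not Arrow's actual pom.xml, showing the change David Li proposes (replace the individual Jackson artifacts with jackson-bom and drop the extra property), the mixed 2.13.2 / 2.13.2.2 state that the compile-failure comment describes, and the `${dep.jackson.version}` line that was deleted from the module. The module layout is hypothetical, and the BOM version 2.13.2.20220328 is my assumption for the jackson-bom release that pins jackson-databind 2.13.2.2.

```xml
<!-- BEFORE (hypothetical module pom such as arrow-jdbc): every Jackson
     artifact carries its own version, so a security bump applied to
     jackson-databind alone leaves core/annotations on a different patch
     level. This is the mixed state the thread says does not compile. -->
<properties>
  <dep.jackson.version>2.13.2</dep.jackson.version>
</properties>
<dependencies>
  <dependency>
    <groupId>com.fasterxml.jackson.core</groupId>
    <artifactId>jackson-core</artifactId>
    <version>${dep.jackson.version}</version>
  </dependency>
  <dependency>
    <groupId>com.fasterxml.jackson.core</groupId>
    <artifactId>jackson-databind</artifactId>
    <version>2.13.2.2</version> <!-- patched for CVE-2020-36518 -->
  </dependency>
</dependencies>

<!-- AFTER: the parent pom imports the BOM once and owns the version;
     modules declare Jackson artifacts with no <version> at all, so the
     whole set moves together on the next upgrade. -->
<!-- parent pom.xml -->
<dependencyManagement>
  <dependencies>
    <dependency>
      <groupId>com.fasterxml.jackson</groupId>
      <artifactId>jackson-bom</artifactId>
      <!-- assumed: the BOM release that pins jackson-databind 2.13.2.2 -->
      <version>2.13.2.20220328</version>
      <type>pom</type>
      <scope>import</scope>
    </dependency>
  </dependencies>
</dependencyManagement>

<!-- module pom.xml: no <version>, no ${dep.jackson.version} property -->
<dependencies>
  <dependency>
    <groupId>com.fasterxml.jackson.core</groupId>
    <artifactId>jackson-core</artifactId>
  </dependency>
  <dependency>
    <groupId>com.fasterxml.jackson.core</groupId>
    <artifactId>jackson-databind</artifactId>
  </dependency>
</dependencies>
```

After the change, `mvn dependency:tree -Dincludes=com.fasterxml.jackson.core` shows every Jackson artifact resolving to the BOM-managed version, which is the quickest check that no module still pins its own copy.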


[jira] [Commented] (ARROW-16143) [Java] Upgrade jackson dependencies

2022-04-18 Thread David Li (Jira)


[ https://issues.apache.org/jira/browse/ARROW-16143?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17523739#comment-17523739 ]

David Li commented on ARROW-16143:
--

[~dsusanibara] see https://github.com/apache/arrow/pull/12886, I think we
should just make arrow-jdbc depend on jackson-bom instead of individual modules.

> [Java] Upgrade jackson dependencies
> ---
>
> Key: ARROW-16143
> URL: https://issues.apache.org/jira/browse/ARROW-16143
> Project: Apache Arrow
>  Issue Type: Bug
>  Components: Java
>Affects Versions: 7.0.0
>Reporter: Hui Yu
>Assignee: David Dali Susanibar Arce
>Priority: Blocker
>  Labels: pull-request-available, security
> Fix For: 8.0.0
>
>  Time Spent: 2h 20m
>  Remaining Estimate: 0h
>
> CVE-2020-36518 (https://github.com/advisories/GHSA-57j2-w4cx-62h2) reports a
> security vulnerability for *jackson-databind*.
> Now the version of jackson for the master branch of Arrow is {*}2.11.4{*},
> which is not safe.
> Can you upgrade the version of this dependency?





[jira] [Commented] (ARROW-16143) [Java] Upgrade jackson dependencies

2022-04-18 Thread David Dali Susanibar Arce (Jira)


[ https://issues.apache.org/jira/browse/ARROW-16143?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17523738#comment-17523738 ]

David Dali Susanibar Arce commented on ARROW-16143:
---

Hi Team, 

Let me check that.

> [Java] Upgrade jackson dependencies
> ---
>
> Key: ARROW-16143
> URL: https://issues.apache.org/jira/browse/ARROW-16143
> Project: Apache Arrow
>  Issue Type: Bug
>  Components: Java
>Affects Versions: 7.0.0
>Reporter: Hui Yu
>Assignee: David Dali Susanibar Arce
>Priority: Blocker
>  Labels: pull-request-available, security
> Fix For: 8.0.0
>
>  Time Spent: 2h 20m
>  Remaining Estimate: 0h
>
> CVE-2020-36518 (https://github.com/advisories/GHSA-57j2-w4cx-62h2) reports a
> security vulnerability for *jackson-databind*.
> Now the version of jackson for the master branch of Arrow is {*}2.11.4{*},
> which is not safe.
> Can you upgrade the version of this dependency?





[jira] [Commented] (ARROW-16143) [Java] Upgrade jackson dependencies

2022-04-17 Thread Hui Yu (Jira)


[ https://issues.apache.org/jira/browse/ARROW-16143?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17523480#comment-17523480 ]

Hui Yu commented on ARROW-16143:


Hi [~lidavidm] [~dsusanibara]

Sorry to disturb you, is the `arrow-jdbc` upgrade in progress now?

> [Java] Upgrade jackson dependencies
> ---
>
> Key: ARROW-16143
> URL: https://issues.apache.org/jira/browse/ARROW-16143
> Project: Apache Arrow
>  Issue Type: Bug
>  Components: Java
>Affects Versions: 7.0.0
>Reporter: Hui Yu
>Assignee: David Dali Susanibar Arce
>Priority: Blocker
>  Labels: pull-request-available, security
> Fix For: 8.0.0
>
>  Time Spent: 2h 20m
>  Remaining Estimate: 0h
>
> CVE-2020-36518 (https://github.com/advisories/GHSA-57j2-w4cx-62h2) reports a
> security vulnerability for *jackson-databind*.
> Now the version of jackson for the master branch of Arrow is {*}2.11.4{*},
> which is not safe.
> Can you upgrade the version of this dependency?





[jira] [Commented] (ARROW-16143) [Java] Upgrade jackson dependencies

2022-04-12 Thread Hui Yu (Jira)


[ https://issues.apache.org/jira/browse/ARROW-16143?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17521015#comment-17521015 ]

Hui Yu commented on ARROW-16143:


Hi [~lidavidm] [~asha]

Do you have any plans to address this issue recently? Thanks!

> [Java] Upgrade jackson dependencies
> ---
>
> Key: ARROW-16143
> URL: https://issues.apache.org/jira/browse/ARROW-16143
> Project: Apache Arrow
>  Issue Type: Bug
>  Components: Java
>Affects Versions: 7.0.0
>Reporter: Hui Yu
>Priority: Major
>  Labels: security
> Fix For: 7.0.1, 8.0.0, 9.0.0
>
>
> CVE-2020-36518 (https://github.com/advisories/GHSA-57j2-w4cx-62h2) reports a
> security vulnerability for *jackson-databind*.
> Now the version of jackson for the master branch of Arrow is {*}2.11.4{*},
> which is not safe.
> Can you upgrade the version of this dependency?





[jira] [Commented] (ARROW-16143) [Java] Upgrade jackson dependencies

2022-04-07 Thread David Li (Jira)


[ https://issues.apache.org/jira/browse/ARROW-16143?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17518907#comment-17518907 ]

David Li commented on ARROW-16143:
--

CC [~dsusanibara], we should get this in before 8.0.

> [Java] Upgrade jackson dependencies
> ---
>
> Key: ARROW-16143
> URL: https://issues.apache.org/jira/browse/ARROW-16143
> Project: Apache Arrow
>  Issue Type: Bug
>  Components: Java
>Affects Versions: 7.0.0
>Reporter: Hui Yu
>Priority: Major
>  Labels: security
> Fix For: 7.0.1, 8.0.0, 9.0.0
>
>
> CVE-2020-36518 (https://github.com/advisories/GHSA-57j2-w4cx-62h2) reports a
> security vulnerability for *jackson-databind*.
> Now the version of jackson for the master branch of Arrow is {*}2.11.4{*},
> which is not safe.
> Can you upgrade the version of this dependency?


