This is an automated email from the ASF dual-hosted git repository.
rmetzger pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/flink.git
The following commit(s) were added to refs/heads/master by this push:
new 412fc8c124f [FLINK-37078] Fix for jackson-mapper-asl 1.9.13
vulnerability (#25890)
412fc8c124f is described below
commit 412fc8c124f3ae4da64d28b4042680b25857bde1
Author: Anupam Aggarwal <[email protected]>
AuthorDate: Wed Apr 30 23:49:13 2025 +0530
[FLINK-37078] Fix for jackson-mapper-asl 1.9.13 vulnerability (#25890)
---
.../src/main/resources/META-INF/NOTICE | 2 +-
flink-filesystems/flink-hadoop-fs/pom.xml | 6 ++++++
pom.xml | 14 ++++++++++++++
3 files changed, 21 insertions(+), 1 deletion(-)
diff --git
a/flink-filesystems/flink-azure-fs-hadoop/src/main/resources/META-INF/NOTICE
b/flink-filesystems/flink-azure-fs-hadoop/src/main/resources/META-INF/NOTICE
index 80666b43776..b5cec2b61ec 100644
--- a/flink-filesystems/flink-azure-fs-hadoop/src/main/resources/META-INF/NOTICE
+++ b/flink-filesystems/flink-azure-fs-hadoop/src/main/resources/META-INF/NOTICE
@@ -15,7 +15,7 @@ This project bundles the following dependencies under the
Apache Software Licens
- org.apache.httpcomponents:httpclient:4.5.13
- org.apache.httpcomponents:httpcore:4.4.14
- org.codehaus.jackson:jackson-core-asl:1.9.13
-- org.codehaus.jackson:jackson-mapper-asl:1.9.13
+- org.codehaus.jackson:jackson-mapper-asl:1.9.14.jdk17-redhat-00001
- org.eclipse.jetty:jetty-util-ajax:9.3.24.v20180605
- org.eclipse.jetty:jetty-util:9.3.24.v20180605
- org.wildfly.openssl:wildfly-openssl:1.0.7.Final
diff --git a/flink-filesystems/flink-hadoop-fs/pom.xml
b/flink-filesystems/flink-hadoop-fs/pom.xml
index aa2f6237f3a..ae55f6970ed 100644
--- a/flink-filesystems/flink-hadoop-fs/pom.xml
+++ b/flink-filesystems/flink-hadoop-fs/pom.xml
@@ -59,6 +59,12 @@ under the License.
<!-- Hadoop as an optional dependency, so we can hard depend on
this without -->
<!-- pulling in Hadoop by default -->
+ <!-- Pin jackson-mapper-asl to resolve vulnerability in
hadoop-common (FLINK-37078) -->
+ <dependency>
+ <groupId>org.codehaus.jackson</groupId>
+ <artifactId>jackson-mapper-asl</artifactId>
+ <optional>true</optional>
+ </dependency>
<dependency>
<groupId>org.apache.hadoop</groupId>
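Review bot: The added comment says jackson-mapper-asl is "pinned", but the declaration carries no `<version>`, so the version this module resolves to is not visible here and presumably comes from the root pom's managed version via `jackson.mapper.asl.version`; the comment should say so, e.g. `<!-- Pin jackson-mapper-asl (version managed in the root pom via jackson.mapper.asl.version) to resolve vulnerability in hadoop-common (FLINK-37078) -->`. Note also that `<optional>true</optional>` makes this declaration non-transitive, so the override would only affect this module's own classpath and not consumers that pull hadoop-common in themselves; worth confirming that is the intended scope and stating it in the comment. The enclosing `<dependencies>` element starts outside the hunk.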
diff --git a/pom.xml b/pom.xml
index ae56a3c8ce8..7dc9468bd07 100644
--- a/pom.xml
+++ b/pom.xml
@@ -50,6 +50,12 @@ under the License.
</scm>
<repositories>
+ <!-- Add Redhat GA repository for jackson-mapper-asl -->
+ <repository>
+ <id>redhat</id>
+ <url>https://maven.repository.redhat.com/ga/</url>
+ </repository>
+
<repository>
<id>repository.jboss.org</id>
<url>https://repository.jboss.org/nexus/content/groups/public/</url>
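Review bot: The new `redhat` repository is declared unconditionally in the root pom and as the first entry under `<repositories>`, so every artifact the build resolves can be served from it, not only jackson-mapper-asl, and Maven appears to consult repositories in declaration order, so it would be asked before `repository.jboss.org`. Adding a host that can supply arbitrary build inputs for the sake of one vendor-rebuilt artifact widens the supply-chain surface; at minimum the entry should disable snapshot resolution and fail on checksum mismatch so only checksummed release artifacts can come from it, and the comment should name the artifact and issue it exists for so it can be removed once an upstream fix is available. Whether this entry is also queried ahead of central depends on the effective-POM ordering, which is not visible here.
```xml
<!-- Red Hat GA repository, added only for jackson-mapper-asl (FLINK-37078);
     release artifacts only, checksum mismatches fail the build -->
<repository>
    <id>redhat</id>
    <url>https://maven.repository.redhat.com/ga/</url>
    <releases>
        <enabled>true</enabled>
        <checksumPolicy>fail</checksumPolicy>
    </releases>
    <snapshots>
        <enabled>false</enabled>
    </snapshots>
</repository>
<!-- … unchanged: repository.jboss.org entry … -->
```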
@@ -143,6 +149,7 @@ under the License.
<curator.version>5.4.0</curator.version>
<avro.version>1.11.4</avro.version>
<!-- Version for transitive Jackson dependencies that are not
used within Flink itself.-->
+
<jackson.mapper.asl.version>1.9.14.jdk17-redhat-00001</jackson.mapper.asl.version>
<jackson-bom.version>2.18.2</jackson-bom.version>
<javax.activation.api.version>1.2.0</javax.activation.api.version>
<jaxb.api.version>2.3.1</jaxb.api.version>
@@ -326,6 +333,13 @@ under the License.
-->
<dependencies>
+ <!-- Setting default version for jackson-mapper-asl -->
+ <dependency>
+ <groupId>org.codehaus.jackson</groupId>
+ <artifactId>jackson-mapper-asl</artifactId>
+ <version>${jackson.mapper.asl.version}</version>
+ </dependency>
+
<dependency>
<groupId>org.apache.flink</groupId>
<artifactId>flink-shaded-force-shading</artifactId>