[jira] [Updated] (HUDI-195) Bump jackson-databind to prevent deserialization loophole

sivabalan narayanan (Jira) Tue, 02 Nov 2021 08:09:07 -0700


     [ 
https://issues.apache.org/jira/browse/HUDI-195?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]


sivabalan narayanan updated HUDI-195:
-------------------------------------
        Parent: HUDI-2668
    Issue Type: Sub-task  (was: Improvement)

> Bump jackson-databind to prevent deserialization loophole
> ---------------------------------------------------------
>
>                 Key: HUDI-195
>                 URL: https://issues.apache.org/jira/browse/HUDI-195
>             Project: Apache Hudi
>          Issue Type: Sub-task
>          Components: Code Cleanup, Writer Core
>            Reporter: vinoyang
>            Assignee: vinoyang
>            Priority: Major
>
> In Tencent, we can not use 2.6.4 of 
> com.fasterxml.jackson.core:jackson-databind. Because it exists 
> deserialization loophole. The description of loophole is here: 
> [https://www.cnvd.org.cn/flaw/show/CNVD-2017-04483] (unfortunately, it's a 
> Chinese web page).
> We recommend up to 2.7.9.2, 2.8.11 or 2.9.4+.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

[jira] [Updated] (HUDI-195) Bump jackson-databind to prevent deserialization loophole

Reply via email to