Sean Mackrory created HADOOP-15299:
--------------------------------------
Summary: Bump Hadoop's Jackson 2 dependency 2.9.x
Key: HADOOP-15299
URL: https://issues.apache.org/jira/browse/HADOOP-15299
Project: Hadoop Common
Issue Type: Bug
Affects Versions: 3.1.0, 3.2.0
Reporter: Sean Mackrory
Assignee: Sean Mackrory

There are a few new CVEs open against Jackson 2.7.x. It doesn't (necessarily)
mean Hadoop is vulnerable to the attack - I don't know that it is, but fixes
were released for 2.8.x and 2.9.x but not 2.7.x (which we're on). We shouldn't
be on an unmaintained line, regardless. HBase is already on 2.9.x, we have a
shaded client now, the API changes are relatively minor and so far in my
testing I haven't seen any problems. I think many of our usual reasons to
hesitate upgrading this dependency don't apply.