[ https://issues.apache.org/jira/browse/OOZIE-3650?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17474492#comment-17474492 ]
PJ Fanning commented on OOZIE-3650:
-----------------------------------

Thanks for clarifying [~asalamon74]

Looks like Spark 2.x uses old vulnerable versions of jackson too. If Oozie spark version is so tied to one that Spark uses, would it make sense to start by upgrading to [https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-databind/2.6.7.5] - this is very very similar to 2.6.5 but has some CVE issues fixed?

> upgrade jackson - ideally to v2.13.1
> ------------------------------------
>
>                 Key: OOZIE-3650
>                 URL: https://issues.apache.org/jira/browse/OOZIE-3650
>             Project: Oozie
>          Issue Type: Improvement
>            Reporter: PJ Fanning
>            Priority: Major
>
> Oozie currently has a dependency on an old version of Jackson (2.6.5) -
> [https://github.com/apache/oozie/blob/master/pom.xml#L119]
> There are a number of CVEs open affecting this version.
> https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-databind/2.6.5

--
This message was sent by Atlassian Jira
(v8.20.1#820001)