[jira] [Commented] (PARQUET-2127) Security risk in latest parquet-jackson-1.12.2.jar

Thu, 07 Apr 2022 08:59:04 -0700 


    [ 
https://issues.apache.org/jira/browse/PARQUET-2127?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17518977#comment-17518977
 ] 

ASF GitHub Bot commented on PARQUET-2127:
-----------------------------------------

JackBuggins opened a new pull request, #955:
URL: https://github.com/apache/parquet-mr/pull/955

   address the following cve 
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36518
   
   Make sure you have checked _all_ steps below.
   
   ### Jira
   
   - [x] My PR addresses the following [Parquet 
Jira](https://issues.apache.org/jira/browse/PARQUET-2127) issues and references 
them in the PR title. For example, "PARQUET-1234: My Parquet PR"
     - https://issues.apache.org/jira/browse/PARQUET-2127
     - In case you are adding a dependency, check if the license complies with 
the [ASF 3rd Party License 
Policy](https://www.apache.org/legal/resolved.html#category-x).
   
   ### Tests
   
   - [x] CI
   
   ### Commits
   
   - [x] My commits all reference Jira issues in their subject lines. In 
addition, my commits follow the guidelines from "[How to write a good git 
commit message](http://chris.beams.io/posts/git-commit/)":
     1. Subject is separated from body by a blank line
     1. Subject is limited to 50 characters (not including Jira issue reference)
     1. Subject does not end with a period
     1. Subject uses the imperative mood ("add", not "adding")
     1. Body wraps at 72 characters
     1. Body explains "what" and "why", not "how"
   
   ### Documentation
   
   - [x] In case of new functionality, my PR adds documentation that describes 
how to use it.
     - All the public functions and the classes in the PR contain Javadoc that 
explain what it does
   




> Security risk in latest parquet-jackson-1.12.2.jar
> --------------------------------------------------
>
>                 Key: PARQUET-2127
>                 URL: https://issues.apache.org/jira/browse/PARQUET-2127
>             Project: Parquet
>          Issue Type: Improvement
>            Reporter: phoebe chen
>            Priority: Major
>
> Embed jackson-databind:2.11.4 has security risk of Possible DoS if using JDK 
> serialization to serialize JsonNode 
> ([https://github.com/FasterXML/jackson-databind/issues/3328] ), upgrade to 
> 2.13.1 can fix this.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)

Reply via email to