[
https://issues.apache.org/jira/browse/DRILL-5725?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16135720#comment-16135720
]
ASF GitHub Bot commented on DRILL-5725:
---------------------------------------
GitHub user paul-rogers commented on the issue:
https://github.com/apache/drill/pull/908
A careful read of the [Maven dependency
mechanism](https://maven.apache.org/guides/introduction/introduction-to-dependency-mechanism.html)
shows that, in general, we can have conflicts. We would have a conflict if the
Drill root pom.xml added Jackson 2.7.8, but some other project pulled in an
earlier (or, eventually, later) version. Since nearest wins, the dependency for
that project would win -- for that project, and would result in two copies of
Jackson appearing in Drill's build. We've run into such problems multiple times.
But, since that is not the case here, this change is fine.
+1
> Update Jackson version to 2.7.8
> -------------------------------
>
> Key: DRILL-5725
> URL: https://issues.apache.org/jira/browse/DRILL-5725
> Project: Apache Drill
> Issue Type: Bug
> Affects Versions: 1.11.0
> Reporter: Volodymyr Vysotskyi
> Assignee: Volodymyr Vysotskyi
>
> Currently, Drill uses Jackson 2.7.1. The goal of this Jira is to update
> Jackson version to 2.7.8.
> All Jackson versions 2.7.x before 2.7.8 have [CVE-2016-7051
> vulnerability|https://nvd.nist.gov/vuln/detail/CVE-2016-7051].
> The problem was with the {{jackson-dataformat-xml}} module
> ([issue-211|https://github.com/FasterXML/jackson-dataformat-xml/issues/211]).
> Drill does not use this module yet, but we want to update the version for the
> case when we start to use this module.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
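
The nearest-wins conflict described in the comment above, as an added example (not part of the original message and not Drill's or Maven's code): a simplified Python model of Maven's version mediation run over a constructed dependency graph. The module names, `legacy-lib` and the graph itself are hypothetical; scopes, exclusions and `dependencyManagement` are not modelled.

```python
from collections import deque

# Constructed dependency graph (hypothetical coordinates, not Drill's real POMs).
# Each key is "artifact:version"; each value lists its direct dependencies in
# declaration order.
GRAPH = {
    "module-a:1.0": ["jackson-databind:2.7.8"],
    "module-b:1.0": ["legacy-lib:3.2"],
    "module-c:1.0": ["legacy-lib:3.2", "jackson-databind:2.7.8"],
    "legacy-lib:3.2": ["jackson-databind:2.7.1"],
    "jackson-databind:2.7.8": [],
    "jackson-databind:2.7.1": [],
}
FIXED = (2, 7, 8)  # the version this issue updates Jackson to


def mediate(root, graph=GRAPH):
    """Resolve one module's tree breadth-first, so the declaration nearest the
    root wins and, at equal depth, the first one declared wins.
    Returns {artifact: version}."""
    resolved, queue = {}, deque(graph[root])
    while queue:
        name, version = queue.popleft().split(":")
        if name in resolved:  # a nearer (or earlier) declaration already won
            continue
        resolved[name] = version
        queue.extend(graph.get(f"{name}:{version}", []))
    return resolved


def audit(modules, artifact="jackson-databind", graph=GRAPH):
    """Report the version of `artifact` each module resolves, whether the build
    ends up with more than one copy, and which modules resolve below FIXED."""
    per_module = {m: mediate(m, graph).get(artifact) for m in modules}
    versions = {v for v in per_module.values() if v}
    stale = sorted(m for m, v in per_module.items()
                   if v and tuple(map(int, v.split("."))) < FIXED)
    return {"per_module": per_module, "conflict": len(versions) > 1, "stale": stale}


if __name__ == "__main__":
    # module-b has no direct Jackson declaration, so the transitive 2.7.1 wins there.
    print(audit(["module-a:1.0", "module-b:1.0", "module-c:1.0"]))
```

A module that declares the dependency directly (`module-c`) overrides the older transitive version, while a module that only inherits it (`module-b`) does not, which is how two copies end up in one build.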