[ https://issues.apache.org/jira/browse/HBASE-22728?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Viraj Jasani updated HBASE-22728:
---------------------------------
    Release Note:
1. Stopped using Jackson1 (org.codehaus.jackson*) in HBase code base.
2. Upgraded to Jackson2 (com.fasterxml.jackson*) instead.
3. Stopped exposing vulnerable Jackson1 dependencies
(org.codehaus.jackson:jackson-mapper-asl:1.9.13) so that downstreamers would
not pull it in from HBase.
4. However, since Hadoop requires this dependency, put vulnerable Jackson at
compile scope in hbase-assembly module so that the generated tarball contains
this mapper jar in lib. Still, downstream applications can't pull in Jackson1
from HBase.
5. Upgraded maven assembly plugin to 3.1.1.

> Upgrade jackson dependencies in branch-1
> ----------------------------------------
>
>                 Key: HBASE-22728
>                 URL: https://issues.apache.org/jira/browse/HBASE-22728
>             Project: HBase
>          Issue Type: Sub-task
>    Affects Versions: 1.4.10, 1.3.5, 1.3.6
>            Reporter: Andrew Purtell
>            Assignee: Viraj Jasani
>            Priority: Major
>             Fix For: 1.5.0, 1.4.11
>
>         Attachments: HBASE-22728-addendum.patch, HBASE-22728-addendum.patch, 
> HBASE-22728.branch-1.01.patch, HBASE-22728.branch-1.02.patch, 
> HBASE-22728.branch-1.04.patch, HBASE-22728.branch-1.06.patch, 
> HBASE-22728.branch-1.10.patch, HBASE-22728.branch-1.11.patch, 
> HBASE-22728.branch-1.12.patch, HBASE-22728.branch-1.14.patch, 
> HBASE-22728.branch-1.15.patch, HBASE-22728.branch-1.16.patch, 
> HBASE-22728.branch-1.18.patch, HBASE-22728.branch-1.19.patch
>
>
> Avoid Jackson versions and dependencies with known CVEs



--
This message was sent by Atlassian JIRA
(v7.6.14#76016)
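
A downstream check for items 3 and 4 of the release note, as an added example that is not part of the original message or of HBase: it parses `mvn dependency:tree` text output and reports every path that brings in an `org.codehaus.jackson` artifact, separating paths that pass through HBase from those that come from elsewhere (such as Hadoop). The sample tree, the application coordinates, the Hadoop and Jackson2 versions and the function names are constructed for illustration.

```python
import re

# Constructed sample of `mvn dependency:tree` output for a hypothetical
# downstream application built against an affected HBase version.
SAMPLE_TREE = r"""
[INFO] com.example:downstream-app:jar:1.0
[INFO] +- org.apache.hbase:hbase-client:jar:1.4.10:compile
[INFO] |  +- org.codehaus.jackson:jackson-mapper-asl:jar:1.9.13:compile
[INFO] |  |  \- org.codehaus.jackson:jackson-core-asl:jar:1.9.13:compile
[INFO] |  \- com.fasterxml.jackson.core:jackson-databind:jar:2.9.9:compile
[INFO] \- org.apache.hadoop:hadoop-common:jar:2.7.7:compile
[INFO]    \- org.codehaus.jackson:jackson-jaxrs:jar:1.9.13:compile
"""

# Each tree level is drawn with one 3-character unit: "+- ", "|  ", "\- " or "   ".
# Coordinates are groupId:artifactId:type[:classifier]:version[:scope].
NODE = re.compile(
    r"^\[INFO\] ((?:\+- |\|  |\\- |   )*)([\w.\-]+(?::[\w.\-]+){3,5})\s*$"
)


def jackson1_paths(tree_text, banned_group="org.codehaus.jackson"):
    """Return the full dependency path (root first) for every banned artifact."""
    stack = []  # stack[d] is the coordinate at depth d on the current branch
    hits = []
    for line in tree_text.splitlines():
        m = NODE.match(line)
        if not m:
            continue  # skip banners, blank lines and other Maven log output
        depth = len(m.group(1)) // 3
        del stack[depth:]  # leave the previous sibling's subtree
        stack.append(m.group(2))
        if m.group(2).split(":")[0] == banned_group:
            hits.append(list(stack))
    return hits


def via_hbase(paths):
    """Keep only paths where an HBase artifact is an ancestor of the hit."""
    return [p for p in paths
            if any(c.startswith("org.apache.hbase:") for c in p[:-1])]


if __name__ == "__main__":
    for path in jackson1_paths(SAMPLE_TREE):
        origin = "HBase" if via_hbase([path]) else "other"
        print(f"[{origin}] " + " -> ".join(path))
```

Run against a tree produced with a release that carries this change, `via_hbase` is expected to return an empty list, while Jackson1 paths rooted in Hadoop may remain.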
