[jira] [Updated] (HBASE-22728) Upgrade jackson dependencies in branch-1

Fri, 16 Aug 2019 00:17:56 -0700 


     [ 
https://issues.apache.org/jira/browse/HBASE-22728?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Viraj Jasani updated HBASE-22728:
---------------------------------
    Release Note: 
1. Stopped using Jackson1(org.codehaus.jackson*) in HBase code base. 
2. Upgraded to Jackson2(com.fasterxml.jackson*) instead. 
3. Stopped exposing vulnerable Jackson1 dependencies 
(org.codehaus.jackson:jackson-mapper-asl:1.9.13) so that downstreamers would 
not pull it in from HBase.
4. However, since Hadoop requires this dependency, put vulnerable jackson at 
compile scope in hbase-assembly module so that HBase tarball contains this 
mapper jar in lib. Still, downsteam applications can't pull in Jackson1 from 
HBase.
5. Upgraded maven assembly plugin to 3.1.1.

  was:
1. Stopped using Jackson1(org.codehaus.jackson*) in HBase code base. 
2. Upgraded to Jackson2(com.fasterxml.jackson*) instead. 
3. Stopped exposing vulnerable Jackson1 dependencies 
(org.codehaus.jackson:jackson-mapper-asl:1.9.13) so that downstreamers would 
not pull it in from HBase.
4. However, since Hadoop requires this dependency, put vulnerable jackson at 
compile scope in hbase-assembly module so that tarball generated contains this 
mapper jar in lib. Still, downsteam applications can't pull in Jackson1 from 
HBase.
5. Upgraded maven assembly plugin to 3.1.1.


> Upgrade jackson dependencies in branch-1
> ----------------------------------------
>
>                 Key: HBASE-22728
>                 URL: https://issues.apache.org/jira/browse/HBASE-22728
>             Project: HBase
>          Issue Type: Sub-task
>    Affects Versions: 1.4.10, 1.3.5, 1.3.6
>            Reporter: Andrew Purtell
>            Assignee: Viraj Jasani
>            Priority: Major
>             Fix For: 1.5.0, 1.4.11
>
>         Attachments: HBASE-22728-addendum.patch, HBASE-22728-addendum.patch, 
> HBASE-22728.branch-1.01.patch, HBASE-22728.branch-1.02.patch, 
> HBASE-22728.branch-1.04.patch, HBASE-22728.branch-1.06.patch, 
> HBASE-22728.branch-1.10.patch, HBASE-22728.branch-1.11.patch, 
> HBASE-22728.branch-1.12.patch, HBASE-22728.branch-1.14.patch, 
> HBASE-22728.branch-1.15.patch, HBASE-22728.branch-1.16.patch, 
> HBASE-22728.branch-1.18.patch, HBASE-22728.branch-1.19.patch
>
>
> Avoid Jackson versions and dependencies with known CVEs



--
This message was sent by Atlassian JIRA
(v7.6.14#76016)

Reply via email to