[https://issues.apache.org/jira/browse/SPARK-32495?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17169800#comment-17169800]
Prashant Sharma commented on SPARK-32495:
-----------------------------------------
In general, upgrading the version of a dependency can have a serious impact on
the downstream users. In the above case, both of the CVEs you have mentioned
were found to be fixed in the version that Spark currently depends on. It
might be that the advisories database is not updated with it; I have tried to
ping the issues for fixing that.
Personally, I feel the version 2.6.x is not maintained by the Jackson community;
it might be affected by some security vulnerabilities that are not mentioned by
you. As we continue to release the 2.4.x line, in my opinion we should move to a
maintained version of Jackson. Therefore, I am going to make a PR and seek the
community's approval for the same.
> Update jackson-databind versions to fix various vulnerabilities.
> ----------------------------------------------------------------
>
> Key: SPARK-32495
> URL: https://issues.apache.org/jira/browse/SPARK-32495
> Project: Spark
> Issue Type: Task
> Components: Spark Core
> Affects Versions: 2.4.6
> Reporter: SHOBHIT SHUKLA
> Priority: Major
>
> As FasterXML Jackson version 2.6.7.3 is affected by CVE-2017-15095 and
> CVE-2018-5968 [https://nvd.nist.gov/vuln/detail/CVE-2018-5968], would it be
> possible to upgrade the Jackson version for spark-2.4.6 and so on (2.4.x)?