ScrapCodes opened a new pull request #29334:
URL: https://github.com/apache/spark/pull/29334


### What changes were proposed in this pull request?

Update pom with the latest release of jackson, 2.9.10 and 2.9.10.5, which have fixes for all the reported CVEs so far, as per the GitHub advisories page.

### Why are the changes needed?

Currently Apache Spark branch-2.4 depends on a jackson release which is not maintained (as per the comment in https://github.com/FasterXML/jackson-databind/issues/2186#issuecomment-667243159).

There are some CVEs reported on the issue SPARK-32495, but my understanding is that since the release is not a maintained version, the advisory info is not up to date.
And it is also possible that there are vulnerabilities which apply to the higher version and are not yet reported for the unmaintained release.

### Does this PR introduce _any_ user-facing change?

Yes, the downstream users of Spark who continue to depend on the older jackson release will have to upgrade too.
If the package is affected by a high-severity security vulnerability, it might still be a good step.

### How was this patch tested?

Existing tests.


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
[email protected]