[jira] [Commented] (PARQUET-2127) Security risk in latest parquet-jackson-1.12.2.jar

2022-05-12 Thread ASF GitHub Bot (Jira)


[ 
https://issues.apache.org/jira/browse/PARQUET-2127?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17535915#comment-17535915
 ] 

ASF GitHub Bot commented on PARQUET-2127:
-

JackBuggins commented on code in PR #955:
URL: https://github.com/apache/parquet-mr/pull/955#discussion_r871021974


##
pom.xml:
##
@@ -73,7 +73,7 @@
 com.fasterxml.jackson.core
 com.fasterxml.jackson
 2.13.2
-${jackson.version}
+2.13.2.2
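Review bot: the `+2.13.2.2` line replaces a `${jackson.version}` property reference with a literal, so jackson-databind now diverges from the `2.13.2` used by the other Jackson artifacts in this block and will silently stop following future bumps of `jackson.version`. Since the reason for the split is that jackson-databind ships separately numbered micro-patches (2.13.2.x), hold the value in its own property (the later discussion already refers to `jackson-databind.version`) and put a one-line comment beside it explaining that it must stay at or ahead of `jackson.version`; otherwise the next maintainer is likely to "tidy" it back to the shared property. It is also worth confirming in the same PR that the shaded parquet-jackson artifact named in the issue title actually repackages the bumped version, since the direct dependency line alone does not show that.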

Review Comment:
   Thanks @braiscouce





> Security risk in latest parquet-jackson-1.12.2.jar
> --
>
> Key: PARQUET-2127
> URL: https://issues.apache.org/jira/browse/PARQUET-2127
> Project: Parquet
>  Issue Type: Improvement
>Reporter: phoebe chen
>Priority: Major
>
> Embedded jackson-databind:2.11.4 has a security risk of possible DoS if using JDK 
> serialization to serialize JsonNode 
> ([https://github.com/FasterXML/jackson-databind/issues/3328]); upgrading to 
> 2.13.1 can fix this.



--
This message was sent by Atlassian Jira
(v8.20.7#820007)


[jira] [Commented] (PARQUET-2127) Security risk in latest parquet-jackson-1.12.2.jar

2022-05-11 Thread ASF GitHub Bot (Jira)


[ 
https://issues.apache.org/jira/browse/PARQUET-2127?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17534994#comment-17534994
 ] 

ASF GitHub Bot commented on PARQUET-2127:
-

braiscouce commented on code in PR #955:
URL: https://github.com/apache/parquet-mr/pull/955#discussion_r870348560


##
pom.xml:
##
@@ -73,7 +73,7 @@
 com.fasterxml.jackson.core
 com.fasterxml.jackson
 2.13.2
-${jackson.version}
+2.13.2.2

Review Comment:
   jackson-databind has a different versioning. They released two micro-patches 
to resolve a CVE. 
[Here](https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.13) there is 
more information about the release.





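A check a practitioner would want to run after this exchange, as an added example and not code from the parquet-mr project: read the jackson-databind version actually bundled inside a shaded jar such as parquet-jackson and compare it against the micro-patched floor, handling the four-component micro-patch numbering (2.13.2.2 sorts after 2.13.2, which a plain three-part comparison would miss). It assumes that the shaded jar still carries jackson-databind's Maven metadata at `META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.properties` (an assumption; parquet-jackson's shade configuration is not shown in the thread), uses the 2.13.2.2 pinned in PR #955 as the floor, and runs its self-contained demo on a constructed pom.properties sample rather than a real jar.

```shell
#!/bin/sh
# Added example (not parquet-mr project code): report which jackson-databind
# version is bundled in a shaded jar and whether it reaches the pinned floor.
#
# Assumptions, not taken from the thread:
#   - the shaded jar keeps the upstream Maven metadata at
#     META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.properties
#   - versions are numeric dotted tuples; a trailing "-qualifier" is ignored

# Numeric component $2 (1-based) of dotted version $1; missing components are 0.
# A trailing dot is appended so that a dot-free version still has a delimiter.
vercomponent() {
  c=$(printf '%s.' "$1" | cut -d. -f"$2" | sed 's/[^0-9].*//')
  printf '%s' "${c:-0}"
}

# Compare two versions component-wise over four components, so that
# jackson-databind micro-patches such as 2.13.2.2 sort after 2.13.2.
# Prints -1, 0 or 1.
vercmp() {
  i=1
  while [ "$i" -le 4 ]; do
    x=$(vercomponent "$1" "$i")
    y=$(vercomponent "$2" "$i")
    if [ "$x" -gt "$y" ]; then printf '%s' '1'; return 0; fi
    if [ "$x" -lt "$y" ]; then printf '%s' '-1'; return 0; fi
    i=$((i + 1))
  done
  printf '%s' '0'
}

# Exit status 0 when version $1 is at least floor $2, 1 otherwise.
is_fixed() {
  [ "$(vercmp "$1" "$2")" != "-1" ]
}

# Pull "version=..." out of pom.properties text read from stdin.
extract_version() {
  sed -n 's/^version=//p' | head -n 1
}

# Read the bundled jackson-databind version out of a jar (needs unzip).
jar_databind_version() {
  unzip -p "$1" \
    'META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.properties' \
    2>/dev/null | extract_version
}

# Full check against a real jar: prints a verdict, exit status 0 = ok,
# 1 = bundled copy is below the floor, 2 = no metadata found.
check_jar() {
  v=$(jar_databind_version "$1")
  if [ -z "$v" ]; then
    echo "$1: no jackson-databind pom.properties found (shade config may strip it)"
    return 2
  fi
  if is_fixed "$v" "$2"; then
    echo "$1: jackson-databind $v >= $2 (ok)"
  else
    echo "$1: jackson-databind $v < $2 (update)"
    return 1
  fi
}

# Constructed sample of the metadata a parquet-jackson-1.12.2.jar would carry
# (the thread reports it embeds jackson-databind 2.11.4).
SAMPLE_POM_PROPERTIES='#Generated by Maven
version=2.11.4
groupId=com.fasterxml.jackson.core
artifactId=jackson-databind'

# Floor taken from the version pinned in PR #955.
FLOOR=2.13.2.2

# Stand-alone demo on the constructed sample; no jar needed.
demo() {
  v=$(printf '%s\n' "$SAMPLE_POM_PROPERTIES" | extract_version)
  if is_fixed "$v" "$FLOOR"; then
    echo "bundled jackson-databind $v >= $FLOOR (ok)"
  else
    echo "bundled jackson-databind $v < $FLOOR (update)"
  fi
}

demo
# Against a real artifact:
#   check_jar ~/.m2/repository/org/apache/parquet/parquet-jackson/1.12.2/parquet-jackson-1.12.2.jar "$FLOOR"
```

Inspecting the jar itself matters here because parquet-jackson shades (repackages) Jackson: `mvn dependency:tree` on a project that consumes parquet-jackson lists only the declared parquet artifact, not the copy of jackson-databind bundled inside it, so a dependency-tree scan alone can report a project clean while the embedded 2.11.4 is still on the classpath.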




[jira] [Commented] (PARQUET-2127) Security risk in latest parquet-jackson-1.12.2.jar

2022-05-04 Thread ASF GitHub Bot (Jira)


[ 
https://issues.apache.org/jira/browse/PARQUET-2127?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17531840#comment-17531840
 ] 

ASF GitHub Bot commented on PARQUET-2127:
-

shangxinli commented on code in PR #955:
URL: https://github.com/apache/parquet-mr/pull/955#discussion_r865064710


##
pom.xml:
##
@@ -73,7 +73,7 @@
 com.fasterxml.jackson.core
 com.fasterxml.jackson
 2.13.2
-${jackson.version}
+2.13.2.2

Review Comment:
   What is the reason that we split the two versions (jackson.version, 
jackson-databind.version)?







[jira] [Commented] (PARQUET-2127) Security risk in latest parquet-jackson-1.12.2.jar

2022-05-04 Thread Brais Couce (Jira)


[ 
https://issues.apache.org/jira/browse/PARQUET-2127?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17531612#comment-17531612
 ] 

Brais Couce commented on PARQUET-2127:
--

Hi,

I see that the first PR was merged into master and there is a second PR to 
update the version again. Does this mean that this ticket will be included in 
the next version (1.13.0)? Do you know if there is a release date?

Regards.



[jira] [Commented] (PARQUET-2127) Security risk in latest parquet-jackson-1.12.2.jar

2022-04-07 Thread ASF GitHub Bot (Jira)


[ 
https://issues.apache.org/jira/browse/PARQUET-2127?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17518986#comment-17518986
 ] 

ASF GitHub Bot commented on PARQUET-2127:
-

JackBuggins commented on PR #955:
URL: https://github.com/apache/parquet-mr/pull/955#issuecomment-1091923632

   @shangxinli - would you mind taking a look at this one since you recently 
reviewed a similar change?






[jira] [Commented] (PARQUET-2127) Security risk in latest parquet-jackson-1.12.2.jar

2022-04-07 Thread ASF GitHub Bot (Jira)


[ 
https://issues.apache.org/jira/browse/PARQUET-2127?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17518977#comment-17518977
 ] 

ASF GitHub Bot commented on PARQUET-2127:
-

JackBuggins opened a new pull request, #955:
URL: https://github.com/apache/parquet-mr/pull/955

   Address the following CVE: 
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36518
   
   Make sure you have checked _all_ steps below.
   
   ### Jira
   
   - [x] My PR addresses the following [Parquet 
Jira](https://issues.apache.org/jira/browse/PARQUET-2127) issues and references 
them in the PR title. For example, "PARQUET-1234: My Parquet PR"
 - https://issues.apache.org/jira/browse/PARQUET-2127
 - In case you are adding a dependency, check if the license complies with 
the [ASF 3rd Party License 
Policy](https://www.apache.org/legal/resolved.html#category-x).
   
   ### Tests
   
   - [x] CI
   
   ### Commits
   
   - [x] My commits all reference Jira issues in their subject lines. In 
addition, my commits follow the guidelines from "[How to write a good git 
commit message](http://chris.beams.io/posts/git-commit/)":
 1. Subject is separated from body by a blank line
 1. Subject is limited to 50 characters (not including Jira issue reference)
 1. Subject does not end with a period
 1. Subject uses the imperative mood ("add", not "adding")
 1. Body wraps at 72 characters
 1. Body explains "what" and "why", not "how"
   
   ### Documentation
   
   - [x] In case of new functionality, my PR adds documentation that describes 
how to use it.
 - All the public functions and the classes in the PR contain Javadoc that 
explain what it does
   






[jira] [Commented] (PARQUET-2127) Security risk in latest parquet-jackson-1.12.2.jar

2022-03-21 Thread ASF GitHub Bot (Jira)


[ 
https://issues.apache.org/jira/browse/PARQUET-2127?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17510122#comment-17510122
 ] 

ASF GitHub Bot commented on PARQUET-2127:
-

shangxinli merged pull request #952:
URL: https://github.com/apache/parquet-mr/pull/952


   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscr...@parquet.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org




[jira] [Commented] (PARQUET-2127) Security risk in latest parquet-jackson-1.12.2.jar

2022-03-21 Thread ASF GitHub Bot (Jira)


[ 
https://issues.apache.org/jira/browse/PARQUET-2127?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17510088#comment-17510088
 ] 

ASF GitHub Bot commented on PARQUET-2127:
-

trevorurquhart opened a new pull request #952:
URL: https://github.com/apache/parquet-mr/pull/952


   ### Jira
   
   - [ ] My PR addresses the following [Parquet 
Jira](https://issues.apache.org/jira/browse/PARQUET/) issues and references 
them in the PR title. 
 - https://issues.apache.org/jira/browse/PARQUET-2127
 - In case you are adding a dependency, check if the license complies with 
the [ASF 3rd Party License 
Policy](https://www.apache.org/legal/resolved.html#category-x).
   
   ### Tests
   
   - [ ] Tests all pass with upgrade of jackson to 2.13.2
   
   ### Commits
   
   - [ ] My commits all reference Jira issues in their subject lines. In 
addition, my commits follow the guidelines from "[How to write a good git 
commit message](http://chris.beams.io/posts/git-commit/)":
 1. Subject is separated from body by a blank line
 1. Subject is limited to 50 characters (not including Jira issue reference)
 1. Subject does not end with a period
 1. Subject uses the imperative mood ("add", not "adding")
 1. Body wraps at 72 characters
 1. Body explains "what" and "why", not "how"
   
   ### Documentation
   
   - [ ] No new functionality
   






[jira] [Commented] (PARQUET-2127) Security risk in latest parquet-jackson-1.12.2.jar

2022-02-17 Thread Xinli Shang (Jira)


[ 
https://issues.apache.org/jira/browse/PARQUET-2127?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17494321#comment-17494321
 ] 

Xinli Shang commented on PARQUET-2127:
--

Thanks for reporting [~phoebemaomao]! Will you be able to come up with the fix? 
I will be happy to review and merge.
