[ https://issues.apache.org/jira/browse/AVRO-1605?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16409861#comment-16409861 ]

Mike Yoder commented on AVRO-1605:
----------------------------------

I wanted to chime in on this issue from a security perspective.  The TL;DR is that the use of jackson 1.x is dangerous.
 * The last version of jackson 1.x was 1.9.13, and that was released 5 years ago. The developers have moved to jackson 2.x and are no longer making patches for jackson 1.x.
 * A number of related security vulnerabilities have surfaced in jackson: CVE-2017-7525, CVE-2017-15095, CVE-2017-17485 and CVE-2018-5968.
 * In the wake of Equifax, many large organizations are taking the stance that "thou shalt not use third party libraries with security vulnerabilities".

You can see where this takes us.

I don't really care what the solution is, but somehow Avro needs to move to jackson 2.x.  It would seem to me to be highly sensible to get jackson out of the Avro public interface now in order for this sort of issue to not happen in the future - but hey, I'll take any solution I can get at this point.


> Remove Jackson classes from public API
> --------------------------------------
>
>                 Key: AVRO-1605
>                 URL: https://issues.apache.org/jira/browse/AVRO-1605
>             Project: Avro
>          Issue Type: Sub-task
>          Components: java
>    Affects Versions: 1.7.8
>            Reporter: Tom White
>            Assignee: Gabor Szadovszky
>            Priority: Major
>             Fix For: 1.9.0
>
>

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)