[jira] [Commented] (SPARK-32495) Update jackson-databind versions to fix various vulnerabilities.

2020-08-03 Thread Apache Spark (Jira)


[ 
https://issues.apache.org/jira/browse/SPARK-32495?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17169822#comment-17169822
 ] 

Apache Spark commented on SPARK-32495:
--

User 'ScrapCodes' has created a pull request for this issue:
https://github.com/apache/spark/pull/29334

> Update jackson-databind versions to fix various vulnerabilities.
> 
>
> Key: SPARK-32495
> URL: https://issues.apache.org/jira/browse/SPARK-32495
> Project: Spark
>  Issue Type: Task
>  Components: Spark Core
>Affects Versions: 2.4.6
>Reporter: SHOBHIT SHUKLA
>Priority: Major
>
> As Fasterxml Jackson version 2.6.7.3 is affected by the CVEs 
> CVE-2017-15095 and CVE-2018-5968 
> [https://nvd.nist.gov/vuln/detail/CVE-2018-5968], would it be possible to 
> upgrade the jackson version for spark-2.4.6 and so on (2.4.x)?



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

-
To unsubscribe, e-mail: issues-unsubscr...@spark.apache.org
For additional commands, e-mail: issues-h...@spark.apache.org



[jira] [Commented] (SPARK-32495) Update jackson-databind versions to fix various vulnerabilities.

2020-08-03 Thread Prashant Sharma (Jira)


[ 
https://issues.apache.org/jira/browse/SPARK-32495?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17169800#comment-17169800
 ] 

Prashant Sharma commented on SPARK-32495:
-

In general, upgrading the version of a dependency can have a serious impact on 
the downstream users. In the above case, both of the CVEs you have mentioned 
were found to be fixed in the version that Spark currently depends on. It 
might be that the advisories database is not updated with it; I have tried to 
ping the issues for fixing that. 

Personally, I feel the version 2.6.x is not maintained by the Jackson community, 
and it might be affected by some security vulnerabilities that are not mentioned 
by you. As we continue to release the 2.4.x line, in my opinion we should move 
to a maintained version of Jackson. Therefore, I am going to make a PR and seek 
the community's approval for the same.




[jira] [Commented] (SPARK-32495) Update jackson-databind versions to fix various vulnerabilities.

2020-08-03 Thread Prashant Sharma (Jira)


[ 
https://issues.apache.org/jira/browse/SPARK-32495?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17169756#comment-17169756
 ] 

Prashant Sharma commented on SPARK-32495:
-

As per the issues and commit: 
[https://github.com/FasterXML/jackson-databind/commit/a3939d36edcc755c8af55bdc1969e0fa8438f9db|backport-commit],
it is interesting to note that the fix for both of these CVEs did land in 2.6.7.3:

1. [https://github.com/FasterXML/jackson-databind/issues/1855]
2. [https://github.com/FasterXML/jackson-databind/issues/1899]

And it happened in 2019; those advisories seem to indicate the opposite.

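A check a maintainer could run to settle the question raised in this thread: which jackson-databind version a build actually resolves (after Maven conflict resolution), and whether that version is at or above the release that carried the fix for each CVE. This is an added example, not code from the Spark project or from anyone in the thread. The dependency-tree text is constructed to resemble `mvn dependency:tree` output; the 2.6.7.3 fix version for both CVEs is taken from the comment above, and the 2.8/2.9 entries are from the NVD descriptions of the two CVEs and should be verified against the advisories before relying on them.

```python
"""Audit the resolved jackson-databind version against per-line fix versions.

Added example, not Spark project code. Sample input is constructed; the
FIXED_IN table is an assumption (2.6 line per the Jira thread, 2.8/2.9 lines
per the NVD descriptions of the CVEs) and must be checked before use.
"""
import re

# Constructed sample resembling `mvn dependency:tree` output (not real Spark output).
# The last line is the form Maven prints for a version that lost conflict
# resolution; it never reaches the classpath and must not be reported.
SAMPLE_TREE = """\
[INFO] org.apache.spark:spark-core_2.11:jar:2.4.6
[INFO] +- com.fasterxml.jackson.core:jackson-databind:jar:2.6.7.3:compile
[INFO] |  +- com.fasterxml.jackson.core:jackson-annotations:jar:2.6.7:compile
[INFO] |  \\- com.fasterxml.jackson.core:jackson-core:jar:2.6.7:compile
[INFO] +- com.fasterxml.jackson.module:jackson-module-scala_2.11:jar:2.6.7.1:compile
[INFO] |  \\- (com.fasterxml.jackson.core:jackson-databind:jar:2.6.7.1:compile - omitted for conflict with 2.6.7.3)
"""

# Assumed fix versions keyed by maintenance line ("major.minor").
FIXED_IN = {
    "CVE-2017-15095": {"2.6": "2.6.7.3", "2.8": "2.8.11", "2.9": "2.9.1"},
    "CVE-2018-5968": {"2.6": "2.6.7.3", "2.8": "2.8.11.1", "2.9": "2.9.4"},
}

JACKSON_DATABIND = ("com.fasterxml.jackson.core", "jackson-databind")

# group:artifact:type:version:scope as printed by the Maven dependency plugin.
DEP_RE = re.compile(
    r"(?P<group>[\w.-]+):(?P<artifact>[\w.-]+):(?P<type>\w+):(?P<version>[\w.-]+):(?P<scope>\w+)"
)


def parse_tree(text):
    """Return {(group, artifact): version} for nodes that actually resolved.

    Lines marked 'omitted for ...' are conflict-resolution losers and are skipped.
    """
    resolved = {}
    for line in text.splitlines():
        if "omitted for" in line:
            continue
        m = DEP_RE.search(line)
        if m:
            resolved[(m["group"], m["artifact"])] = m["version"]
    return resolved


def version_key(v):
    """Dotted-version sort key; numeric parts compare numerically, others as text."""
    return tuple((1, int(p)) if p.isdigit() else (0, p) for p in v.split("."))


def at_least(v, minimum):
    """True if v >= minimum, padding with zeros so that 2.6.7 < 2.6.7.3."""
    a, b = version_key(v), version_key(minimum)
    n = max(len(a), len(b))
    pad = ((1, 0),)
    return a + pad * (n - len(a)) >= b + pad * (n - len(b))


def audit(resolved, fixed_in=FIXED_IN):
    """Return {cve: 'fixed' | 'vulnerable' | 'unknown-line'} for jackson-databind.

    'unknown-line' means the table has no fix version for that maintenance line,
    which is the case the thread hit: the advisory did not mention 2.6.7.3.
    """
    version = resolved.get(JACKSON_DATABIND)
    if version is None:
        return {}
    line = ".".join(version.split(".")[:2])
    report = {}
    for cve, per_line in fixed_in.items():
        fix = per_line.get(line)
        if fix is None:
            report[cve] = "unknown-line"
        else:
            report[cve] = "fixed" if at_least(version, fix) else "vulnerable"
    return report


if __name__ == "__main__":
    deps = parse_tree(SAMPLE_TREE)
    print("resolved jackson-databind:", deps.get(JACKSON_DATABIND))
    for cve, status in audit(deps).items():
        print(f"{cve}: {status}")
```

To feed it real data, capture `mvn dependency:tree -Dincludes=com.fasterxml.jackson.core` from the Spark module in question and pass the output to `parse_tree`; the point of skipping the "omitted for conflict" lines is that a scanner that greps the tree naively will flag the 2.6.7.1 that Maven discarded rather than the 2.6.7.3 that ships.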