[jira] [Created] (HADOOP-15299) Bump Hadoop's Jackson 2 dependency 2.9.x


JIRA jira@apache.org
Sean Mackrory created HADOOP-15299:
--------------------------------------

             Summary: Bump Hadoop's Jackson 2 dependency 2.9.x
                 Key: HADOOP-15299
                 URL: https://issues.apache.org/jira/browse/HADOOP-15299
             Project: Hadoop Common
          Issue Type: Bug
    Affects Versions: 3.1.0, 3.2.0
            Reporter: Sean Mackrory
            Assignee: Sean Mackrory


There are a few new CVEs open against Jackson 2.7.x. It doesn't (necessarily) mean Hadoop is vulnerable to the attack - I don't know that it is, but fixes were released for 2.8.x and 2.9.x but not 2.7.x (which we're on). We shouldn't be on an unmaintained line, regardless. HBase is already on 2.9.x, we have a shaded client now, the API changes are relatively minor and so far in my testing I haven't seen any problems. I think many of our usual reasons to hesitate upgrading this dependency don't apply.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
