@beliefer beliefer commented Sep 24, 2019

What changes were proposed in this pull request?

The current code uses com.fasterxml.jackson.core:jackson-databind:jar:2.9.9.3 and it will cause security vulnerabilities. We could get some security info from https://www.tenable.com/cve/CVE-2019-16335 and https://www.tenable.com/cve/CVE-2019-14540.

This reference reminds us to upgrade the version of jackson-databind to 2.9.10 or later.

This PR also upgrades the version of jackson to 2.9.10.

Why are the changes needed?

This PR fixes the security vulnerabilities.

Does this PR introduce any user-facing change?

No.

How was this patch tested?

Existing UT.
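
An added example, not part of the original PR or of Spark's code: a check that flags jackson-databind jars older than the 2.9.10 minimum named in the description above. It compares version parts as numbers, because a plain string comparison ranks 2.9.9.3 above 2.9.10; the jar naming pattern, the function names and the sample list are assumptions made for illustration.

```python
import re

# Minimum version taken from the PR description ("2.9.10 or later").
MIN_VERSION = (2, 9, 10)

# Assumed jar naming: jackson-databind-<dotted numeric version>.jar
# Names with qualifiers (for example -SNAPSHOT) are not matched by this pattern.
JAR_RE = re.compile(r"^jackson-databind-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text):
    """Turn '2.9.9.3' into (2, 9, 9, 3) so each part compares as a number."""
    return tuple(int(part) for part in text.split("."))


def is_outdated(version, minimum=MIN_VERSION):
    """True if version is below minimum; missing trailing parts count as 0."""
    width = max(len(version), len(minimum))
    padded_version = version + (0,) * (width - len(version))
    padded_minimum = minimum + (0,) * (width - len(minimum))
    return padded_version < padded_minimum


def find_outdated(jar_names):
    """Return (jar name, version) pairs for jackson-databind jars below MIN_VERSION."""
    hits = []
    for name in jar_names:
        match = JAR_RE.match(name.strip())
        if match and is_outdated(parse_version(match.group(1))):
            hits.append((name.strip(), match.group(1)))
    return hits


# Constructed sample input: jar names as they might appear in a dependency listing.
SAMPLE_JARS = [
    "jackson-core-2.9.9.jar",         # different artifact, ignored
    "jackson-databind-2.9.9.3.jar",   # the version the PR replaces
    "jackson-databind-2.9.10.jar",    # the version the PR upgrades to
    "jackson-databind-2.9.10.1.jar",
    "jackson-databind-2.10.0.jar",
]

if __name__ == "__main__":
    for jar, version in find_outdated(SAMPLE_JARS):
        print(f"outdated: {jar} (version {version}, minimum 2.9.10)")
```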

SparkQA commented Sep 24, 2019

Test build #111271 has finished for PR 25912 at commit 35c447d.

  • This patch fails build dependency tests.
  • This patch merges cleanly.
  • This patch adds no public classes.

Member

@srowen srowen left a comment

Yep looks OK pending updating the manifest, and tests.

@dongjoon-hyun dongjoon-hyun changed the title from "[SPARK-29226][CORE] Upgrade jackson-databind to 2.9.10 and fix vulnerabilities." to "[SPARK-29226][BUILD] Upgrade jackson-databind to 2.9.10 and fix vulnerabilities." Sep 24, 2019
@dongjoon-hyun
Member

Hi, @beliefer. I updated the PR title tag from [CORE] to [BUILD].

SparkQA commented Sep 25, 2019

Test build #111320 has finished for PR 25912 at commit 9cbd46f.

  • This patch passes all tests.
  • This patch merges cleanly.
  • This patch adds no public classes.

@dongjoon-hyun
Member

Merged to master.

@beliefer
Contributor Author

@dongjoon-hyun @srowen @wangyum Thanks for all your help.
