hadoop-common-issues mailing list archives

From "Sean Mackrory (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (HADOOP-15299) Bump Hadoop's Jackson 2 dependency 2.9.x
Date Wed, 14 Mar 2018 17:57:00 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-15299?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16398991#comment-16398991 ]

Sean Mackrory edited comment on HADOOP-15299 at 3/14/18 5:56 PM:
-----------------------------------------------------------------

Had forgotten to attach my patch. The changes in .001. are pretty minor, and basically what
I remember doing when I proposed moving to the 2.8.x (although we ended up going with 2.7,
which still addressed all the CVEs at the time). I've since run a bunch of tests on a cluster
including some Hive and Spark ones, so I'm fairly confident this isn't a major disruption.

{quote}I think we need to make sure that all client dependencies can be picked up shading{quote}

I agree! Let's make it happen.


> Bump Hadoop's Jackson 2 dependency 2.9.x
> ----------------------------------------
>
>                 Key: HADOOP-15299
>                 URL: https://issues.apache.org/jira/browse/HADOOP-15299
>             Project: Hadoop Common
>          Issue Type: Bug
>    Affects Versions: 3.1.0, 3.2.0
>            Reporter: Sean Mackrory
>            Assignee: Sean Mackrory
>            Priority: Major
>         Attachments: HADOOP-15299.001.patch
>
>
> There are a few new CVEs open against Jackson 2.7.x. It doesn't (necessarily) mean Hadoop
> is vulnerable to the attack - I don't know that it is, but fixes were released for Jackson
> 2.8.x and 2.9.x but not 2.7.x (which we're on). We shouldn't be on an unmaintained line, regardless.
> HBase is already on 2.9.x, we have a shaded client now, the API changes are relatively minor
> and so far in my testing I haven't seen any problems. I think many of our usual reasons to
> hesitate upgrading this dependency don't apply.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
