spark-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Sean Owen (JIRA)" <>
Subject [jira] [Commented] (SPARK-20433) Security issue with jackson-databind
Date Fri, 21 Apr 2017 19:04:04 GMT


Sean Owen commented on SPARK-20433:

Do we know if it even affects Spark? It sounds like another instances of the commons-collections
issue that was already patched.

> Security issue with jackson-databind
> ------------------------------------
>                 Key: SPARK-20433
>                 URL:
>             Project: Spark
>          Issue Type: Bug
>          Components: Spark Core
>    Affects Versions: 2.1.0
>            Reporter: Andrew Ash
>            Priority: Critical
>              Labels: security
> There was a security vulnerability recently reported to the upstream jackson-databind
project at which now has a fix released.
> From my reading of that, versions,, and 2.9.0.pr3 are the first fixed
versions in their respectful 2.X branches, and versions in the 2.6.X line and earlier remain
> Right now Spark master branch is on 2.6.5:
> and Hadoop branch-2.7 is on 2.2.3:
> and Hadoop branch-3.0.0-alpha2 is on 2.7.8:
> We should try to find to find a way to get on a patched version of jackson-bind for the
Spark 2.2.0 release.

This message was sent by Atlassian JIRA

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message