spark-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Sean Owen (JIRA)" <>
Subject [jira] [Updated] (SPARK-20433) Update jackson-databind to 2.6.7
Date Sat, 29 Jul 2017 06:55:00 GMT


Sean Owen updated SPARK-20433:
        Labels:   (was: security)
      Priority: Minor  (was: Major)
    Issue Type: Improvement  (was: Bug)
       Summary: Update jackson-databind to 2.6.7  (was: Security issue with jackson-databind)

OK, but that's not what this issue description says, and should be updated. A maintenance
release update sounds OK just to pick up bug fixes. I don't think it can be called a security
issue if there's no theory about how it could impact Spark.

> Update jackson-databind to 2.6.7
> --------------------------------
>                 Key: SPARK-20433
>                 URL:
>             Project: Spark
>          Issue Type: Improvement
>          Components: Spark Core
>    Affects Versions: 2.1.0
>            Reporter: Andrew Ash
>            Priority: Minor
> There was a security vulnerability recently reported to the upstream jackson-databind
project at which now has a fix released.
> From my reading of that, versions,, and 2.9.0.pr3 are the first fixed
versions in their respectful 2.X branches, and versions in the 2.6.X line and earlier remain
> Right now Spark master branch is on 2.6.5:
> and Hadoop branch-2.7 is on 2.2.3:
> and Hadoop branch-3.0.0-alpha2 is on 2.7.8:
> We should try to find to find a way to get on a patched version of jackson-bind for the
Spark 2.2.0 release.

This message was sent by Atlassian JIRA

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message