[ 
https://issues.apache.org/jira/browse/FLINK-21544?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Adam Roberts updated FLINK-21544:
---------------------------------
    Description: 
Hi everyone, in a similar manner to 
https://issues.apache.org/jira/browse/HADOOP-17555 I have done a Twistlock 
container scan and am looking at any dependencies we can upgrade to remediate 
any security issues that may be present.

 

One such contender is this: 


 "version": "2.10.1",
 "name": "com.fasterxml.jackson.core_jackson-databind",
 "path": "/opt/flink/opt/flink-python_2.11-1.11.3.jar"},

 

and so I'm wondering if we can upgrade this version to, say, 2.10.5.1, 2.12.1, 
or 2.11.4? Major bug because - surely CVEs in 2.10.1; it is quite old now as 
well (see 
[https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-core/2.10.1])

 

  was:
Hi everyone, in a similar manner to 
https://issues.apache.org/jira/browse/HADOOP-17555 I have done a Twistlock 
container scan and am looking at any dependencies we can upgrade to remediate 
any security issues that may be present.

 

One such contender is this: 

{{    \{
                "version": "2.10.1",
                "name": "com.fasterxml.jackson.core_jackson-databind",
                "path": "/opt/flink/opt/flink-python_2.11-1.11.3.jar"},}}

{{}}

and so I'm wondering if we can upgrade this version to, say, 2.10.5.1, 2.12.1, 
or 2.11.4? Major bug because - surely CVEs in 2.10.1; it is quite old now as 
well (see 
[https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-core/2.10.1])

{{}}


> Upgrade Jackson databind version from 2.10.1 used in, at least, Flink Python 
> jar
> --------------------------------------------------------------------------------
>
>                 Key: FLINK-21544
>                 URL: https://issues.apache.org/jira/browse/FLINK-21544
>             Project: Flink
>          Issue Type: Bug
>            Reporter: Adam Roberts
>            Priority: Major
>
> Hi everyone, in a similar manner to 
> https://issues.apache.org/jira/browse/HADOOP-17555 I have done a Twistlock 
> container scan and am looking at any dependencies we can upgrade to remediate 
> any security issues that may be present.
>  
> One such contender is this: 
>  "version": "2.10.1",
>  "name": "com.fasterxml.jackson.core_jackson-databind",
>  "path": "/opt/flink/opt/flink-python_2.11-1.11.3.jar"},
>  
> and so I'm wondering if we can upgrade this version to, say, 2.10.5.1, 
> 2.12.1, or 2.11.4? Major bug because - surely CVEs in 2.10.1; it is quite old 
> now as well (see 
> [https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-core/2.10.1])
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
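
One way to confirm a scanner finding like the one reported above before and after an upgrade, as an added example that is not part of the original message or of Flink's code: it reads the Maven coordinates embedded in a jar and reports a dependency older than a chosen floor (here 2.10.5.1, one of the versions the issue proposes). It assumes the jar still carries `META-INF/maven/.../pom.properties` entries; the function names and the in-memory sample jar are constructed for illustration.

```python
import io
import zipfile

# Maven writes META-INF/maven/<groupId>/<artifactId>/pom.properties into each
# artifact; fat jars often keep one per bundled dependency (assumption: the
# build did not filter these entries out).
PREFIX, SUFFIX = "META-INF/maven/", "/pom.properties"


def version_key(version):
    """'2.10.5.1' -> (2, 10, 5, 1); non-numeric parts sort lowest."""
    return tuple(int(p) if p.isdigit() else -1 for p in version.split("."))


def bundled_artifacts(jar):
    """Map (groupId, artifactId) -> version for each embedded pom.properties."""
    found = {}
    with zipfile.ZipFile(jar) as zf:
        for name in zf.namelist():
            if not (name.startswith(PREFIX) and name.endswith(SUFFIX)):
                continue
            text = zf.read(name).decode("utf-8", "replace")
            props = dict(
                (k.strip(), v.strip())
                for k, sep, v in (ln.partition("=") for ln in text.splitlines())
                if sep and not k.lstrip().startswith("#")
            )
            if {"groupId", "artifactId", "version"} <= props.keys():
                found[props["groupId"], props["artifactId"]] = props["version"]
    return found


def older_than(jar, group, artifact, minimum):
    """Return the bundled version if it is below `minimum`, else None."""
    version = bundled_artifacts(jar).get((group, artifact))
    if version is not None and version_key(version) < version_key(minimum):
        return version
    return None


def make_sample_jar(version):
    """Constructed in-memory stand-in for a fat jar (not the real Flink jar)."""
    body = ("#Generated by Maven\nversion=%s\n"
            "groupId=com.fasterxml.jackson.core\n"
            "artifactId=jackson-databind\n") % version
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(PREFIX + "com.fasterxml.jackson.core/jackson-databind"
                    + SUFFIX, body)
    return buf
```

`older_than` also accepts a path to a jar on disk; a `None` result means either the dependency meets the floor or no embedded metadata for it was found, so an empty `bundled_artifacts` result should be treated as "unknown" rather than "clean".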
