CVE for dependency jackson-databind #5225
dongjoon-hyun pushed a commit to apache/spark that referenced this issue, Jul 6, 2023:
### What changes were proposed in this pull request?
The pr aims to upgrade Jersey from 2.36 to 2.40.

### Why are the changes needed?
1. This version adapts to ASM9.5, which is also used by Spark currently: [Adopt ASM 9.5](eclipse-ee4j/jersey#5305)
2. Also fix some bugs, eg: [Fix possible NPE in netty client](eclipse-ee4j/jersey#5330), [Get media type fix](eclipse-ee4j/jersey#5282)
3. Security vulnerability fix: [CVE for dependency jackson-databind](eclipse-ee4j/jersey#5225)
4. Full Release Notes:
   https://github.com/eclipse-ee4j/jersey/releases/tag/2.40
   https://github.com/eclipse-ee4j/jersey/releases/tag/2.39
   https://github.com/eclipse-ee4j/jersey/releases/tag/2.38
   https://github.com/eclipse-ee4j/jersey/releases/tag/2.37

### Does this PR introduce _any_ user-facing change?
No.

### How was this patch tested?
Pass GA.

Closes #41874 from panbingkun/SPARK-44316.

Authored-by: panbingkun <pbk1982@gmail.com>
Signed-off-by: Dongjoon Hyun <dongjoon@apache.org>
a0x8o added a commit to a0x8o/spark that referenced this issue, Jul 6, 2023 (same commit message as above).
ragnarok56 pushed a commit to ragnarok56/spark that referenced this issue, Mar 2, 2024 (same commit message as above, with the PR reference written as apache#41874).
It looks like the current release has a dependency on a version of jackson-databind that's reporting a CVE:
https://mvnrepository.com/artifact/org.glassfish.jersey.media/jersey-media-json-jackson/3.1.0
We've worked around it via a Maven exclusion and import of the latest jackson-databind but want to report it. (A search didn't turn up any open issues, apologies if this is already known/reported.)
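The workaround the reporter describes, excluding the transitive jackson-databind that jersey-media-json-jackson 3.1.0 pulls in and declaring a newer release directly, looks like this in a Maven pom.xml. This is an added example, not the reporter's or the Jersey project's own configuration. The Jersey coordinates come from the URL above; jackson-databind's coordinates (com.fasterxml.jackson.core:jackson-databind) are its real Maven coordinates; the `jackson.version` property is a placeholder to be replaced with the jackson-databind release that fixes the CVE you are tracking.

```xml
<!-- Added example (not from the issue or the Jersey project):
     drop the transitive jackson-databind under jersey-media-json-jackson 3.1.0
     and declare a patched release explicitly. -->
<properties>
  <!-- Placeholder: set to the jackson-databind release that fixes the reported CVE -->
  <jackson.version>JACKSON_FIXED_VERSION</jackson.version>
</properties>

<dependencies>
  <dependency>
    <groupId>org.glassfish.jersey.media</groupId>
    <artifactId>jersey-media-json-jackson</artifactId>
    <version>3.1.0</version>
    <exclusions>
      <!-- Maven exclusions apply to the whole subtree of this dependency,
           so jackson-databind is removed from every path below it -->
      <exclusion>
        <groupId>com.fasterxml.jackson.core</groupId>
        <artifactId>jackson-databind</artifactId>
      </exclusion>
    </exclusions>
  </dependency>

  <!-- Explicit, patched jackson-databind. Keep jackson-core and
       jackson-annotations on the same version: databind links against
       them and a mismatched core can fail at runtime. -->
  <dependency>
    <groupId>com.fasterxml.jackson.core</groupId>
    <artifactId>jackson-databind</artifactId>
    <version>${jackson.version}</version>
  </dependency>
  <dependency>
    <groupId>com.fasterxml.jackson.core</groupId>
    <artifactId>jackson-core</artifactId>
    <version>${jackson.version}</version>
  </dependency>
  <dependency>
    <groupId>com.fasterxml.jackson.core</groupId>
    <artifactId>jackson-annotations</artifactId>
    <version>${jackson.version}</version>
  </dependency>
</dependencies>
```

After the change, confirm what actually resolved with `mvn dependency:tree -Dincludes=com.fasterxml.jackson.core` and make sure no other dependency still drags in the old databind through a different path. Pinning the version in a `<dependencyManagement>` block achieves the same override without an exclusion and is easier to maintain across modules; either way the override is a stopgap until the upstream Jersey release that bumps jackson-databind (the Spark commit above moved to Jersey 2.40 for that reason) can be adopted.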