Adam Roberts created FLINK-21544:
------------------------------------
Summary: Upgrade Jackson databind version from 2.10.1 used in, at least, Flink Python jar
Key: FLINK-21544
URL:
https://issues.apache.org/jira/browse/FLINK-21544 Project: Flink
Issue Type: Bug
Reporter: Adam Roberts
Hi everyone, in a similar manner to
https://issues.apache.org/jira/browse/HADOOP-17555 I have done a Twistlock container scan and am looking at any dependencies we can upgrade to remediate any security issues that may be present.
One such contender is this:
{{ \{
"version": "2.10.1",
"name": "com.fasterxml.jackson.core_jackson-databind",
"path": "/opt/flink/opt/flink-python_2.11-1.11.3.jar"},}}
{{}}
and so I'm wondering if we can upgrade this version to, say, 2.10.5.1, 2.12.1, or 2.11.4? Major bug because - surely CVEs in 2.10.1; it is quite old now as well (see [
https://mvnrepository.com/artifact/com.fasterxml.jackson.core/jackson-core/2.10.1)]
{{}}
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
Locked
