Conversation
Curious how this ever worked. It is assigned to a SeekableStreamEndSequenceNumbers, but Jackson expects a SeekableStreamStartSequenceNumbers.
We're already at Avatica 1.12.0, which is at Jackson 2.9.x: https://mvnrepository.com/artifact/org.apache.calcite.avatica/avatica-core/1.12.0
Rebased against master
Jackson and Guava are two libraries that always seem to cause dependency nightmares in connection with Hadoop. I would want to test this out with various Hadoop distributions before pulling the trigger. I know it's a pain but we have been burned here before. Is there any chance you are willing to do some of these tests?

I'm familiar with the pain of classpath issues in combination with Jackson, Guava etc. Currently, we don't run Druid with Hadoop, so I'm not able to test this easily. I can try to get something running in Docker, but this will take some time.

Related: #7152
leventov
left a comment
Just leaving this comment to make explicit the necessity of Hadoop tests and that no committer merges this PR without them.

Rebased onto master, just to keep up with upstream
87ee65a to 68a64a1
* Bump HttpClient to 4.5.9
* Remove Licenses file
* Revert license
* Remove duplicate dependency
* Bump HttpClient to 4.5.10

…er (apache#8598)
* bug fix for lookup leak when we remove the last lookup from lookup tier
* warnings about lookups that will never be loaded
* fix unit test
16b2fb8 to 2390797
This pull request has been marked as stale due to 60 days of inactivity. It will be closed in 4 weeks if no further activity occurs. If you think that's incorrect or this pull request should instead be reviewed, please simply write any comment. Even if closed, you can still revive the PR at any time or discuss it on the dev@druid.apache.org list. Thank you for your contributions.

This pull request/issue is no longer marked as stale.
Closing this one, this has been fixed on master. |
This fixes some CVEs:
High severity vulnerability that affects com.fasterxml.jackson.core:jackson-databind
An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Jodd-db jar (for database access for the Jodd framework) in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload.
Affected versions: < 2.7.9.4
High severity vulnerability that affects com.fasterxml.jackson.core:jackson-databind
A deserialization flaw was discovered in the jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper.
Affected versions: < 2.6.7.1
High severity vulnerability that affects com.fasterxml.jackson.core:jackson-databind
FasterXML jackson-databind before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.
Affected versions: < 2.8.11.1
High severity vulnerability that affects com.fasterxml.jackson.core:jackson-databind
A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously.
Affected versions: < 2.8.11
High severity vulnerability that affects com.fasterxml.jackson.core:jackson-databind
FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the Spring libraries are available in the classpath.
Affected versions: < 2.8.11
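The advisories above all hinge on the same configuration: default typing enabled on an ObjectMapper, so that untrusted JSON handed to readValue can name an arbitrary class in its type id and reach whatever gadget happens to be on the classpath (Jodd-db, c3p0, Spring). As an added example, not code from this PR or from Druid, here is that weak configuration beside the hardened form Jackson 2.10+ provides, where default typing can only be activated through a PolymorphicTypeValidator that allow-lists the application's own types. The Event/LoginEvent types and both JSON inputs are constructed for the demo.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class DefaultTypingDemo {

    // Constructed application types that legitimately need polymorphic handling.
    public interface Event {}
    public static class LoginEvent implements Event { public String user; }

    // The setting the advisories describe: any JSON value bound to Object (or a
    // non-concrete type) may name an arbitrary class in its type id, so every
    // gadget class on the classpath is reachable from readValue().
    // enableDefaultTyping() is deprecated since 2.10 for exactly this reason.
    static ObjectMapper weakMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping();
        return m;
    }

    // Hardened form (Jackson 2.10+): default typing is activated only through a
    // PolymorphicTypeValidator, and this one admits only subtypes of the
    // application's own Event interface. Any other type id is refused with
    // InvalidTypeIdException before the named class is instantiated.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
            .allowIfSubType(Event.class)
            .build();
        ObjectMapper m = new ObjectMapper();
        m.activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.OBJECT_AND_NON_CONCRETE);
        return m;
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs; type ids are fully qualified (binary) class names.
        String legit = "[\"DefaultTypingDemo$LoginEvent\", {\"user\": \"alice\"}]";
        String untrusted = "[\"java.util.HashMap\", {}]";

        Object ok = hardenedMapper().readValue(legit, Object.class);
        System.out.println("accepted: " + ok.getClass().getName());

        // The weak mapper instantiates whatever class the input names.
        Object any = weakMapper().readValue(untrusted, Object.class);
        System.out.println("weak mapper instantiated: " + any.getClass().getName());

        try {
            hardenedMapper().readValue(untrusted, Object.class);
        } catch (InvalidTypeIdException e) {
            System.out.println("hardened mapper rejected: " + e.getMessage());
        }
    }
}
```

Auditing for `enableDefaultTyping(` and for `@JsonTypeInfo(use = Id.CLASS)` on fields typed Object is the quickest way to find where a dependency bump alone does not close this class of issue.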