Vulnerability Reported in jackson-databind 2.6

[randallwhitman]

An issue was filed today on Spatial Framework for Hadoop regarding a vulnerability in jackson-databind 2.6 version - Esri/spatial-framework-for-hadoop#146.
In order to use a new Jackson version, Spatial Framework needs the Geometry API to be compatible with a suitable newer version of Jackson.

[randallwhitman]

Information on the vulnerability says it is fixed in 2.6.7.1 and 2.8.9, among other versions of Jackson.

[stolstov]

@randallwhitman when making this change we also should remove DepFiles folder with the jar files from the repo.

[stolstov]

@randallwhitman Should we fix this as well for the next release?

[randallwhitman]

Yes, when we make a release, let's definitely include this.
The deployed version of Jackson would matter more than the compile-dependency version.
Nevertheless, we should use the patched versions for the dependency, which will show up in dependency lists/trees.
(what do you think should be the next release - v2.1 maybe?)

[stolstov]

@randallwhitman Please, review my pull request. As a warning, people who relied on ant build would have to copy the jars manually.

[stolstov]

@alocke Could you verify this?

[alocke]

Yes, I will.

[stolstov]

Thank you Annette!