Posted to user@spark.apache.org by Rajesh Krishnamurthy <rk...@perforce.com> on 2022/02/11 22:16:55 UTC

Apache spark 3.0.3 [Spark lower version enhancements]

Hi there,

  We are just wondering if there is any agenda by the Spark community to actively engage in development activities on the 3.0.x path. I know we have the latest version of Spark with 3.2.x, but we are just wondering if there are any development plans to have the vulnerabilities fixed on the 3.0.x path that were identified on the 3.0.3 version, so that we don't need to migrate to the next major version (3.1.x in this case), but at the same time have all the vulnerabilities fixed within the minor version upgrade (e.g. 3.0.x).


Rajesh Krishnamurthy | Enterprise Architect
T: +1 510-833-7189 | M: +1 925-917-9208
http://www.perforce.com
Visit us on: Twitter <https://twitter.com/perforce> | LinkedIn <https://www.linkedin.com/company/perforce> | Facebook <https://www.facebook.com/perforce/>





Re: Apache spark 3.0.3 [Spark lower version enhancements]

Posted by Sean Owen <sr...@gmail.com>.
These kinds of static analysis have limited value to send around. It's not
clear whether any of the CVEs actually affect Spark's usage of the library.
jackson -- generally, yes, could theoretically affect Spark apps.
I can't really read this output, but it seems like the affected versions are
generally 2.9.x and lower, while Spark 3.0.3 uses 2.10.0, so I'm sort of
unclear what this is based on?

In any event, the best advice is to update Spark! If you're concerned about
3.0.3, which is EOL about now anyway, you should be updating to 3.2.


On Fri, Feb 18, 2022 at 11:36 AM Rajesh Krishnamurthy <
rkrishnamurthy@perforce.com> wrote:

> Hi Sean,
>
>   Please find the list of vulnerabilities that we identified using the trivy
> <https://github.com/aquasecurity/trivy> VA scanning tool on the Spark 3.0.3
> version. Can you also please let us know the specific EOL date planned for
> the 3.0.3 version?
>
>
> | LIBRARY | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION | TITLE |
> |---|---|---|---|---|---|
> | com.fasterxml.jackson.core:jackson-databind | CVE-2020-25649 | HIGH | 2.10.0 | 2.6.7.4, 2.9.10.7, 2.10.5.1 | jackson-databind: FasterXML DOMDeserializer insecure entity expansion is vulnerable to XML external entity... --> avd.aquasec.com/nvd/cve-2020-25649 |
> | com.fasterxml.jackson.core:jackson-databind | CVE-2017-15095 | CRITICAL | 2.2.3 | 2.7.9.2, 2.8.10, 2.9.1 | jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-7525)... --> avd.aquasec.com/nvd/cve-2017-15095 |
> | com.fasterxml.jackson.core:jackson-databind | CVE-2018-11307 | CRITICAL | 2.2.3 | 2.7.9.4, 2.8.11.2, 2.9.6 | jackson-databind: Potential information exfiltration with default typing, serialization gadget from MyBatis --> avd.aquasec.com/nvd/cve-2018-11307 |
> | com.fasterxml.jackson.core:jackson-databind | CVE-2018-14718 | CRITICAL | 2.2.3 | 2.6.7.2, 2.9.7 | jackson-databind: arbitrary code execution in slf4j-ext class --> avd.aquasec.com/nvd/cve-2018-14718 |
> | com.fasterxml.jackson.core:jackson-databind | CVE-2018-7489 | CRITICAL | 2.2.3 | 2.7.9.3, 2.8.11.1, 2.9.5 | jackson-databind: incomplete fix for CVE-2017-7525 permits unsafe serialization via c3p0 libraries --> avd.aquasec.com/nvd/cve-2018-7489 |
> | com.fasterxml.jackson.core:jackson-databind | CVE-2019-14540 | CRITICAL | 2.2.3 | 2.9.10 | jackson-databind: Serialization gadgets in com.zaxxer.hikari.HikariConfig --> avd.aquasec.com/nvd/cve-2019-14540 |
> | com.fasterxml.jackson.core:jackson-databind | CVE-2019-14893 | CRITICAL | 2.2.3 | 2.8.11.5, 2.9.10 | jackson-databind: Serialization gadgets in classes of the xalan package --> avd.aquasec.com/nvd/cve-2019-14893 |
> | com.fasterxml.jackson.core:jackson-databind | CVE-2019-16335 | CRITICAL | 2.2.3 | 2.9.10 | jackson-databind: Serialization gadgets in com.zaxxer.hikari.HikariDataSource --> avd.aquasec.com/nvd/cve-2019-16335 |
> | com.fasterxml.jackson.core:jackson-databind | CVE-2019-16942 | CRITICAL | 2.2.3 | 2.9.10.1 | jackson-databind: Serialization gadgets in org.apache.commons.dbcp.datasources.* --> avd.aquasec.com/nvd/cve-2019-16942 |
> | com.fasterxml.jackson.core:jackson-databind | CVE-2019-16943 | CRITICAL | 2.2.3 | 2.9.10.1 | jackson-databind: Serialization gadgets in com.p6spy.engine.spy.P6DataSource --> avd.aquasec.com/nvd/cve-2019-16943 |
> | com.fasterxml.jackson.core:jackson-databind | CVE-2019-17267 | CRITICAL | 2.2.3 | 2.9.10 | jackson-databind: Serialization gadgets in classes of the ehcache package --> avd.aquasec.com/nvd/cve-2019-17267 |
> | com.fasterxml.jackson.core:jackson-databind | CVE-2019-17531 | CRITICAL | 2.2.3 | 2.9.10.1 | jackson-databind: Serialization gadgets in org.apache.log4j.receivers.db.* --> avd.aquasec.com/nvd/cve-2019-17531 |
> | com.fasterxml.jackson.core:jackson-databind | CVE-2019-20330 | CRITICAL | 2.2.3 | 2.8.11.5, 2.9.10.2 | jackson-databind: lacks certain net.sf.ehcache blocking --> avd.aquasec.com/nvd/cve-2019-20330 |
> | com.fasterxml.jackson.core:jackson-databind | CVE-2018-5968 | HIGH | 2.2.3 | 2.7.9.5, 2.8.11.1, 2.9.4 | jackson-databind: unsafe deserialization due to incomplete blacklist (incomplete fix for CVE-2017-7525 and... --> avd.aquasec.com/nvd/cve-2018-5968 |
> | com.fasterxml.jackson.core:jackson-databind | CVE-2020-35490 | HIGH | 2.2.3 | 2.9.10.8 | jackson-databind: mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.PerUserPoolDataSource... --> avd.aquasec.com/nvd/cve-2020-35490 |
> | com.fasterxml.jackson.core:jackson-databind | CVE-2020-35491 | HIGH | 2.2.3 | 2.9.10.8 | jackson-databind: mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.SharedPoolDataSource... --> avd.aquasec.com/nvd/cve-2020-35491 |
> | com.fasterxml.jackson.core:jackson-databind | CVE-2018-1000873 | MEDIUM | 2.2.3 | 2.9.8 | jackson-modules-java8: DoS due to an Improper Input Validation --> avd.aquasec.com/nvd/cve-2018-1000873 |
> | com.fasterxml.jackson.core:jackson-databind | CVE-2017-15095 | CRITICAL | 2.4.0 | 2.7.9.2, 2.8.10, 2.9.1 | jackson-databind: Unsafe deserialization due to incomplete black list (incomplete fix for CVE-2017-7525)... --> avd.aquasec.com/nvd/cve-2017-15095 |
> | com.fasterxml.jackson.core:jackson-databind | CVE-2018-11307 | CRITICAL | 2.4.0 | 2.7.9.4, 2.8.11.2, 2.9.6 | jackson-databind: Potential information exfiltration with default typing, serialization gadget from MyBatis --> avd.aquasec.com/nvd/cve-2018-11307 |
> | com.fasterxml.jackson.core:jackson-databind | CVE-2018-14718 | CRITICAL | 2.4.0 | 2.6.7.2, 2.9.7 | jackson-databind: arbitrary code execution in slf4j-ext class --> avd.aquasec.com/nvd/cve-2018-14718 |
> | com.fasterxml.jackson.core:jackson-databind | CVE-2018-7489 | CRITICAL | 2.4.0 | 2.7.9.3, 2.8.11.1, 2.9.5 | jackson-databind: incomplete fix for CVE-2017-7525 permits unsafe serialization via c3p0 libraries --> avd.aquasec.com/nvd/cve-2018-7489 |
> | com.fasterxml.jackson.core:jackson-databind | CVE-2019-14540 | CRITICAL | 2.4.0 | 2.9.10 | jackson-databind: Serialization gadgets in com.zaxxer.hikari.HikariConfig --> avd.aquasec.com/nvd/cve-2019-14540 |
> | com.fasterxml.jackson.core:jackson-databind | CVE-2019-14893 | CRITICAL | 2.4.0 | 2.8.11.5, 2.9.10 | jackson-databind: Serialization gadgets in classes of the xalan package --> avd.aquasec.com/nvd/cve-2019-14893 |
> | com.fasterxml.jackson.core:jackson-databind | CVE-2019-16335 | CRITICAL | 2.4.0 | 2.9.10 | jackson-databind: Serialization gadgets in com.zaxxer.hikari.HikariDataSource --> avd.aquasec.com/nvd/cve-2019-16335 |
> | com.fasterxml.jackson.core:jackson-databind | CVE-2019-16942 | CRITICAL | 2.4.0 | 2.9.10.1 | jackson-databind: Serialization gadgets in org.apache.commons.dbcp.datasources.* --> avd.aquasec.com/nvd/cve-2019-16942 |
> | com.fasterxml.jackson.core:jackson-databind | CVE-2019-16943 | CRITICAL | 2.4.0 | 2.9.10.1 | jackson-databind: Serialization gadgets in com.p6spy.engine.spy.P6DataSource --> avd.aquasec.com/nvd/cve-2019-16943 |
> | com.fasterxml.jackson.core:jackson-databind | CVE-2019-17267 | CRITICAL | 2.4.0 | 2.9.10 | jackson-databind: Serialization gadgets in classes of the ehcache package --> avd.aquasec.com/nvd/cve-2019-17267 |
> | com.fasterxml.jackson.core:jackson-databind | CVE-2019-17531 | CRITICAL | 2.4.0 | 2.9.10.1 | jackson-databind: Serialization gadgets in org.apache.log4j.receivers.db.* --> avd.aquasec.com/nvd/cve-2019-17531 |
> | com.fasterxml.jackson.core:jackson-databind | CVE-2019-20330 | CRITICAL | 2.4.0 | 2.8.11.5, 2.9.10.2 | jackson-databind: lacks certain net.sf.ehcache blocking --> avd.aquasec.com/nvd/cve-2019-20330 |
> | com.fasterxml.jackson.core:jackson-databind | CVE-2018-5968 | HIGH | 2.4.0 | 2.7.9.5, 2.8.11.1, 2.9.4 | jackson-databind: unsafe deserialization due to incomplete blacklist (incomplete fix for CVE-2017-7525 and... --> avd.aquasec.com/nvd/cve-2018-5968 |
> | com.fasterxml.jackson.core:jackson-databind | CVE-2020-35490 | HIGH | 2.4.0 | 2.9.10.8 | jackson-databind: mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.datasources.PerUserPoolDataSource... --> avd.aquasec.com/nvd/cve-2020-35490 |
> | com.fasterxml.jackson.core:jackson-databind | CVE-2020-35491 | HIGH | 2.4.0 | 2.9.10.8 | jackson-databind: |
> mishandles the interaction                  |
> |                                             |                  |
>  |                    |                                | between
> serialization gadgets and typing, related to          |
> |                                             |                  |
>  |                    |                                |
> org.apache.commons.dbcp2.datasources.SharedPoolDataSource...  |
> |                                             |                  |
>  |                    |                                | -->
> avd.aquasec.com/nvd/cve-2020-35491                         |
> +
> +------------------+----------+
>  +--------------------------------+---------------------------------------------------------------+
> |                                             | CVE-2018-1000873 | MEDIUM
>   |                    | 2.9.8                          |
> jackson-modules-java8: DoS due                                |
> |                                             |                  |
>  |                    |                                | to an Improper
> Input Validation                               |
> |                                             |                  |
>  |                    |                                | -->
> avd.aquasec.com/nvd/cve-2018-1000873                       |
> +---------------------------------------------+------------------+
>  +--------------------+--------------------------------+---------------------------------------------------------------+
>
>
>
> On Feb 15, 2022, at 11:00 AM, Sean Owen <sr...@gmail.com> wrote:
>
> I think these are readily answerable if you look at the text of the CVEs
> and the Spark 3.0.3 release.
>
> https://nvd.nist.gov/vuln/detail/CVE-2019-17531
> concerns Jackson Databind up to 2.9.10, but you can see that 3.0.3 uses
> 2.10.0
> https://nvd.nist.gov/vuln/detail/CVE-2020-9480
> affects Spark 2.x, not 3.x
> https://nvd.nist.gov/vuln/detail/CVE-2019-0204
> does not appear related to Spark
>
> On Tue, Feb 15, 2022 at 12:40 PM Rajesh Krishnamurthy <
> rkrishnamurthy@perforce.com> wrote:
>
>> Hi Sean,
>>
>>   I am looking to fix vulnerabilities such as these in the 3.0.X
>> branch.
>>
>> 1) CVE-2019-17531
>> 2) CVE-2020-9480
>> 3) CVE-2019-0204
>>
>>
>>
>> On Feb 14, 2022, at 1:52 PM, Sean Owen <sr...@gmail.com> wrote:
>>
>> What vulnerabilities are you referring to? I'm not aware of any critical
>> outstanding issues, but not sure what you have in mind either.
>> See https://spark.apache.org/versioning-policy.html
>> - 3.0.x is EOL about now, which doesn't mean there can't be another
>> release, but I would not generally expect one.
>>
>> On Mon, Feb 14, 2022 at 3:48 PM Rajesh Krishnamurthy <
>> rkrishnamurthy@perforce.com> wrote:
>>
>>> Hi Sean,
>>>
>>>    Thanks for the response. Does the community have any plans to fix
>>> any vulnerabilities that have been identified in the 3.0.3 version? Do you
>>> have a fixed date on which 3.0.x is going to be EOL?
>>>
>>>
>>>
>>>
>>> On Feb 11, 2022, at 3:09 PM, Sean Owen <sr...@gmail.com> wrote:
>>>
>>> 3.0.x is about EOL now, and I hadn't heard anyone come forward to push a
>>> final maintenance release. Is there a specific issue you're concerned about?
>>>
>>> On Fri, Feb 11, 2022 at 4:24 PM Rajesh Krishnamurthy <
>>> rkrishnamurthy@perforce.com> wrote:
>>>
>>>> Hi there,
>>>>
>>>>   We are just wondering if there is any agenda by the Spark community
>>>> to actively engage in development activities on the 3.0.x path. I know we
>>>> have the latest version of Spark with 3.2.x, but we are just wondering if
>>>> there are any development plans to have the vulnerabilities fixed on the
>>>> 3.0.x path that were identified in the 3.0.3 version, so that we don't need
>>>> to migrate to the next major version (3.1.x in this case), but at the same
>>>> time have all the vulnerabilities fixed within the minor version upgrade
>>>> (e.g. 3.0.x).
>>>>
>>>>
>>>>
>>>>
>>>> This e-mail may contain information that is privileged or confidential.
>>>> If you are not the intended recipient, please delete the e-mail and any
>>>> attachments and notify us immediately.
>>>>
>>>>
>>>
>>> *CAUTION:* This email originated from outside of the organization. Do
>>> not click on links or open attachments unless you recognize the sender and
>>> know the content is safe.
>>>
>>
>>
>
>

Re: Apache spark 3.0.3 [Spark lower version enhancements]

Posted by Sean Owen <sr...@gmail.com>.
I think these are readily answerable if you look at the text of the CVEs
and the Spark 3.0.3 release.

https://nvd.nist.gov/vuln/detail/CVE-2019-17531 concerns Jackson Databind
up to 2.9.10, but you can see that 3.0.3 uses 2.10.0
https://nvd.nist.gov/vuln/detail/CVE-2020-9480 affects Spark 2.x, not 3.x
https://nvd.nist.gov/vuln/detail/CVE-2019-0204 does not appear related to
Spark

On Tue, Feb 15, 2022 at 12:40 PM Rajesh Krishnamurthy <
rkrishnamurthy@perforce.com> wrote:

> Hi Sean,
>
>   I am looking to fix vulnerabilities such as these in the 3.0.X
> branch.
>
> 1) CVE-2019-17531
> 2) CVE-2020-9480
> 3) CVE-2019-0204
>
>
>
> On Feb 14, 2022, at 1:52 PM, Sean Owen <sr...@gmail.com> wrote:
>
> What vulnerabilities are you referring to? I'm not aware of any critical
> outstanding issues, but not sure what you have in mind either.
> See https://spark.apache.org/versioning-policy.html
> - 3.0.x is EOL about now, which doesn't mean there can't be another
> release, but I would not generally expect one.
>
> On Mon, Feb 14, 2022 at 3:48 PM Rajesh Krishnamurthy <
> rkrishnamurthy@perforce.com> wrote:
>
>> Hi Sean,
>>
>>    Thanks for the response. Does the community have any plans to fix
>> any vulnerabilities that have been identified in the 3.0.3 version? Do you
>> have a fixed date on which 3.0.x is going to be EOL?
>>
>>
>>
>>
>> On Feb 11, 2022, at 3:09 PM, Sean Owen <sr...@gmail.com> wrote:
>>
>> 3.0.x is about EOL now, and I hadn't heard anyone come forward to push a
>> final maintenance release. Is there a specific issue you're concerned about?
>>
>> On Fri, Feb 11, 2022 at 4:24 PM Rajesh Krishnamurthy <
>> rkrishnamurthy@perforce.com> wrote:
>>
>>> Hi there,
>>>
>>>   We are just wondering if there is any agenda by the Spark community
>>> to actively engage in development activities on the 3.0.x path. I know we
>>> have the latest version of Spark with 3.2.x, but we are just wondering if
>>> there are any development plans to have the vulnerabilities fixed on the
>>> 3.0.x path that were identified in the 3.0.3 version, so that we don't need
>>> to migrate to the next major version (3.1.x in this case), but at the same
>>> time have all the vulnerabilities fixed within the minor version upgrade
>>> (e.g. 3.0.x).
>>>
>>>
>>>
>>>
>
>
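The check Sean describes above (read the CVE's affected range against the dependency version the release actually ships) as an added Python example, not code from this thread, from Apache Spark or from any scanner: it triages the jackson-databind rows of the scan table quoted earlier against a given installed version. The CVE ids and fixed versions are taken from that table and the 2.10.0 figure from Sean's reply; the findings list is constructed here, and the reading that a comma-separated "Fixed Version" cell names the first fixed release on each maintenance branch is an assumption.

```python
"""Triage dependency-scanner findings against the version a release ships.

Added example, not code from the thread, from Spark or from any scanner.
CVE ids and "Fixed Version" strings come from the quoted scan table and the
2.10.0 installed version from Sean's reply; the findings list is
constructed sample input. Assumption: a comma-separated Fixed Version
lists the first fixed release on each maintenance branch (major.minor).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Finding:
    cve: str
    fixed: List[str]                 # first fixed release per maintenance branch
    severity: Optional[str] = None   # blank in the scan table = merged with the row above


def parse_version(version: str) -> Tuple[int, ...]:
    """'2.9.10.8' -> (2, 9, 10, 8). Shorter strings are zero-padded to four
    components so that '2.10' and '2.10.0' compare equal. Only dotted numeric
    versions are handled (assumption); anything else raises ValueError."""
    parts = tuple(int(p) for p in version.strip().split("."))
    if len(parts) < 4:
        parts += (0,) * (4 - len(parts))
    return parts


def branch(v: Tuple[int, ...]) -> Tuple[int, ...]:
    """Maintenance branch of a version: its major.minor pair."""
    return v[:2]


def is_affected(installed: str, fixed_versions: List[str]) -> bool:
    """True when `installed` still lacks the fix.

    The comparison is made against the fix on the same maintenance branch
    when one is listed: a naive `installed < max(fixed)` would wrongly flag
    2.8.11.6 against "2.8.11.5, 2.9.10.2".
    """
    inst = parse_version(installed)
    fixes = [parse_version(f) for f in fixed_versions]
    if not fixes:
        return True  # no fix published at all
    same_branch = [f for f in fixes if branch(f) == branch(inst)]
    if same_branch:
        return inst < min(same_branch)
    # No fix listed for this branch. A branch newer than every fixed branch
    # was cut after the fix, so it is clean; an older or in-between branch
    # is treated as unpatched, which is the conservative reading.
    return branch(inst) <= max(branch(f) for f in fixes)


def triage(findings: List[Finding], installed: str) -> Dict[str, bool]:
    """Map each CVE id to whether the installed version is still affected."""
    return {f.cve: is_affected(installed, f.fixed) for f in findings}


# Constructed sample input: the jackson-databind rows of the quoted scan table.
SAMPLE_FINDINGS = [
    Finding("CVE-2019-17531", ["2.9.10.1"]),
    Finding("CVE-2019-20330", ["2.8.11.5", "2.9.10.2"]),
    Finding("CVE-2018-5968", ["2.7.9.5", "2.8.11.1", "2.9.4"], "HIGH"),
    Finding("CVE-2020-35490", ["2.9.10.8"]),
]


def report(findings: List[Finding], installed: str) -> List[str]:
    """One human-readable verdict line per finding."""
    lines = []
    for f in findings:
        verdict = "AFFECTED" if is_affected(installed, f.fixed) else "not affected"
        lines.append(f"{f.cve:<16} fixed in {', '.join(f.fixed):<26} "
                     f"installed {installed}: {verdict}")
    return lines


if __name__ == "__main__":
    # 2.10.0 is the jackson-databind Spark 3.0.3 ships, per the reply above;
    # 2.9.10.1 shows the branch-aware comparison flagging only the real gaps.
    for version in ("2.10.0", "2.9.10.1"):
        print("\n".join(report(SAMPLE_FINDINGS, version)))
        print()
```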

Re: Apache spark 3.0.3 [Spark lower version enhancements]

Posted by Rajesh Krishnamurthy <rk...@perforce.com>.
Hi Sean,

  I am looking to fix vulnerabilities such as these in the 3.0.X branch.

1) CVE-2019-17531
2) CVE-2020-9480
3) CVE-2019-0204



On Feb 14, 2022, at 1:52 PM, Sean Owen <sr...@gmail.com> wrote:

What vulnerabilities are you referring to? I'm not aware of any critical outstanding issues, but not sure what you have in mind either.
See https://spark.apache.org/versioning-policy.html - 3.0.x is EOL about now, which doesn't mean there can't be another release, but I would not generally expect one.

On Mon, Feb 14, 2022 at 3:48 PM Rajesh Krishnamurthy <rk...@perforce.com> wrote:
Hi Sean,

   Thanks for the response. Does the community have any plans to fix any vulnerabilities that have been identified in the 3.0.3 version? Do you have a fixed date on which 3.0.x is going to be EOL?




On Feb 11, 2022, at 3:09 PM, Sean Owen <sr...@gmail.com> wrote:

3.0.x is about EOL now, and I hadn't heard anyone come forward to push a final maintenance release. Is there a specific issue you're concerned about?

On Fri, Feb 11, 2022 at 4:24 PM Rajesh Krishnamurthy <rk...@perforce.com> wrote:
Hi there,

  We are just wondering if there is any agenda by the Spark community to actively engage in development activities on the 3.0.x path. I know we have the latest version of Spark with 3.2.x, but we are just wondering if there are any development plans to have the vulnerabilities fixed on the 3.0.x path that were identified in the 3.0.3 version, so that we don't need to migrate to the next major version (3.1.x in this case), but at the same time have all the vulnerabilities fixed within the minor version upgrade (e.g. 3.0.x).





Re: Apache spark 3.0.3 [Spark lower version enhancements]

Posted by Sean Owen <sr...@gmail.com>.
What vulnerabilities are you referring to? I'm not aware of any critical
outstanding issues, but not sure what you have in mind either.
See https://spark.apache.org/versioning-policy.html - 3.0.x is EOL about
now, which doesn't mean there can't be another release, but I would not
generally expect one.

On Mon, Feb 14, 2022 at 3:48 PM Rajesh Krishnamurthy <
rkrishnamurthy@perforce.com> wrote:

> Hi Sean,
>
>    Thanks for the response. Does the community have any plans to fix
> any vulnerabilities that have been identified in the 3.0.3 version? Do you
> have a fixed date on which 3.0.x is going to be EOL?
>
>
>
>
> On Feb 11, 2022, at 3:09 PM, Sean Owen <sr...@gmail.com> wrote:
>
> 3.0.x is about EOL now, and I hadn't heard anyone come forward to push a
> final maintenance release. Is there a specific issue you're concerned about?
>
> On Fri, Feb 11, 2022 at 4:24 PM Rajesh Krishnamurthy <
> rkrishnamurthy@perforce.com> wrote:
>
>> Hi there,
>>
>>   We are just wondering whether the Spark community has any agenda to
>> actively engage in development activities on the 3.0.x path. I know we have
>> the latest version of Spark with 3.2.x, but we are just wondering if there are any
>> development plans to have the vulnerabilities fixed on the 3.0.x path that
>> were identified in the 3.0.3 version, so that we don't need to migrate to the
>> next major version (3.1.x in this case), but at the same time have all the
>> vulnerabilities fixed within the minor version upgrade (e.g. 3.0.x).
>>
>>
>> Rajesh Krishnamurthy | Enterprise Architect
>> T: +1 510-833-7189 | M: +1 925-917-9208
>> http://www.perforce.com
>>
>

Re: Apache spark 3.0.3 [Spark lower version enhancements]

Posted by Sean Owen <sr...@gmail.com>.
3.0.x is about EOL now, and I hadn't heard anyone come forward to push a
final maintenance release. Is there a specific issue you're concerned about?

On Fri, Feb 11, 2022 at 4:24 PM Rajesh Krishnamurthy <
rkrishnamurthy@perforce.com> wrote:

> Hi there,
>
>   We are just wondering whether the Spark community has any agenda to
> actively engage in development activities on the 3.0.x path. I know we have
> the latest version of Spark with 3.2.x, but we are just wondering if there are any
> development plans to have the vulnerabilities fixed on the 3.0.x path that
> were identified in the 3.0.3 version, so that we don't need to migrate to the
> next major version (3.1.x in this case), but at the same time have all the
> vulnerabilities fixed within the minor version upgrade (e.g. 3.0.x).
>
>
> Rajesh Krishnamurthy | Enterprise Architect
> T: +1 510-833-7189 | M: +1 925-917-9208
> http://www.perforce.com
>