Posted to issues@spark.apache.org by "Sean R. Owen (Jira)" <ji...@apache.org> on 2021/03/12 17:58:00 UTC

[jira] [Resolved] (SPARK-34617) CVEs in the library dependencies

     [ https://issues.apache.org/jira/browse/SPARK-34617?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sean R. Owen resolved SPARK-34617.
----------------------------------
    Resolution: Not A Problem

You're welcome to propose dependency updates in a PR if they're easy to take, just in case.
But we don't generally act on static reports like these unless there's any plausible theory it affects Spark.

Jackson seems to be the main thing here, but we're already on 2.11.4? Reopen if you think there's something not already resolved that affects Spark.

> CVEs in the library dependencies
> --------------------------------
>
>                 Key: SPARK-34617
>                 URL: https://issues.apache.org/jira/browse/SPARK-34617
>             Project: Spark
>          Issue Type: Bug
>          Components: PySpark
>    Affects Versions: 3.1.1
>            Reporter: Douglas Gerhardt
>            Priority: Critical
>
> Hi, I found various CVEs in dependency libraries bundled in pyspark shaded JARs, such as 
>  * htrace-core4-4.1.0-incubating.jar:jackson-databind
> with very old versions that are being flagged up in my vulnerability scans.
> Are these already being addressed? If not, could you please update the references to newer versions?
> |CVE ID|Type|Severity|Packages|Package Version|CVSS|Fix Status|
> |CVE-2017-18640|java|high|org.yaml_snakeyaml|1.24|7.5|fixed in 1.26|
> |CVE-2020-25649|java|high|com.fasterxml.jackson.core_jackson-databind|2.10.0|7.5|fixed in 2.10.5.1, 2.9.10.7, 2.6.7.4|
> |CVE-2020-35491|java|high|com.fasterxml.jackson.core_jackson-databind|2.4.0|8.1|fixed in 2.9.10.8|
> |CVE-2020-35490|java|high|com.fasterxml.jackson.core_jackson-databind|2.4.0|8.1|fixed in 2.9.10.8|
> |CVE-2018-14718|java|critical|com.fasterxml.jackson.core_jackson-databind|2.4.0|9.8|fixed in 2.9.7|
> |CVE-2018-7489|java|critical|com.fasterxml.jackson.core_jackson-databind|2.4.0|9.8|fixed in 2.9.5, 2.8.11.1, 2.7.9.3|
> |CVE-2019-17195|java|critical|com.nimbusds_nimbus-jose-jwt|4.41.1|9.8|fixed in 7.9|
>
> Similar issues, for reference:
>  # CAMEL-14640
>  # https://issues.apache.org/jira/browse/HADOOP-16690
>  # ZEPPELIN-4657

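As an added example (not from the issue, nor Spark or htrace code), a Python check that shows why a scanner reports jackson-databind 2.4.0 while Spark's own dependency is 2.11.4: it opens each JAR, reads the bundled jackson-databind pom.properties (assuming the shading step kept it under META-INF/maven) and notes whether the classes were relocated under a shaded package, then compares that version with the fix versions from the table above. The sample JARs are constructed in memory and are not real htrace artifacts.

```python
import io
import zipfile

# Fix versions on the 2.9 line, taken from the issue's scan table.
FIXED_IN = {"CVE-2018-7489": "2.9.5", "CVE-2018-14718": "2.9.7", "CVE-2020-35490": "2.9.10.8"}
# Assumption: the shade step kept the original pom.properties under META-INF/maven.
POM_PROPS = "META-INF/maven/com.fasterxml.jackson.core/jackson-databind/pom.properties"

def parse_version(v):
    """'2.9.10.8' -> (2, 9, 10, 8); shorter versions are zero-padded so they compare."""
    parts = tuple(int(p) for p in v.split("."))
    return parts + (0,) * (4 - len(parts))

def bundled_jackson_version(jar_bytes):
    """(version, relocated) for a jackson-databind copy inside the jar, else None.
    relocated=True means the classes sit under a shaded package, so the
    top-level dependency version says nothing about this copy."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = zf.namelist()
        if POM_PROPS not in names:
            return None
        lines = zf.read(POM_PROPS).decode().splitlines()
        props = dict(ln.split("=", 1) for ln in lines if "=" in ln and not ln.startswith("#"))
        relocated = not any(n.startswith("com/fasterxml/jackson/databind/") for n in names)
        return props["version"], relocated

def vulnerable_to(version):
    """CVE ids from FIXED_IN whose fix version is newer than the bundled version."""
    return sorted(c for c, fixed in FIXED_IN.items() if parse_version(version) < parse_version(fixed))

def audit(jars):
    """{jar name: bytes} -> {jar name: (version, relocated, [cve, ...])} for jars with a copy."""
    report = {}
    for name, data in jars.items():
        found = bundled_jackson_version(data)
        if found:
            report[name] = (found[0], found[1], vulnerable_to(found[0]))
    return report

def build_sample_jar(version, class_prefix):
    """Constructed stand-in for a jar bundling jackson-databind (not a real artifact)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(POM_PROPS, f"#generated\nversion={version}\nartifactId=jackson-databind\n")
        zf.writestr(class_prefix + "ObjectMapper.class", b"\xca\xfe\xba\xbe")
    return buf.getvalue()
```

Running `audit` over a constructed htrace-style jar (classes under `org/apache/htrace/shaded/fasterxml/jackson/databind/`, version 2.4.0) beside a plain 2.11.4 jar reports only the shaded copy as below the listed fix versions.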
--
This message was sent by Atlassian Jira
(v8.3.4#803005)