[GitHub] [spark] bjornjorgensen opened a new pull request, #36544: [SPARK-39183] upgrade xerces

[GitBox <gi...@apache.org>]

bjornjorgensen opened a new pull request, #36544:
URL: https://github.com/apache/spark/pull/36544

   
   ### What changes were proposed in this pull request?
   Upgrade Apache Xerces Java to 2.12.2
   
   
   ### Why are the changes needed?
   [Infinite Loop in Apache Xerces Java](https://github.com/advisories/GHSA-h65f-jvqw-m9fj)
   
   There's a vulnerability within the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads. This causes, the XercesJ XML parser to wait in an infinite loop, which may sometimes consume system resources for prolonged duration. This vulnerability is present within XercesJ version 2.12.1 and the previous versions.
   
   References
   https://nvd.nist.gov/vuln/detail/CVE-2022-23437
   https://lists.apache.org/thread/6pjwm10bb69kq955fzr1n0nflnjd27dl
   http://www.openwall.com/lists/oss-security/2022/01/24/3
   https://www.oracle.com/security-alerts/cpuapr2022.html
   
   
   ### Does this PR introduce _any_ user-facing change?
   No.
   
   
   ### How was this patch tested?
   Pass GA.
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: reviews-unsubscribe@spark.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: reviews-unsubscribe@spark.apache.org
For additional commands, e-mail: reviews-help@spark.apache.org

[GitHub] [spark] srowen commented on pull request #36544: [SPARK-39183][BUILD] Upgrade Apache Xerces Java to 2.12.2

[GitBox <gi...@apache.org>]

srowen commented on PR #36544:
URL: https://github.com/apache/spark/pull/36544#issuecomment-1128225167

   Merged to master/3.3/3.2


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: reviews-unsubscribe@spark.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: reviews-unsubscribe@spark.apache.org
For additional commands, e-mail: reviews-help@spark.apache.org

[GitHub] [spark] srowen closed pull request #36544: [SPARK-39183][BUILD] Upgrade Apache Xerces Java to 2.12.2

[GitBox <gi...@apache.org>]

srowen closed pull request #36544: [SPARK-39183][BUILD] Upgrade Apache Xerces Java to 2.12.2
URL: https://github.com/apache/spark/pull/36544


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: reviews-unsubscribe@spark.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: reviews-unsubscribe@spark.apache.org
For additional commands, e-mail: reviews-help@spark.apache.org

[GitHub] [spark] AmplabJenkins commented on pull request #36544: [SPARK-39183][BUILD] Upgrade Apache Xerces Java to 2.12.2

[GitBox <gi...@apache.org>]

AmplabJenkins commented on PR #36544:
URL: https://github.com/apache/spark/pull/36544#issuecomment-1126831264

   Can one of the admins verify this patch?


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: reviews-unsubscribe@spark.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: reviews-unsubscribe@spark.apache.org
For additional commands, e-mail: reviews-help@spark.apache.org