You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@spark.apache.org by "Steve Loughran (JIRA)" <ji...@apache.org> on 2016/03/01 19:24:18 UTC

[jira] [Resolved] (SPARK-13471) Upgrade spark-project hive 1.2.1 jar to one with a groovy 2.4.4 dependency

     [ https://issues.apache.org/jira/browse/SPARK-13471?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Steve Loughran resolved SPARK-13471.
------------------------------------
    Resolution: Won't Fix

> Upgrade spark-project hive 1.2.1 jar to one with a groovy 2.4.4 dependency
> --------------------------------------------------------------------------
>
>                 Key: SPARK-13471
>                 URL: https://issues.apache.org/jira/browse/SPARK-13471
>             Project: Spark
>          Issue Type: Improvement
>          Components: SQL
>    Affects Versions: 1.6.0
>            Reporter: Steve Loughran
>
> The version of groovy that Hive 1.2.1 is built with contains a serialization vulnerability, 
> While this shouldn't expose Spark to any attacks (it doesn't need the groovy artifacts to work), the POMs may still export that transitive groovy dependency.
> Fix: declare that org.spark-project.hive depends on groovy 2.4.4, rebuild and republish, update spark dependencies to new version



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@spark.apache.org
For additional commands, e-mail: issues-help@spark.apache.org