You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@spark.apache.org by "Steve Loughran (JIRA)" <ji...@apache.org> on 2016/03/01 19:24:18 UTC
[jira] [Resolved] (SPARK-13471) Upgrade spark-project hive 1.2.1
jar to one with a groovy 2.4.4 dependency
[ https://issues.apache.org/jira/browse/SPARK-13471?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Steve Loughran resolved SPARK-13471.
------------------------------------
Resolution: Won't Fix
> Upgrade spark-project hive 1.2.1 jar to one with a groovy 2.4.4 dependency
> --------------------------------------------------------------------------
>
> Key: SPARK-13471
> URL: https://issues.apache.org/jira/browse/SPARK-13471
> Project: Spark
> Issue Type: Improvement
> Components: SQL
> Affects Versions: 1.6.0
> Reporter: Steve Loughran
>
> The version of groovy that Hive 1.2.1 is built with contains a serialization vulnerability,
> While this shouldn't expose Spark to any attacks (it doesn't need the groovy artifacts to work), the POMs may still export that transitive groovy dependency.
> Fix: declare that org.spark-project.hive depends on groovy 2.4.4, rebuild and republish, update spark dependencies to new version
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@spark.apache.org
For additional commands, e-mail: issues-help@spark.apache.org