[jira] [Resolved] (SPARK-38262) Upgrade Google guava to version 30.0-jre

["Sean R. Owen (Jira)" <ji...@apache.org>]

     [ https://issues.apache.org/jira/browse/SPARK-38262?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sean R. Owen resolved SPARK-38262.
----------------------------------
    Resolution: Duplicate

yes, this is a duplicate. Been discussed many times.

> Upgrade Google guava to version 30.0-jre
> ----------------------------------------
>
>                 Key: SPARK-38262
>                 URL: https://issues.apache.org/jira/browse/SPARK-38262
>             Project: Spark
>          Issue Type: Bug
>          Components: Build
>    Affects Versions: 3.3.0
>            Reporter: Bjørn Jørgensen
>            Priority: Major
>
> This is duplicated many times like in [SPARK-32502|https://issues.apache.org/jira/browse/SPARK-32502]  
> Apache Spark is using com.google.guava:guava version 14.0.1 which has two security issues.
> [CVE-2018-10237|https://nvd.nist.gov/vuln/detail/CVE-2018-10237] 
> [CVE-2020-8908|https://nvd.nist.gov/vuln/detail/CVE-2020-8908] 
> We should upgrade to [version 30.0|https://mvnrepository.com/artifact/com.google.guava/guava/30.0-jre] 
> I will add some links to what I have found about this issue 
> [HIVE-25617:fix bug introduced by CVE-2020-8908|https://github.com/apache/hive/pull/2725]
> [Upgrade Guava to 27|https://github.com/apache/druid/pull/10683]     
> [HIVE-21961: Upgrade Hadoop to 3.1.4, Guava to 27.0-jre and Jetty to 9.4.20.v20190813|https://github.com/apache/hive/pull/1821]   
> [Shade Guava manually|https://github.com/apache/druid/issues/6942] 
> [[DISCUSS] Hadoop 3, dropping support for Hadoop 2.x|https://lists.apache.org/thread/zmc389trnkh6x444so8mdb2h0x0noqq4]     



--
This message was sent by Atlassian Jira
(v8.20.1#820001)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@spark.apache.org
For additional commands, e-mail: issues-help@spark.apache.org