Posted to reviews@spark.apache.org by GitBox <gi...@apache.org> on 2022/02/23 12:17:54 UTC

[GitHub] [spark] bjornjorgensen opened a new pull request #35630: Upgrade h2 from 2.0.204 to 2.1.210 in /sql/core

bjornjorgensen opened a new pull request #35630:
URL: https://github.com/apache/spark/pull/35630


   ### What changes were proposed in this pull request?
   Bump h2 from 2.0.204 to 2.1.210 in /sql/core
   
   ### Why are the changes needed?
   [Arbitrary code execution in H2 Console](https://github.com/advisories/GHSA-45hx-wfhj-473x)
   and
   [CVE-2021-42392](https://nvd.nist.gov/vuln/detail/CVE-2021-42392)
    
   ### Does this PR introduce _any_ user-facing change?
   Some users use remote security scanners and this is one of the issues that comes up. How this can do some damage with Spark is highly uncertain, but let's remove the uncertainty that any user may have.
   
   
   ### How was this patch tested?
   All tests must pass.
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: reviews-unsubscribe@spark.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: reviews-unsubscribe@spark.apache.org
For additional commands, e-mail: reviews-help@spark.apache.org


[GitHub] [spark] srowen commented on pull request #35630: [SPARK-38287][BUILD][SQL] Upgrade `h2` from 2.0.204 to 2.1.210 in /sql/core

Posted by GitBox <gi...@apache.org>.
srowen commented on pull request #35630:
URL: https://github.com/apache/spark/pull/35630#issuecomment-1048763930


   Looking OK though you may have to run `./dev/test-dependencies.sh --replace_manifest` to update the files we use to detect dependency changes.
   
   But it's a test-only dependency, so this doesn't actually affect Spark at runtime, and may not show up.
   
   I think it's OK to update, but Spark wouldn't be susceptible to any CVE if it does not use h2 itself. Is the security scanner flagging test-only dependencies or marking them as such? If not, it should; if it does, you can generally not worry about them as an end user. But if they're trivial to update, sure.


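The triage srowen describes, as an added example that is not part of the PR or of Spark's own code: it parses `mvn dependency:list` output (the sample below is constructed; only the h2 line mirrors the PR) and reports whether a flagged artifact is pulled in anywhere outside test scope, plus a numeric version check that the bump reaches a given fix version.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Maven coordinate as printed by `mvn dependency:list` / `dependency:tree`:
# groupId:artifactId:type[:classifier]:version:scope
COORD_RE = re.compile(
    r"(?P<group>[\w.\-]+):(?P<artifact>[\w.\-]+):(?P<type>[\w\-]+)"
    r"(?::(?P<classifier>[\w.\-]+))?:(?P<version>[\w.\-]+)"
    r":(?P<scope>compile|provided|runtime|test|system)\b"
)

@dataclass(frozen=True)
class Dep:
    group: str
    artifact: str
    version: str
    scope: str

def parse_maven_deps(output: str) -> list[Dep]:
    """Extract coordinates from plugin output; lines without one are skipped."""
    return [Dep(m["group"], m["artifact"], m["version"], m["scope"])
            for line in output.splitlines() if (m := COORD_RE.search(line))]

def scopes_for(deps: list[Dep], group: str, artifact: str) -> list[str]:
    """All scopes in which the given artifact is pulled into the module."""
    return sorted({d.scope for d in deps if (d.group, d.artifact) == (group, artifact)})

def reachable_at_runtime(deps: list[Dep], group: str, artifact: str) -> bool:
    """A `test`-only dependency never reaches the packaged classpath, so a CVE in
    it cannot affect the shipped application; any other scope needs a real look."""
    return any(s != "test" for s in scopes_for(deps, group, artifact))

def version_tuple(v: str) -> tuple[int, ...]:
    """Numeric comparison of dotted versions, e.g. to confirm a bump reaches the fix."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

# Constructed sample of `mvn dependency:list` output for one module; the
# org.example lines are made-up placeholders.
SAMPLE_OUTPUT = """\
[INFO] --- maven-dependency-plugin:3.1.1:list (default-cli) @ spark-sql_2.12 ---
[INFO]    com.h2database:h2:jar:2.0.204:test
[INFO]    org.example:test-helper:jar:tests:1.0.0:test
[INFO]    org.example:runtime-lib:jar:1.0.0:compile
"""

if __name__ == "__main__":
    deps = parse_maven_deps(SAMPLE_OUTPUT)
    print("h2 scopes:", scopes_for(deps, "com.h2database", "h2"))
    print("h2 reachable at runtime:", reachable_at_runtime(deps, "com.h2database", "h2"))
```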


[GitHub] [spark] bjornjorgensen commented on pull request #35630: [SPARK-38287][BUILD][SQL][TESTS] Upgrade `h2` from 2.0.204 to 2.1.210 in /sql/core

Posted by GitBox <gi...@apache.org>.
bjornjorgensen commented on pull request #35630:
URL: https://github.com/apache/spark/pull/35630#issuecomment-1049109727


   @dongjoon-hyun Yes, here is the original [Bump h2 from 2.0.204 to 2.1.210 in /sql/core](https://github.com/bjornjorgensen/spark/pull/2)




[GitHub] [spark] dongjoon-hyun commented on pull request #35630: [SPARK-38287][BUILD][SQL][TESTS] Upgrade `h2` from 2.0.204 to 2.1.210 in /sql/core

Posted by GitBox <gi...@apache.org>.
dongjoon-hyun commented on pull request #35630:
URL: https://github.com/apache/spark/pull/35630#issuecomment-1049115650


   Thank you for updates. Merged to master for Apache Spark 3.3.0.




[GitHub] [spark] bjornjorgensen commented on pull request #35630: [SPARK-38287][BUILD][SQL] Upgrade `h2` from 2.0.204 to 2.1.210 in /sql/core

Posted by GitBox <gi...@apache.org>.
bjornjorgensen commented on pull request #35630:
URL: https://github.com/apache/spark/pull/35630#issuecomment-1048777565


   More info about the scanner: [About alerts for vulnerable dependencies](https://docs.github.com/en/code-security/supply-chain-security/managing-vulnerabilities-in-your-projects-dependencies/about-alerts-for-vulnerable-dependencies)




[GitHub] [spark] dongjoon-hyun closed pull request #35630: [SPARK-38287][BUILD][SQL][TESTS] Upgrade `h2` from 2.0.204 to 2.1.210 in /sql/core

Posted by GitBox <gi...@apache.org>.
dongjoon-hyun closed pull request #35630:
URL: https://github.com/apache/spark/pull/35630


   




[GitHub] [spark] bjornjorgensen commented on pull request #35630: [SPARK-38287][BUILD][SQL] Upgrade `h2` from 2.0.204 to 2.1.210 in /sql/core

Posted by GitBox <gi...@apache.org>.
bjornjorgensen commented on pull request #35630:
URL: https://github.com/apache/spark/pull/35630#issuecomment-1048771018


   @srowen Thank you. When it is necessary to run `./dev/test-dependencies.sh --replace_manifest`, errors appear in the log. It did not this time, and when I ran `./dev/test-dependencies.sh --replace_manifest` no files were changed.

