Posted to dev@spark.apache.org by Pralabh Kumar <pr...@gmail.com> on 2022/05/04 15:45:37 UTC
CVE-2021-22569
Hi Dev Team
Spark is using protobuf 2.5.0, which is vulnerable to CVE-2021-22569. The CVE
recommends using protobuf 3.19.2.
Please let me know if there is a JIRA to track the update w.r.t. the CVE and
Spark, or should I create one?
Regards
Pralabh Kumar
Re: CVE-2021-22569
Posted by Sean Owen <sr...@gmail.com>.
Sure, did you search the JIRA?
https://issues.apache.org/jira/browse/SPARK-38340
Does this affect Spark's usage of protobuf?
Looks like it can't be updated to 3.x -- this is really not a dependency of
Spark but of underlying dependencies.
Feel free to re-attempt a change that might work, at least with Hadoop 3 if
possible.
On Wed, May 4, 2022 at 10:46 AM Pralabh Kumar <pr...@gmail.com>
wrote:
> Hi Dev Team
>
> Spark is using protobuf 2.5.0, which is vulnerable to CVE-2021-22569. The CVE
> recommends using protobuf 3.19.2.
>
> Please let me know if there is a JIRA to track the update w.r.t. the CVE and
> Spark, or should I create one?
>
> Regards
> Pralabh Kumar
>
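The thread turns on two questions a practitioner has to answer before filing or closing such a report: which jar on the classpath actually carries protobuf-java, and what version it declares. The script below is an added example and is not Spark or Hadoop project code. It scans a jars/ directory (the layout of a Spark distribution is assumed), reads the Maven pom.properties that protobuf-java jars carry, flags anything below 3.19.2 (the version the first message cites; the threshold is a parameter), and separately reports jars that bundle com/google/protobuf classes without declaring a version, since those need manual review. The sample jars it builds are constructed in a temporary directory for the demo and are not real artifacts.

```python
"""Find protobuf-java on a Spark/Hadoop classpath and flag versions below a fix threshold.

Added example, not Spark project code. Assumes a flat jars/ directory of .jar files.
"""
import tempfile
import zipfile
from pathlib import Path

# Threshold taken from the mailing-list message ("CVE recommends ... 3.19.2").
FIXED_VERSION = (3, 19, 2)
POM_PROPS = "META-INF/maven/com.google.protobuf/protobuf-java/pom.properties"


def parse_version(s):
    """Turn '2.5.0' or '3.19.2-rc1' into a tuple of ints for ordering; qualifiers are dropped."""
    core = s.split("-")[0]
    return tuple(int(p) for p in core.split(".") if p.isdigit())


def protobuf_version_of_jar(jar_path):
    """Return ('declared', version) if the jar is Maven's protobuf-java, ('bundled', None)
    if it merely ships com.google.protobuf classes, or None if protobuf is absent."""
    with zipfile.ZipFile(jar_path) as zf:
        names = zf.namelist()
        if POM_PROPS in names:
            for line in zf.read(POM_PROPS).decode("utf-8").splitlines():
                if line.startswith("version="):
                    return ("declared", line.split("=", 1)[1].strip())
        if any(n.startswith("com/google/protobuf/") and n.endswith(".class") for n in names):
            return ("bundled", None)
    return None


def scan_jars(jar_dir, fixed=FIXED_VERSION):
    """Return [(jar name, declared version or None, vulnerable)] for every jar carrying protobuf.
    vulnerable is True/False when a version is declared, None when only bundled classes were found."""
    results = []
    for jar in sorted(Path(jar_dir).glob("*.jar")):
        found = protobuf_version_of_jar(jar)
        if found is None:
            continue
        _kind, version = found
        vulnerable = parse_version(version) < fixed if version else None
        results.append((jar.name, version, vulnerable))
    return results


def make_jar(path, version=None, bundle_classes=False):
    """Constructed sample jar for the demo (NOT a real artifact): an archive with a manifest,
    optionally a protobuf-java pom.properties, optionally a fake com.google.protobuf class entry."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if version:
            zf.writestr(POM_PROPS, "groupId=com.google.protobuf\n"
                                   "artifactId=protobuf-java\n"
                                   f"version={version}\n")
        if bundle_classes:
            zf.writestr("com/google/protobuf/Message.class", b"\xca\xfe\xba\xbe")  # placeholder bytes


def demo():
    """Build a constructed jars/ directory and scan it; returns the scan results."""
    with tempfile.TemporaryDirectory() as d:
        jars = Path(d)
        make_jar(jars / "protobuf-java-2.5.0.jar", version="2.5.0")        # the version the thread reports
        make_jar(jars / "protobuf-java-3.19.2.jar", version="3.19.2")      # the recommended version
        make_jar(jars / "bundled-lib-1.0.jar", bundle_classes=True)        # hypothetical uber-jar, no pom
        make_jar(jars / "unrelated-lib-1.0.jar")                           # no protobuf at all, skipped
        return scan_jars(jars)


if __name__ == "__main__":
    for name, version, vulnerable in demo():
        print(f"{name}: version={version} vulnerable={vulnerable}")
```

Run scan_jars("/path/to/spark/jars") against a real distribution to see which jar brings protobuf in; if it is a Hadoop artifact rather than Spark's own dependency, that is the situation the reply describes. Two caveats: a vulnerable version on the classpath does not by itself show that Spark exercises the affected parsing code, which is the question the reply raises, and a jar that relocates protobuf to another package (shaded) will not match the com/google/protobuf prefix, so it must be checked by other means.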