Posted to issues@spark.apache.org by "Sean Owen (JIRA)" <ji...@apache.org> on 2016/11/25 09:56:59 UTC

[jira] [Updated] (SPARK-18586) netty-3.8.0.Final.jar has vulnerability CVE-2014-3488 and CVE-2014-0193

     [ https://issues.apache.org/jira/browse/SPARK-18586?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sean Owen updated SPARK-18586:
------------------------------
    Priority: Major  (was: Critical)

Spark doesn't use Netty 3, but it is pulled in as a transitive dependency. We can't get rid of it, but it also isn't even necessarily exposed.
Do these CVEs even affect Spark? We can try managing the version up to 3.8.3 to resolve one, or 3.9.x to resolve both, but this won't change the version of Netty that ends up on the classpath if deploying on an existing cluster.

> netty-3.8.0.Final.jar has vulnerability CVE-2014-3488 and CVE-2014-0193
> -----------------------------------------------------------------------
>
>                 Key: SPARK-18586
>                 URL: https://issues.apache.org/jira/browse/SPARK-18586
>             Project: Spark
>          Issue Type: Bug
>          Components: Build
>            Reporter: meiyoula
>