Posted to issues@spark.apache.org by "Andrew Kyle Purtell (Jira)" <ji...@apache.org> on 2022/10/06 21:05:00 UTC

[jira] [Created] (SPARK-40685) Update kryo transitive dependency to 5.2.0 or later

Andrew Kyle Purtell created SPARK-40685:
-------------------------------------------

             Summary: Update kryo transitive dependency to 5.2.0 or later
                 Key: SPARK-40685
                 URL: https://issues.apache.org/jira/browse/SPARK-40685
             Project: Spark
          Issue Type: Bug
          Components: Spark Core
    Affects Versions: 3.3.0
            Reporter: Andrew Kyle Purtell


Spark 3.3 currently ships with kryo-shaded-4.0.2.jar, subject to [kryo#829|https://github.com/EsotericSoftware/kryo/issues/829], detected by several flavors of static vulnerability assessment tools as a medium-scored problem.

Kryo versions 5.2.0 or later have a fix for this issue.

{noformat}
[INFO] org.apache.spark:spark-unsafe_2.12:jar:3.3.2-SNAPSHOT
[INFO] +- com.twitter:chill_2.12:jar:0.10.0:compile
[INFO] |  \- com.esotericsoftware:kryo-shaded:jar:4.0.2:compile
{noformat}

{noformat}
[INFO] org.apache.spark:spark-core_2.12:jar:3.3.2-SNAPSHOT
[INFO] +- com.twitter:chill_2.12:jar:0.10.0:compile
[INFO] |  \- com.esotericsoftware:kryo-shaded:jar:4.0.2:compile
{noformat}

This issue is not meant to imply a security problem in Spark itself.
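The dependency-tree fragments above are the evidence a scanner works from. The following added example (not part of the issue or of Spark's own code) parses `mvn dependency:tree` output, locates any `com.esotericsoftware` Kryo artifact under each module, and flags versions older than 5.2.0, the first release the issue names as carrying the fix. The sample text reuses the two fragments quoted in the issue and adds one constructed, hypothetical module on Kryo 5.3.0 so that both outcomes are exercised; the parsing assumes the standard `[INFO]` tree layout Maven prints.

```python
"""Flag Kryo artifacts below the fixed release in `mvn dependency:tree` output."""
from typing import List, Optional, Tuple

# Constructed sample: the two fragments quoted in the issue plus one hypothetical
# module (org.example:hypothetical-module) that already sits on a fixed Kryo.
SAMPLE_TREE = """\
[INFO] org.apache.spark:spark-unsafe_2.12:jar:3.3.2-SNAPSHOT
[INFO] +- com.twitter:chill_2.12:jar:0.10.0:compile
[INFO] |  \\- com.esotericsoftware:kryo-shaded:jar:4.0.2:compile
[INFO] org.apache.spark:spark-core_2.12:jar:3.3.2-SNAPSHOT
[INFO] +- com.twitter:chill_2.12:jar:0.10.0:compile
[INFO] |  \\- com.esotericsoftware:kryo-shaded:jar:4.0.2:compile
[INFO] org.example:hypothetical-module:jar:1.0.0
[INFO] \\- com.esotericsoftware:kryo:jar:5.3.0:compile
"""

FIXED_VERSION = "5.2.0"  # first Kryo release the issue names as containing the fix
KRYO_GROUP = "com.esotericsoftware"
KRYO_ARTIFACTS = ("kryo", "kryo-shaded")  # chill pulls in the shaded flavor


def parse_tree_line(line: str) -> Optional[Tuple[bool, str, str, str]]:
    """Parse one dependency:tree line into (is_root, groupId, artifactId, version).

    Returns None for lines that carry no Maven coordinate (banners, blank lines).
    Coordinates look like groupId:artifactId:type[:classifier]:version[:scope];
    a root module line has no scope, so its version is the last field.
    """
    if "[INFO]" not in line:
        return None
    body = line.split("[INFO]", 1)[1].strip()
    if not body:
        return None
    # Dependency lines start with the ASCII tree drawing (+- , |  \- ); roots do not.
    is_root = body[0] not in "+\\|-"
    coord = body.lstrip("+-|\\ ")
    parts = coord.split(":")
    if len(parts) < 4:
        return None
    version = parts[-1] if len(parts) == 4 else parts[-2]
    return is_root, parts[0], parts[1], version


def version_key(version: str) -> Tuple[int, ...]:
    """Numeric-aware ordering key; a qualifier such as -SNAPSHOT is ignored."""
    core = version.split("-", 1)[0]
    return tuple(int(p) if p.isdigit() else 0 for p in core.split("."))


def find_vulnerable_kryo(tree_text: str, fixed: str = FIXED_VERSION) -> List[Tuple[str, str, str]]:
    """Return (module, artifactId, version) for each Kryo artifact older than `fixed`."""
    findings: List[Tuple[str, str, str]] = []
    current_module = "<unknown>"
    for line in tree_text.splitlines():
        parsed = parse_tree_line(line)
        if parsed is None:
            continue
        is_root, group, artifact, version = parsed
        if is_root:
            # Remember which module's subtree we are in so findings are attributable.
            current_module = f"{group}:{artifact}:{version}"
            continue
        if group == KRYO_GROUP and artifact in KRYO_ARTIFACTS:
            if version_key(version) < version_key(fixed):
                findings.append((current_module, artifact, version))
    return findings


if __name__ == "__main__":
    for module, artifact, version in find_vulnerable_kryo(SAMPLE_TREE):
        print(f"{module}: {artifact} {version} is older than {FIXED_VERSION}")
```

Run against a real build by piping `mvn dependency:tree` output into `find_vulnerable_kryo`; the version key deliberately ignores qualifiers so that a `-SNAPSHOT` module line still parses, and the root-versus-dependency distinction is what lets each finding name the module that transitively owns the old jar.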



--
This message was sent by Atlassian Jira
(v8.20.10#820010)