Posted to dev@spark.apache.org by sujith71955 <su...@gmail.com> on 2018/02/13 06:21:39 UTC

Regarding NimbusDS JOSE JWT jar 3.9 security vulnerability

Hi Folks,
I observed that in the Spark 2.2.x version we are using the NimbusDS JOSE JWT jar
version 3.9, but I saw a few vulnerabilities have been reported for this
particular version of the jar. Please refer to the details below:
https://nvd.nist.gov/vuln/detail/CVE-2017-12973,
https://www.cvedetails.com/cve/CVE-2017-12972/

As per the details, this vulnerability has been detected in jars prior to 4.39; we
are planning to upgrade this jar.
Just wanted to know whether there is any reason why this jar has not been
upgraded in the community release, as it contains vulnerabilities.

Appreciate your suggestions.

Thanks,
Sujith 
--
Sent from: http://apache-spark-developers-list.1001551.n3.nabble.com/

---------------------------------------------------------------------
To unsubscribe e-mail: dev-unsubscribe@spark.apache.org


Re: Regarding NimbusDS JOSE JWT jar 3.9 security vulnerability

Posted by sujith chacko <su...@gmail.com>.
Hi Steve,

While we are building the Spark 2.1 version, this particular JWT jar is getting
added as a transitive dependency of the Hadoop-auth-2.7.2 project. I
discussed it with one of the Hadoop PMC members; he will analyse the impact of this
particular issue in Hadoop. Once I get more information I will update
you about this.

Thanks,
Sujith

On Wed, 14 Feb 2018 at 07 PM, Steve Loughran <st...@hortonworks.com> wrote:

> might be coming in transitively
>
> https://issues.apache.org/jira/browse/HADOOP-14799
>
> On 13 Feb 2018, at 18:18, PJ Fanning <fa...@yahoo.com> wrote:
>
> Hi Sujith,
> I didn't find the nimbusds dependency in any spark 2.2 jars. Maybe I missed
> something. Could you tell us which spark jar has the nimbusds dependency?
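The question raised in the thread (which Spark artifact actually pulls the jar in) is answered by reading the Maven dependency tree. The script below is an added example, not code from the Spark or Hadoop projects: it parses the plain-text output of `mvn dependency:tree`, prints every root-to-leaf path that ends at com.nimbusds:nimbus-jose-jwt, and flags versions below 4.39, the fix version named in the post. The sample tree embedded in it is constructed for illustration; hadoop-auth 2.7.2 and nimbus-jose-jwt 3.9 are the versions named in the thread, while the other coordinates and versions in the sample are assumptions.

```python
"""Find where a transitive jar enters a Maven build, from `mvn dependency:tree` output.

Added example; not code from the Spark or Hadoop projects. It parses the plain-text
tree that `mvn dependency:tree` prints, reports every root-to-leaf path ending at the
artifact of interest, and flags versions below the fix version named in the thread.
"""
import re
import sys
from typing import Dict, List, Tuple

# Constructed sample of `mvn dependency:tree` output for illustration only.
# hadoop-auth 2.7.2 and nimbus-jose-jwt 3.9 are the versions named in the thread;
# the other coordinates and versions are assumptions for the sake of the example.
SAMPLE_TREE = """\
[INFO] --- maven-dependency-plugin:3.0.2:tree (default-cli) @ spark-core_2.11 ---
[INFO] org.apache.spark:spark-core_2.11:jar:2.2.1
[INFO] +- org.apache.hadoop:hadoop-client:jar:2.7.2:compile
[INFO] |  +- org.apache.hadoop:hadoop-common:jar:2.7.2:compile
[INFO] |  |  +- org.apache.hadoop:hadoop-auth:jar:2.7.2:compile
[INFO] |  |  |  +- org.apache.directory.server:apacheds-kerberos-codec:jar:2.0.0-M15:compile
[INFO] |  |  |  \\- com.nimbusds:nimbus-jose-jwt:jar:3.9:compile
[INFO] |  |  \\- commons-codec:commons-codec:jar:1.10:compile
[INFO] |  \\- org.apache.hadoop:hadoop-hdfs:jar:2.7.2:compile
[INFO] +- com.fasterxml.jackson.core:jackson-databind:jar:2.6.5:compile
[INFO] \\- org.scala-lang:scala-library:jar:2.11.8:compile
"""

# One tree line: "[INFO] " + zero or more 3-char nesting units ("|  ", "   ", "+- ", "\- ")
# + a Maven coordinate "group:artifact:type[:classifier]:version[:scope]".
LINE_RE = re.compile(r"^\[INFO\] (?P<prefix>(?:[|+\\ ][ -] )*)(?P<coord>[^\s:]+:[^\s:]+:\S+)$")

Node = Tuple[str, str, str]  # (groupId, artifactId, version)


def parse_tree(text: str) -> List[List[Node]]:
    """Return the root-to-node path for every dependency line in the tree output."""
    paths: List[List[Node]] = []
    stack: List[Node] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # plugin banners, download progress and other non-tree lines
        depth = len(m.group("prefix")) // 3
        parts = m.group("coord").split(":")
        version = parts[4] if len(parts) >= 6 else parts[3]  # skip classifier if present
        node: Node = (parts[0], parts[1], version)
        stack = stack[:depth] + [node]  # a node at depth d replaces everything deeper
        paths.append(list(stack))
    return paths


def version_key(version: str) -> Tuple[int, ...]:
    """Numeric prefix of a Maven version: '4.41.1' -> (4, 41, 1).
    Qualifiers such as '-SNAPSHOT' or '-M15' are ignored; enough for a below/above check."""
    nums: List[int] = []
    for piece in re.split(r"[.\-]", version):
        if not piece.isdigit():
            break
        nums.append(int(piece))
    return tuple(nums)


def find_artifact(text: str, group: str, artifact: str, fixed_in: str) -> List[Dict[str, object]]:
    """Every occurrence of group:artifact in the tree, with the path that pulls it in
    and whether its version is below `fixed_in`."""
    findings: List[Dict[str, object]] = []
    for path in parse_tree(text):
        g, a, v = path[-1]
        if (g, a) != (group, artifact):
            continue
        findings.append({
            "version": v,
            "vulnerable": version_key(v) < version_key(fixed_in),
            "via": " -> ".join(f"{pg}:{pa}:{pv}" for pg, pa, pv in path),
        })
    return findings


if __name__ == "__main__":
    # Usage: python find_transitive_jar.py [tree.txt]   (defaults to the constructed sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TREE
    for f in find_artifact(text, "com.nimbusds", "nimbus-jose-jwt", "4.39"):
        status = "below 4.39, affected" if f["vulnerable"] else "4.39 or later"
        print(f"nimbus-jose-jwt {f['version']}: {status}")
        print(f"  via {f['via']}")
```

Against a real checkout, run `mvn dependency:tree -Dincludes=com.nimbusds > tree.txt` in the module you suspect and feed tree.txt to the script; the `includes` filter keeps the output short while still printing the full path from the module down to the matching jar, which is exactly the chain (here hadoop-client -> hadoop-common -> hadoop-auth) you need when deciding whether to exclude the dependency, pin a newer version in dependencyManagement, or wait for the upstream fix tracked in HADOOP-14799.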

Re: Regarding NimbusDS JOSE JWT jar 3.9 security vulnerability

Posted by Steve Loughran <st...@hortonworks.com>.
might be coming in transitively

https://issues.apache.org/jira/browse/HADOOP-14799

On 13 Feb 2018, at 18:18, PJ Fanning <fa...@yahoo.com> wrote:

Hi Sujith,
I didn't find the nimbusds dependency in any spark 2.2 jars. Maybe I missed
something. Could you tell us which spark jar has the nimbusds dependency?
Re: Regarding NimbusDS JOSE JWT jar 3.9 security vulnerability

Posted by PJ Fanning <fa...@yahoo.com>.
Hi Sujith,
I didn't find the nimbusds dependency in any spark 2.2 jars. Maybe I missed
something. Could you tell us which spark jar has the nimbusds dependency?