Posted to issues@spark.apache.org by "Sean Owen (JIRA)" <ji...@apache.org> on 2019/04/05 18:05:00 UTC

[jira] [Resolved] (SPARK-27358) Update jquery to 1.12.x to pick up security fixes

     [ https://issues.apache.org/jira/browse/SPARK-27358?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sean Owen resolved SPARK-27358.
-------------------------------
       Resolution: Fixed
    Fix Version/s: 2.3.4
                   2.4.2
                   3.0.0

Issue resolved by pull request 24288
[https://github.com/apache/spark/pull/24288]

> Update jquery to 1.12.x to pick up security fixes
> -------------------------------------------------
>
>                 Key: SPARK-27358
>                 URL: https://issues.apache.org/jira/browse/SPARK-27358
>             Project: Spark
>          Issue Type: Improvement
>          Components: Web UI
>    Affects Versions: 3.0.0
>            Reporter: Sean Owen
>            Assignee: Sean Owen
>            Priority: Major
>             Fix For: 3.0.0, 2.4.2, 2.3.4
>
>
> jquery 1.11.1 is affected by a CVE:
> https://www.cvedetails.com/cve/CVE-2016-7103/
> This triggers some warnings in tools that check for known security issues in dependencies.
> Note that I do not know whether this actually manifests as a security problem for Spark. But, we can easily update to 1.12.4 (latest 1.x version) to resolve it.
> (Note that https://www.cvedetails.com/cve/CVE-2015-9251/ seems to have been fixed in 1.12 but then unfixed, so this may require a much bigger jump to jquery 3.x if it's a problem; leaving that until later.)
> Along the way we will want to update jquery datatables to 1.10.18 to match jquery 1.12.4.
> Relatedly, jquery mustache 0.8.1 also has a CVE: https://snyk.io/test/npm/mustache/0.8.2
> I propose to update to 2.3.12 (latest 2.x) to resolve it.
> Although targeted for 3.0, I believe this is back-portable to 2.4.x if needed, assuming we find no UI issues.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
