Posted to reviews@spark.apache.org by Fokko <gi...@git.apache.org> on 2018/11/09 09:01:08 UTC

[GitHub] spark pull request #22992: [SPARK-24229] Update to Apache Thrift 0.10.0

GitHub user Fokko opened a pull request:

    https://github.com/apache/spark/pull/22992

    [SPARK-24229] Update to Apache Thrift 0.10.0

    The CVE detector is complaining about a vulnerability: https://nvd.nist.gov/vuln/detail/CVE-2016-5397#vulnCurrentDescriptionTitle
    
    ## What changes were proposed in this pull request?
    
    (Please fill in changes proposed in this fix)
    
    ## How was this patch tested?
    
    (Please explain how this patch was tested. E.g. unit tests, integration tests, manual tests)
    (If this patch involves UI changes, please attach a screenshot; otherwise, remove this)
    
    Please review http://spark.apache.org/contributing.html before opening a pull request.


You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/Fokko/spark SPARK-24229

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/spark/pull/22992.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #22992
    
----
commit 07d60d9e886a8549710ccd00062bfe75de9a25b7
Author: Fokko Driesprong <fo...@...>
Date:   2018-11-09T08:59:21Z

    [SPARK-24229] Update to Apache Thrift 0.10.0
    
    The CVE detector is complaining about a vulnerability

----


---

---------------------------------------------------------------------
To unsubscribe, e-mail: reviews-unsubscribe@spark.apache.org
For additional commands, e-mail: reviews-help@spark.apache.org


[GitHub] spark issue #22992: [SPARK-24229] Update to Apache Thrift 0.10.0

Posted by dongjoon-hyun <gi...@git.apache.org>.
Github user dongjoon-hyun commented on the issue:

    https://github.com/apache/spark/pull/22992
  
    Thank you, @Fokko.
    
    The description says `Go client`. If this is language dependent, does it affect Apache Spark? Could you elaborate in more detail in the PR description on the relation with Apache Spark?
    ```
    The Apache Thrift Go client library exposed the potential during code generation for command injection due to using an external formatting tool. Affected Apache Thrift 0.9.3 and older, Fixed in Apache Thrift 0.10.0.
    ```


---



[GitHub] spark issue #22992: [SPARK-24229] Update to Apache Thrift 0.10.0

Posted by dongjoon-hyun <gi...@git.apache.org>.
Github user dongjoon-hyun commented on the issue:

    https://github.com/apache/spark/pull/22992
  
    @mingwandroid . If you are worrying about the real issues, could you lend us your hand, please? Reopening the issue with a valid reproducible case is always welcome.
    
    The Apache Spark community does seriously care about correct CVE reports, and provides backports.
    - http://spark.apache.org/security.html
    
    Alarming real risks is the only way to make people happy. We should not surprise people for wrong reasons. Apache Spark issues and commits are precious resources. Not only you but all downstream are affected. So, we are trying to do our best to deliver only the correct patch.
    
    If we cry `Wolf, Wolf` for incorrect situations repeatedly, the credibility of Apache Spark security alerts will go down gradually (and seriously eventually). Nobody will believe Spark's security alerts in the future.


---



[GitHub] spark issue #22992: [SPARK-24229] Update to Apache Thrift 0.10.0

Posted by AmplabJenkins <gi...@git.apache.org>.
Github user AmplabJenkins commented on the issue:

    https://github.com/apache/spark/pull/22992
  
    Can one of the admins verify this patch?


---



[GitHub] spark issue #22992: [SPARK-24229] Update to Apache Thrift 0.10.0

Posted by AmplabJenkins <gi...@git.apache.org>.
Github user AmplabJenkins commented on the issue:

    https://github.com/apache/spark/pull/22992
  
    Can one of the admins verify this patch?


---



[GitHub] spark issue #22992: [SPARK-24229] Update to Apache Thrift 0.10.0

Posted by dongjoon-hyun <gi...@git.apache.org>.
Github user dongjoon-hyun commented on the issue:

    https://github.com/apache/spark/pull/22992
  
    Please provide a test case or reproducible step for the issue. Otherwise, please close this PR.


---



[GitHub] spark issue #22992: [SPARK-24229] Update to Apache Thrift 0.10.0

Posted by mingwandroid <gi...@git.apache.org>.
Github user mingwandroid commented on the issue:

    https://github.com/apache/spark/pull/22992
  
    Can you not just update this version so that people who care about CVE scan results can still use Apache Spark without worrying?


---



[GitHub] spark issue #22992: [SPARK-24229] Update to Apache Thrift 0.10.0

Posted by AmplabJenkins <gi...@git.apache.org>.
Github user AmplabJenkins commented on the issue:

    https://github.com/apache/spark/pull/22992
  
    Can one of the admins verify this patch?


---



[GitHub] spark pull request #22992: [SPARK-24229] Update to Apache Thrift 0.10.0

Posted by Fokko <gi...@git.apache.org>.
Github user Fokko closed the pull request at:

    https://github.com/apache/spark/pull/22992


---
