You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@spark.apache.org by sr...@apache.org on 2021/04/08 15:45:47 UTC
[spark] branch branch-2.4 updated: [SPARK-34988][CORE][2.4] Upgrade
Jetty for CVE-2021-28165
This is an automated email from the ASF dual-hosted git repository.
srowen pushed a commit to branch branch-2.4
in repository https://gitbox.apache.org/repos/asf/spark.git
The following commit(s) were added to refs/heads/branch-2.4 by this push:
new f7ac0db [SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165
f7ac0db is described below
commit f7ac0dbe63cda76fa1882574234780f1d5e14858
Author: Kousuke Saruta <sa...@oss.nttdata.com>
AuthorDate: Thu Apr 8 10:42:12 2021 -0500
[SPARK-34988][CORE][2.4] Upgrade Jetty for CVE-2021-28165
### What changes were proposed in this pull request?
This PR backports #32091.
This PR upgrades the version of Jetty to 9.4.39.
### Why are the changes needed?
CVE-2021-28165 affects the version of Jetty that Spark uses and it seems to be a little bit serious.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28165
### Does this PR introduce _any_ user-facing change?
No.
### How was this patch tested?
Existing tests.
Closes #32093 from sarutak/backport-SPARK-34988.
Authored-by: Kousuke Saruta <sa...@oss.nttdata.com>
Signed-off-by: Sean Owen <sr...@gmail.com>
---
dev/deps/spark-deps-hadoop-3.1 | 4 ++--
pom.xml | 2 +-
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/dev/deps/spark-deps-hadoop-3.1 b/dev/deps/spark-deps-hadoop-3.1
index 90775e1..7e0871b 100644
--- a/dev/deps/spark-deps-hadoop-3.1
+++ b/dev/deps/spark-deps-hadoop-3.1
@@ -116,8 +116,8 @@ jersey-container-servlet/2.22.2//jersey-container-servlet-2.22.2.jar
jersey-guava/2.22.2//jersey-guava-2.22.2.jar
jersey-media-jaxb/2.22.2//jersey-media-jaxb-2.22.2.jar
jersey-server/2.22.2//jersey-server-2.22.2.jar
-jetty-webapp/9.4.36.v20210114//jetty-webapp-9.4.36.v20210114.jar
-jetty-xml/9.4.36.v20210114//jetty-xml-9.4.36.v20210114.jar
+jetty-webapp/9.4.39.v20210325//jetty-webapp-9.4.39.v20210325.jar
+jetty-xml/9.4.39.v20210325//jetty-xml-9.4.39.v20210325.jar
jline/2.14.6//jline-2.14.6.jar
joda-time/2.9.3//joda-time-2.9.3.jar
jodd-core/3.5.2//jodd-core-3.5.2.jar
diff --git a/pom.xml b/pom.xml
index 2b51d4d..972c359 100644
--- a/pom.xml
+++ b/pom.xml
@@ -134,7 +134,7 @@
<orc.version>1.5.5</orc.version>
<orc.classifier>nohive</orc.classifier>
<hive.parquet.version>1.6.0</hive.parquet.version>
- <jetty.version>9.4.36.v20210114</jetty.version>
+ <jetty.version>9.4.39.v20210325</jetty.version>
<javaxservlet.version>3.1.0</javaxservlet.version>
<chill.version>0.9.3</chill.version>
<ivy.version>2.4.0</ivy.version>
---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@spark.apache.org
For additional commands, e-mail: commits-help@spark.apache.org