spark-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Eric Richardson <>
Subject Re: CVEs
Date Tue, 22 Jun 2021 00:45:46 GMT
Ok, that sounds like a plan. I will gather what I found and either reach
out on the security channel and/or try and upgrade with a pull request.

Thanks for pointing me in the right direction.

On Mon, Jun 21, 2021 at 4:52 PM Sean Owen <> wrote:

> Yeah if it were clearly exploitable right now we'd handle it via private@
> instead of JIRA; depends on what you think the importance is. If in doubt
> reply to
> On Mon, Jun 21, 2021 at 6:50 PM Holden Karau <> wrote:
>> If you get to a point where you find something you think is highly likely
>> a valid vulnerability the best path forward is likely reaching out to
>> private@ to figure out how to do a security release.
>> On Mon, Jun 21, 2021 at 4:42 PM Eric Richardson <>
>> wrote:
>>> Thanks for the quick reply. Yes, since it is included in the jars then
>>> it is unclear whether it is used internally at least to me.
>>> I can substitute the jar in the distro to avoid the scanner from finding
>>> it but then it is unclear whether I could be breaking something or not.
>>> Given that 3.1.2 is the latest release, I guess you might expect that it
>>> would pass the scanners but I am not sure if that version spans 3.0.x and
>>> 3.1.x or not either.
>>> I can report findings in an issue where I am pretty darn sure it is a
>>> valid vulnerability if that is ok? That at least would raise the
>>> visibility.
>>> Will 3.2.x be Scala 2.13.x only or cross compiled with 2.12?
>>> I realize Spark is a beast so I just want to help if I can but also not
>>> create extra work if it is not useful for me or the Spark team/contributors.
>>> On Mon, Jun 21, 2021 at 3:43 PM Sean Owen <> wrote:
>>>> Whether it matters really depends on whether the CVE affects Spark.
>>>> Sometimes it clearly could and so we'd try to back-port dependency updates
>>>> to active branches.
>>>> Sometimes it clearly doesn't and hey sometimes the dependency is
>>>> updated anyway for good measure (mostly to keep this off static analyzer
>>>> reports) but probably wouldn't backport.
>>>> Jackson has been a persistent one but in this case Spark is already on
>>>> 2.12.x in master, and it wasn't clear last time I looked at those CVEs that
>>>> they can affect Spark itself. End user apps perhaps, but those apps can
>>>> supply their own Jackson.
>>>> If someone had a legit view that this is potentially more serious I
>>>> think we could _probably backport that update, but Jackson can be a little
>>>> bit tricky with compatibility IIRC so would just bear some testing.
>>>> On Mon, Jun 21, 2021 at 5:27 PM Eric Richardson <>
>>>> wrote:
>>>>> Hi,
>>>>> I am working with Spark 3.1.2 and getting several vulnerabilities
>>>>> popping up. I am wondering if the Spark distros are scanned etc. and
>>>>> people resolve these.
>>>>> For example. I am finding -
>>>>> This looks like it is fixed in 2.11.0 -
>>>>> - but Spark
>>>>> supplies 2.10.0.
>>>>> Thanks,
>>>>> Eric
>>>> --
>> Twitter:
>> Books (Learning Spark, High Performance Spark, etc.):
>>  <>
>> YouTube Live Streams:

View raw message