[ https://issues.apache.org/jira/browse/SPARK-35517?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17384395#comment-17384395 ]
Sean R. Owen commented on SPARK-35517: -------------------------------------- Spark 3.2 is coming in a month or so. Spark doesn't use it directly to my knowledge anyway, but it's best to update, and already done. > Critical Vulnerabilities: jackson-databind 2.4.0 shipped with > htrace-core4-4.1.0-incubating.jar > ----------------------------------------------------------------------------------------------- > > Key: SPARK-35517 > URL: https://issues.apache.org/jira/browse/SPARK-35517 > Project: Spark > Issue Type: Bug > Components: Build > Affects Versions: 3.0.2 > Reporter: Louis DEFLANDRE > Priority: Major > > Vulnerabilities scanner is highlighting following CRITICAL vulnerabilities in > {{spark-3.0.2-bin-hadoop3.2}} coming from obsolete {{jackson-databind}} > {{2.4.0}} : > * [CVE-2018-7489|https://nvd.nist.gov/vuln/detail/CVE-2018-7489] > * > [CVE-2018-14718|https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-14718] > This package is shipped within {{jars/htrace-core4-4.1.0-incubating.jar}} -- This message was sent by Atlassian Jira (v8.3.4#803005) --------------------------------------------------------------------- To unsubscribe, e-mail: issues-unsubscr...@spark.apache.org For additional commands, e-mail: issues-h...@spark.apache.org