This is an automated email from the ASF dual-hosted git repository.

srowen pushed a commit to branch branch-3.2
in repository https://gitbox.apache.org/repos/asf/spark.git


The following commit(s) were added to refs/heads/branch-3.2 by this push:
     new e7060b79752 [SPARK-39183][BUILD] Upgrade Apache Xerces Java to 2.12.2
e7060b79752 is described below

commit e7060b79752522881042ff4d4c39a8e72d6b5f1a
Author: bjornjorgensen <bjornjorgen...@gmail.com>
AuthorDate: Mon May 16 18:10:08 2022 -0500

    [SPARK-39183][BUILD] Upgrade Apache Xerces Java to 2.12.2
    
    ### What changes were proposed in this pull request?
    Upgrade Apache Xerces Java to 2.12.2
    
    [Release notes](https://xerces.apache.org/xerces2-j/releases.html)
    
    ### Why are the changes needed?
    [Infinite Loop in Apache Xerces Java](https://github.com/advisories/GHSA-h65f-jvqw-m9fj)
    
    There's a vulnerability within the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads. This causes the XercesJ XML parser to wait in an infinite loop, which may sometimes consume system resources for a prolonged duration. This vulnerability is present within XercesJ version 2.12.1 and the previous versions.
    
    References
    https://nvd.nist.gov/vuln/detail/CVE-2022-23437
    https://lists.apache.org/thread/6pjwm10bb69kq955fzr1n0nflnjd27dl
    http://www.openwall.com/lists/oss-security/2022/01/24/3
    https://www.oracle.com/security-alerts/cpuapr2022.html
    
    ### Does this PR introduce _any_ user-facing change?
    No.
    
    ### How was this patch tested?
    Pass GA.
    
    Closes #36544 from bjornjorgensen/Upgrade-xerces-to-2.12.2.
    
    Authored-by: bjornjorgensen <bjornjorgen...@gmail.com>
    Signed-off-by: Sean Owen <sro...@gmail.com>
    (cherry picked from commit 181436bd990d3bdf178a33fa6489ad416f3e7f94)
    Signed-off-by: Sean Owen <sro...@gmail.com>
---
 dev/deps/spark-deps-hadoop-2.7-hive-2.3 | 2 +-
 pom.xml                                 | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/dev/deps/spark-deps-hadoop-2.7-hive-2.3 
b/dev/deps/spark-deps-hadoop-2.7-hive-2.3
index f586797d9e6..ac2a7b2f3f9 100644
--- a/dev/deps/spark-deps-hadoop-2.7-hive-2.3
+++ b/dev/deps/spark-deps-hadoop-2.7-hive-2.3
@@ -236,7 +236,7 @@ transaction-api/1.1//transaction-api-1.1.jar
 univocity-parsers/2.9.1//univocity-parsers-2.9.1.jar
 velocity/1.5//velocity-1.5.jar
 xbean-asm9-shaded/4.20//xbean-asm9-shaded-4.20.jar
-xercesImpl/2.12.0//xercesImpl-2.12.0.jar
+xercesImpl/2.12.2//xercesImpl-2.12.2.jar
 xml-apis/1.4.01//xml-apis-1.4.01.jar
 xmlenc/0.52//xmlenc-0.52.jar
 xz/1.8//xz-1.8.jar
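Review bot: only the hadoop-2.7-hive-2.3 dependency manifest is updated here, and the file stat shows no other `dev/deps/` manifest in this push. Please confirm that no other build profile's manifest still pins `xercesImpl/2.12.0//xercesImpl-2.12.0.jar`; the point of the bump is that no packaged classpath keeps a version at or below 2.12.1, which the commit message identifies as affected by CVE-2022-23437. Also worth noting that the jar moves from 2.12.0 rather than 2.12.1, so the manifest was two releases behind the advisory's fixed version.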
diff --git a/pom.xml b/pom.xml
index ae9b881793f..b94ac3ce7d3 100644
--- a/pom.xml
+++ b/pom.xml
@@ -1237,7 +1237,7 @@
       <dependency>
         <groupId>xerces</groupId>
         <artifactId>xercesImpl</artifactId>
-        <version>2.12.0</version>
+        <version>2.12.2</version>
       </dependency>
       <dependency>
         <groupId>org.apache.avro</groupId>
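Review bot: the version bump is correct, but the hunk does not show whether this `<dependency>` entry sits under `<dependencyManagement>` or in a plain `<dependencies>` block. If it is the latter, a transitive `xercesImpl` brought in by another dependency can still resolve to a vulnerable version in some modules; please verify with a dependency tree that 2.12.2 is the only `xercesImpl` version on every profile's resolved classpath. A short XML comment beside `<version>2.12.2</version>` referencing SPARK-39183 / CVE-2022-23437 would also make the reason for the pin visible to whoever touches this block next.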


---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscr...@spark.apache.org
For additional commands, e-mail: commits-h...@spark.apache.org