[ 
https://issues.apache.org/jira/browse/SPARK-46267?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Laurenceau Julien updated SPARK-46267:
--------------------------------------
    Summary: critical CVE vulnerability with a fix in Derby  (was: critical 
vunerability with a fix in Derby)

> critical CVE vulnerability with a fix in Derby
> ----------------------------------------------
>
>                 Key: SPARK-46267
>                 URL: https://issues.apache.org/jira/browse/SPARK-46267
>             Project: Spark
>          Issue Type: Dependency upgrade
>          Components: Build
>    Affects Versions: 3.4.1
>         Environment: I know it is in Spark 3.4.1, which is the last version
> released by Canonical Charmed Spark.
> Since the fix was released on Nov 10 on the Derby side, it probably affects all
> versions of Spark.
>            Reporter: Laurenceau Julien
>            Priority: Major
>              Labels: security
>
>  
> It would be necessary to upgrade the Derby dependency in order to solve a
> critical vulnerability that was fixed in the latest release of Derby in
> November:
> [https://db.apache.org/derby/releases/release-10_17_1_0.cgi]
> https://issues.apache.org/jira/browse/DERBY-7147?focusedCommentId=17799544&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-17799544
>  
>  
> The vuln:
> ```
> │                   Library                    │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                            Title                             │
> │ org.apache.derby:derby (derby-10.14.2.0.jar) │ CVE-2022-46337 │ CRITICAL │ fixed  │ 10.14.2.0         │ 10.17.1.0     │ A cleverly devised username might bypass LDAP authentication │
> ```


