You could comment on https://issues.apache.org/jira/browse/SPARK-35550 which covered the update to Jackson 2.12.3. If there's a decent case for backporting and it doesn't have major compatibility issues, we can do it.

Then if you have time, try back-porting the patch to branch-3.1 and run tests. (Or just open the pull request against branch-3.1 and let tests figure it out.) If it passes that's pretty good evidence it's OK. Or get as far as you can on that and I/we can help backport. Here were previous comments on compatibility: https://github.com/apache/spark/pull/32688

3.2 will be Scala 2.12 and possibly experimentally 2.13, but not Scala 2.13 only.

On Mon, Jun 21, 2021 at 6:41 PM Eric Richardson <ekrichard...@gmail.com> wrote:

> Thanks for the quick reply. Yes, since it is included in the jars then it is unclear whether it is used internally at least to me.
>
> I can substitute the jar in the distro to avoid the scanner from finding it but then it is unclear whether I could be breaking something or not. Given that 3.1.2 is the latest release, I guess you might expect that it would pass the scanners but I am not sure if that version spans 3.0.x and 3.1.x or not either.
>
> I can report findings in an issue where I am pretty darn sure it is a valid vulnerability if that is ok? That at least would raise the visibility.
>
> Will 3.2.x be Scala 2.13.x only or cross compiled with 2.12?
>
> I realize Spark is a beast so I just want to help if I can but also not create extra work if it is not useful for me or the Spark team/contributors.
>
> On Mon, Jun 21, 2021 at 3:43 PM Sean Owen <sro...@gmail.com> wrote:
>
>> Whether it matters really depends on whether the CVE affects Spark. Sometimes it clearly could and so we'd try to back-port dependency updates to active branches. Sometimes it clearly doesn't and hey sometimes the dependency is updated anyway for good measure (mostly to keep this off static analyzer reports) but probably wouldn't backport.
>>
>> Jackson has been a persistent one but in this case Spark is already on 2.12.x in master, and it wasn't clear last time I looked at those CVEs that they can affect Spark itself. End user apps perhaps, but those apps can supply their own Jackson.
>>
>> If someone had a legit view that this is potentially more serious I think we could probably backport that update, but Jackson can be a little bit tricky with compatibility IIRC so would just bear some testing.
>>
>> On Mon, Jun 21, 2021 at 5:27 PM Eric Richardson <ekrichard...@gmail.com> wrote:
>>
>>> Hi,
>>>
>>> I am working with Spark 3.1.2 and getting several vulnerabilities popping up. I am wondering if the Spark distros are scanned etc. and how people resolve these.
>>>
>>> For example, I am finding - https://nvd.nist.gov/vuln/detail/CVE-2020-25649
>>>
>>> This looks like it is fixed in 2.11.0 - https://github.com/FasterXML/jackson-databind/issues/2589 - but Spark supplies 2.10.0.
>>>
>>> Thanks,
>>> Eric
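A check a practitioner can run against an unpacked Spark distribution to answer the question the thread raises: which jackson-databind version sits in `jars/`, and is it below the 2.11.0 fix version cited above. This is an added example, not code from the thread or from Spark; the jar list, `audit_jackson_jars` and `version_key` are assumptions of the example, and it also flags mixed Jackson minor lines, since swapping only the jackson-databind jar leaves jackson-core and the other Jackson artifacts behind.

```python
"""Audit the Jackson jars in a Spark distribution's jars/ directory: flag a
bundled jackson-databind below the fixed version the thread cites (2.11.0
for CVE-2020-25649) and warn when jackson-* jars are not all on one 2.x
minor line, the compatibility trap of swapping only one jar.
Added example, not code from the thread or from Spark."""
import os
import re

# Lowest jackson-databind version the thread cites as containing the fix.
FIXED_DATABIND_VERSION = "2.11.0"

# Matches jackson-databind-2.10.0.jar, jackson-module-scala_2.12-2.10.0.jar, ...
_JAR_RE = re.compile(
    r"^(?P<artifact>jackson-[A-Za-z0-9_.-]+?)-"
    r"(?P<version>\d+(?:\.\d+)+(?:[-.][0-9A-Za-z]+)*)\.jar$"
)

def version_key(version):
    """Sortable key: numeric parts padded to three, plus a flag that is False
    for a pre-release qualifier, so 2.12.0-rc1 sorts below 2.12.0."""
    m = re.match(r"^(\d+(?:\.\d+)*)(.*)$", version)
    nums = tuple(int(p) for p in m.group(1).split("."))
    return nums + (0,) * max(0, 3 - len(nums)), m.group(2) == ""

def jackson_versions(jar_names):
    """Map each Jackson artifact to the version parsed from its jar file name."""
    found = {}
    for name in jar_names:
        m = _JAR_RE.match(name)
        if m:
            found[m.group("artifact")] = m.group("version")
    return found

def audit_jackson_jars(jar_names, fixed=FIXED_DATABIND_VERSION):
    """Return versions found, whether jackson-databind is older than `fixed`,
    and whether the Jackson artifacts disagree on their 2.x minor line."""
    versions = jackson_versions(jar_names)
    databind = versions.get("jackson-databind")
    minors = {version_key(v)[0][:2] for v in versions.values()}
    return {
        "versions": versions,
        "databind_outdated": databind is not None
        and version_key(databind) < version_key(fixed),
        "mixed_minor_lines": len(minors) > 1,
    }

def audit_spark_home(spark_home):
    """Run the audit against $SPARK_HOME/jars on disk."""
    return audit_jackson_jars(os.listdir(os.path.join(spark_home, "jars")))
```

Versions are taken from the jar file names, so a repackaged or renamed jar has to be checked from its manifest instead.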