This is an automated email from the ASF dual-hosted git repository.

sarutak pushed a commit to branch branch-3.2
in repository https://gitbox.apache.org/repos/asf/spark.git


The following commit(s) were added to refs/heads/branch-3.2 by this push:
     new adba516  [SPARK-37934][BUILD][3.2] Upgrade Jetty version to 9.4.44
adba516 is described below

commit adba5165a56bd4e7a71fcad77c568c0cbc2e7f97
Author: Jack Richard Buggins <jackbugg...@hotmail.com>
AuthorDate: Wed Feb 9 02:28:03 2022 +0900

    [SPARK-37934][BUILD][3.2] Upgrade Jetty version to 9.4.44
    
    ### What changes were proposed in this pull request?
    
    This pull request provides a minor update to the Jetty version from `9.4.43.v20210629` to `9.4.44.v20210927`, which is required against branch-3.2 to fully resolve https://issues.apache.org/jira/browse/SPARK-37934
    
    ### Why are the changes needed?
    
    As discussed in https://github.com/apache/spark/pull/35338, a DoS vector is available even within a private or restricted network. The below result is the output of a twistlock scan, which also detects this vulnerability.
    
    ```
    Source: https://github.com/eclipse/jetty.project/issues/6973
    CVE: PRISMA-2021-0182
    Sev.: medium
    Package Name: org.eclipse.jetty_jetty-server
    Package Ver.: 9.4.43.v20210629
    Status: fixed in 9.4.44
    Description: org.eclipse.jetty_jetty-server package versions before 9.4.44 are vulnerable to DoS (Denial of Service). Logback-access calls Request.getParameterNames() for request logging. That will force a request body read (if it hasn't been read before) per the servlet. This will now consume resources to read the request body content, which could easily be malicious (in size? in keys? etc), even though the application intentionally didn't read the request body.
    ```
    
    ### Does this PR introduce _any_ user-facing change?
    
    No.
    
    ### How was this patch tested?
    
    * Core local
    ```
    $ build/sbt
    > project core
    > test
    ```
    * CI
    
    Closes #35442 from JackBuggins/branch-3.2.
    
    Authored-by: Jack Richard Buggins <jackbugg...@hotmail.com>
    Signed-off-by: Kousuke Saruta <saru...@oss.nttdata.com>
---
 pom.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pom.xml b/pom.xml
index bc3f925..8af3d6a 100644
--- a/pom.xml
+++ b/pom.xml
@@ -138,7 +138,7 @@
     <derby.version>10.14.2.0</derby.version>
     <parquet.version>1.12.2</parquet.version>
     <orc.version>1.6.13</orc.version>
-    <jetty.version>9.4.43.v20210629</jetty.version>
+    <jetty.version>9.4.44.v20210927</jetty.version>
     <jakartaservlet.version>4.0.3</jakartaservlet.version>
     <chill.version>0.10.0</chill.version>
     <ivy.version>2.5.0</ivy.version>
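Review bot: confirm that nothing outside this single `jetty.version` property still resolves the old artifact, since only `pom.xml` changes here and the motivating scan keys on the jetty-server jar version (`9.4.43.v20210629` flagged, "fixed in 9.4.44"); if the repository keeps a checked-in list of resolved dependency jar names or any module pins a Jetty artifact explicitly, those need the same bump or the scan will keep reporting the old version. The testing section only exercises `project core`; since the advisory concerns jetty-server's forced request-body read in `Request.getParameterNames()`, the modules that actually embed jetty-server and serve HTTP are the ones worth running against `9.4.44.v20210927` before merging.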
