This is an automated email from the ASF dual-hosted git repository.

gurwls223 pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/spark.git


The following commit(s) were added to refs/heads/master by this push:
     new 13882bd7b80 [SPARK-39725][BUILD] Upgrade `jetty-http` from 9.4.46.v20220331 to 9.4.48.v20220622
13882bd7b80 is described below

commit 13882bd7b80cd89fc4c58bd96a5ef783a0744019
Author: Bjørn Jørgensen <bjornjorgen...@gmail.com>
AuthorDate: Sat Jul 9 14:02:34 2022 +0900

    [SPARK-39725][BUILD] Upgrade `jetty-http` from 9.4.46.v20220331 to 9.4.48.v20220622
    
    ### What changes were proposed in this pull request?
    Upgrade `jetty-http` from 9.4.46.v20220331 to 9.4.48.v20220622
    
    ### Why are the changes needed?
    [Release note](https://github.com/eclipse/jetty.project/releases)
    
    [CVE-2022-2047](https://nvd.nist.gov/vuln/detail/CVE-2022-2047)
    
    Info from Github dependabot
    
    ### Invalid URI parsing may produce invalid HttpURI.authority
    
    ### Description
    URI use within Jetty's `HttpURI` class can parse invalid URIs such as `http://localhost;/path` as having an authority with a host of `localhost;`.
    
    A URI of the type `http://localhost;/path` should be interpreted to be either invalid or as `localhost;` to be the userinfo and no host.
    However, `HttpURI.host` returns `localhost;` which is definitely wrong.
    
    ### Impact
    This can lead to errors with Jetty's `HttpClient`, and Jetty's `ProxyServlet` / `AsyncProxyServlet` / `AsyncMiddleManServlet` wrongly interpreting an authority with no host as one with a host.
    
    ### Patches
    Patched in PR https://github.com/eclipse/jetty.project/pull/8146 for Jetty version 9.4.47.
    Patched in PR https://github.com/eclipse/jetty.project/pull/8015 for Jetty versions 10.0.10, and 11.0.10
    
    ### Workarounds
    None.
    
    ### For more information
    If you have any questions or comments about this advisory:
    
    Email us at [securitywebtide.com](mailto:securitywebtide.com).
    
    ### Does this PR introduce _any_ user-facing change?
    No.
    
    ### How was this patch tested?
    Pass GA
    
    Closes #37142 from bjornjorgensen/jetty-http-9.4.48.v20220622.
    
    Lead-authored-by: Bjørn Jørgensen <bjornjorgen...@gmail.com>
    Co-authored-by: Bjorn Jorgensen <bjornjorgen...@gmail.com>
    Signed-off-by: Hyukjin Kwon <gurwls...@apache.org>
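Not part of this commit or of Jetty's code: an added Python illustration of the parsing behaviour the advisory describes (a lenient parser reports `localhost;` as the host of `http://localhost;/path`), next to the strict host check a proxy or client can apply to a parsed authority before trusting it. Function names are assumptions made for the example.

```python
"""Added example: lenient URI parsing vs. a strict host check.
Mirrors the advisory's case: 'http://localhost;/path' must not yield a host."""
import ipaddress
import re
from typing import Optional
from urllib.parse import urlsplit

# One DNS label: 1-63 chars, alphanumerics and hyphens, no leading/trailing '-'
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def lenient_host(uri: str) -> Optional[str]:
    """What a permissive parser reports as the host.

    urllib.parse behaves like the HttpURI described in the advisory:
    the authority 'localhost;' comes back as a host, ';' included.
    """
    return urlsplit(uri).hostname


def is_valid_host(host: Optional[str]) -> bool:
    """Accept only a DNS hostname or an IP literal; reject sub-delims such as ';'."""
    if not host:
        return False
    # IPv4 address or IPv6 literal (urlsplit has already stripped the brackets)
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        pass
    if len(host) > 253:
        return False
    labels = host.rstrip(".").split(".")
    return all(_LABEL.match(label) for label in labels)


def strict_host(uri: str) -> Optional[str]:
    """Return the parsed host only if it passes validation, otherwise None.

    A proxy that forwards to strict_host(...) instead of lenient_host(...)
    refuses the malformed authority rather than connecting to 'localhost;'.
    """
    host = lenient_host(uri)
    return host if is_valid_host(host) else None
```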
---
 dev/deps/spark-deps-hadoop-2-hive-2.3 | 2 +-
 dev/deps/spark-deps-hadoop-3-hive-2.3 | 4 ++--
 pom.xml                               | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/dev/deps/spark-deps-hadoop-2-hive-2.3 
b/dev/deps/spark-deps-hadoop-2-hive-2.3
index e3342935c18..a20a114b08e 100644
--- a/dev/deps/spark-deps-hadoop-2-hive-2.3
+++ b/dev/deps/spark-deps-hadoop-2-hive-2.3
@@ -145,7 +145,7 @@ jersey-hk2/2.35//jersey-hk2-2.35.jar
 jersey-server/2.35//jersey-server-2.35.jar
 jetty-sslengine/6.1.26//jetty-sslengine-6.1.26.jar
 jetty-util/6.1.26//jetty-util-6.1.26.jar
-jetty-util/9.4.46.v20220331//jetty-util-9.4.46.v20220331.jar
+jetty-util/9.4.48.v20220622//jetty-util-9.4.48.v20220622.jar
 jetty/6.1.26//jetty-6.1.26.jar
 jline/2.14.6//jline-2.14.6.jar
 joda-time/2.10.13//joda-time-2.10.13.jar
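Review bot: The commit title names `jetty-http`, but the artifact that moves in this manifest is `jetty-util` (`jetty-util/9.4.46.v20220331` to `jetty-util/9.4.48.v20220622`); since these jars track the single `jetty.version` property, a title such as "Upgrade Jetty to 9.4.48.v20220622" would describe the change more accurately. Also visible in the context lines: `jetty-sslengine/6.1.26`, `jetty-util/6.1.26` and `jetty/6.1.26` are untouched by this bump, which is expected for jars not driven by `jetty.version`, but the quoted advisory and its fix concern 9.4.x only, so those legacy jars should be tracked as a separate item rather than assumed covered.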
diff --git a/dev/deps/spark-deps-hadoop-3-hive-2.3 
b/dev/deps/spark-deps-hadoop-3-hive-2.3
index a2dfd894afc..ec60ac1c2f5 100644
--- a/dev/deps/spark-deps-hadoop-3-hive-2.3
+++ b/dev/deps/spark-deps-hadoop-3-hive-2.3
@@ -132,8 +132,8 @@ 
jersey-container-servlet/2.35//jersey-container-servlet-2.35.jar
 jersey-hk2/2.35//jersey-hk2-2.35.jar
 jersey-server/2.35//jersey-server-2.35.jar
 jettison/1.1//jettison-1.1.jar
-jetty-util-ajax/9.4.46.v20220331//jetty-util-ajax-9.4.46.v20220331.jar
-jetty-util/9.4.46.v20220331//jetty-util-9.4.46.v20220331.jar
+jetty-util-ajax/9.4.48.v20220622//jetty-util-ajax-9.4.48.v20220622.jar
+jetty-util/9.4.48.v20220622//jetty-util-9.4.48.v20220622.jar
 jline/2.14.6//jline-2.14.6.jar
 joda-time/2.10.13//joda-time-2.10.13.jar
 jodd-core/3.5.2//jodd-core-3.5.2.jar
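Review bot: `jetty-util-ajax` and `jetty-util` move together here, which is what a bump of the shared `jetty.version` property should produce; the check worth doing before merge is that no other line in either manifest still references `9.4.46.v20220331`, since a stale entry would fail the dependency-manifest check even though `pom.xml` is correct. The advisory quoted in the message says the fix landed in 9.4.47, so 9.4.48.v20220622 covers it.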
diff --git a/pom.xml b/pom.xml
index 5465ca50e4a..fb9e202205f 100644
--- a/pom.xml
+++ b/pom.xml
@@ -133,7 +133,7 @@
     <derby.version>10.14.2.0</derby.version>
     <parquet.version>1.12.3</parquet.version>
     <orc.version>1.7.5</orc.version>
-    <jetty.version>9.4.46.v20220331</jetty.version>
+    <jetty.version>9.4.48.v20220622</jetty.version>
     <jakartaservlet.version>4.0.3</jakartaservlet.version>
     <chill.version>0.10.0</chill.version>
     <ivy.version>2.5.0</ivy.version>
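Review bot: Changing only `jetty.version` is the right place for this, but the PR description should state which Jetty artifacts Spark actually ships at this version (in the changed manifest lines that is `jetty-util` and `jetty-util-ajax`; `jetty-http` does not appear in the changed lines of either manifest), so readers can judge whether the `HttpURI` code path from CVE-2022-2047 is reachable in Spark. "Pass GA" as the test section also leaves it unstated that the dependency-manifest check ran, which is the one test that exercises the manifest hunks above.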

