[jira] [Commented] (SPARK-16751) Upgrade derby to 10.12.1.1 from 10.11.1.1

Wed, 27 Jul 2016 05:55:22 -0700 

    [ 
https://issues.apache.org/jira/browse/SPARK-16751?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15395617#comment-15395617
 ] 

Apache Spark commented on SPARK-16751:
--------------------------------------

User 'a-roberts' has created a pull request for this issue:
https://github.com/apache/spark/pull/14379

> Upgrade derby to 10.12.1.1 from 10.11.1.1
> -----------------------------------------
>
>                 Key: SPARK-16751
>                 URL: https://issues.apache.org/jira/browse/SPARK-16751
>             Project: Spark
>          Issue Type: Improvement
>          Components: Build
>    Affects Versions: 1.3.1, 1.4.1, 1.5.2, 1.6.2, 2.0.0
>         Environment: All platforms and major Spark releases
>            Reporter: Adam Roberts
>            Priority: Critical
>
> This JIRA is to upgrade the derby version from 10.11.1.1 to 10.12.1.1
> We only use derby for tests as far as myself and Sean Owen know, let's not 
> include it in the jars folder for Spark then.
> The upgrade is due to an already disclosed vulnerability (CVE-2015-1832) in 
> derby 10.11.1.1. We used https://www.versioneye.com/search and will be 
> checking for any other problems in a variety of libraries too: investigating 
> if we can set up a Jenkins job to check our pom on a regular basis so we can 
> stay ahead of the game for matters like this.
> This was raised on the mailing list at 
> http://apache-spark-developers-list.1001551.n3.nabble.com/VOTE-Release-Apache-Spark-2-0-0-RC5-tp18367p18465.html
>  by Stephen Hellberg and replied to by Sean Owen.
> I've checked the impact to previous Spark releases and this particular 
> version of derby is the only relatively recent and without vulnerabilities 
> version (I checked up to the 1.3 branch) so ideally we'd backport this for 
> all impacted Spark releases.
> I've marked this as critical and ticked the important checkbox as it's going 
> to impact every user, there isn't a security component (should we add one?) 
> and hence the build tag.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@spark.apache.org
For additional commands, e-mail: issues-h...@spark.apache.org

Reply via email to