[jira] [Commented] (SPARK-16751) Upgrade derby to 10.12.1.1 from 10.11.1.1

Fri, 29 Jul 2016 06:18:39 -0700 

    [ 
https://issues.apache.org/jira/browse/SPARK-16751?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15399330#comment-15399330
 ] 

Apache Spark commented on SPARK-16751:
--------------------------------------

User 'srowen' has created a pull request for this issue:
https://github.com/apache/spark/pull/14403

> Upgrade derby to 10.12.1.1 from 10.11.1.1
> -----------------------------------------
>
>                 Key: SPARK-16751
>                 URL: https://issues.apache.org/jira/browse/SPARK-16751
>             Project: Spark
>          Issue Type: Bug
>          Components: Build
>    Affects Versions: 1.3.1, 1.4.1, 1.5.2, 1.6.2, 2.0.0
>         Environment: All platforms and major Spark releases
>            Reporter: Adam Roberts
>            Assignee: Adam Roberts
>             Fix For: 1.6.3, 2.0.1, 2.1.0
>
>
> This JIRA is to upgrade the derby version from 10.11.1.1 to 10.12.1.1
> Sean and I figured that we only use derby for tests and so the initial pull 
> request was to not include it in the jars folder for Spark. I now believe it 
> is required based on comments for the pull request and so this is only a 
> dependency upgrade.
> The upgrade is due to an already disclosed vulnerability (CVE-2015-1832) in 
> derby 10.11.1.1. We used https://www.versioneye.com/search and will be 
> checking for any other problems in a variety of libraries too: investigating 
> if we can set up a Jenkins job to check our pom on a regular basis so we can 
> stay ahead of the game for matters like this.
> This was raised on the mailing list at 
> http://apache-spark-developers-list.1001551.n3.nabble.com/VOTE-Release-Apache-Spark-2-0-0-RC5-tp18367p18465.html
>  by Stephen Hellberg and replied to by Sean Owen.
> I've checked the impact to previous Spark releases and this particular 
> version of derby is the only relatively recent and without vulnerabilities 
> version (I checked up to the 1.3 branch) so ideally we'd backport this for 
> all impacted Spark releases.
> I've marked this as critical and ticked the important checkbox as it's going 
> to impact every user, there isn't a security component (should we add one?) 
> and hence the build tag.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@spark.apache.org
For additional commands, e-mail: issues-h...@spark.apache.org

Reply via email to