[ https://issues.apache.org/jira/browse/SPARK-39725?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17611248#comment-17611248 ]
phoebe chen commented on SPARK-39725:
-------------------------------------

[~bjornjorgensen] Thanks so much for your super fast response and detailed analysis.

For the jetty-io 9.4.46 used by org.seleniumhq.selenium:htmlunit-driver, it seems to be in test scope. As a spark-core:3.3.0 jar user, it seems that this jetty-io 9.4.46 used in htmlunit-driver won't have an impact.

The [PR37142|https://github.com/apache/spark/pull/37142] you made for this issue should upgrade all jetty jars (including jetty-io) to a vulnerability-free version and make the spark-core.jar secure in terms of CVE-2022-2047 and CVE-2022-2048.

Now that this issue has its "Fixed Version" set to 3.4.0, which will happen in February 2023, is it possible to include this [PR37142|https://github.com/apache/spark/pull/37142] in the 3.3.1 release (or any release earlier than 3.4.0), so that the security fix can be applied earlier? Thanks.

> Upgrade jetty-http from 9.4.46.v20220331 to 9.4.48.v20220622
> ------------------------------------------------------------
>
>                 Key: SPARK-39725
>                 URL: https://issues.apache.org/jira/browse/SPARK-39725
>             Project: Spark
>          Issue Type: Bug
>          Components: Build
>    Affects Versions: 3.4.0
>            Reporter: Bjørn Jørgensen
>            Assignee: Bjørn Jørgensen
>            Priority: Major
>             Fix For: 3.4.0
>
>         Attachments: jetty-io-spark.png
>
>
> [Release note |https://github.com/eclipse/jetty.project/releases]
> [CVE-2022-2047|https://nvd.nist.gov/vuln/detail/CVE-2022-2047]
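The comment above turns on a dependency-scope distinction: a vulnerable Jetty artifact only matters to a consumer of spark-core if it is reachable in a scope that is exported to that consumer, and a test-scoped transitive dependency (jetty-io pulled in by htmlunit-driver) is not. The script below is an added example, not code from the ticket, the PR or the Spark project. It parses `mvn dependency:tree` text output (the `group:artifact:packaging:version:scope` line format that Maven prints) and lists Jetty artifacts that are both below the fixed version named in the ticket and in a scope visible to downstream consumers. `SAMPLE_TREE` is a constructed input that mirrors the situation described in the comment; it is not real Spark build output.

```python
"""Flag Jetty artifacts that reach an exported scope below the fixed version.

Added example for SPARK-39725; not part of the Spark project. The input
format is that of `mvn dependency:tree`; SAMPLE_TREE is constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample of `mvn dependency:tree` output (not real Spark output):
# two compile-scope Jetty jars still at 9.4.46, one already on 9.4.48, and
# jetty-io reached only through the test-scoped htmlunit-driver.
SAMPLE_TREE = """\
[INFO] org.apache.spark:spark-core_2.12:jar:3.3.0
[INFO] +- org.eclipse.jetty:jetty-http:jar:9.4.46.v20220331:compile
[INFO] |  \\- org.eclipse.jetty:jetty-util:jar:9.4.46.v20220331:compile
[INFO] +- org.eclipse.jetty:jetty-servlet:jar:9.4.48.v20220622:compile
[INFO] \\- org.seleniumhq.selenium:htmlunit-driver:jar:2.62.0:test
[INFO]    \\- org.eclipse.jetty:jetty-io:jar:9.4.46.v20220331:test
"""

# Version the ticket upgrades to (from the issue title).
FIXED_JETTY = "9.4.48.v20220622"

# Maven scopes that are transitive to consumers of the published artifact.
# test and provided dependencies are not exported, so they do not reach a
# downstream user of the jar.
EXPOSED_SCOPES = {"compile", "runtime"}

JETTY_GROUP = "org.eclipse.jetty"


@dataclass(frozen=True)
class Artifact:
    group: str
    artifact: str
    version: str
    scope: str  # "" for the root artifact, which has no scope


def parse_tree(text: str) -> List[Artifact]:
    """Parse `mvn dependency:tree` lines into Artifact records."""
    artifacts = []
    for line in text.splitlines():
        if not line.startswith("[INFO]"):
            continue
        # Drop the log prefix and the ASCII tree drawing (+-, |, \-).
        body = line[len("[INFO]"):].lstrip(" |+\\-")
        parts = body.split(":")
        if len(parts) < 4:
            continue  # not a coordinate line (e.g. blank or a build message)
        group, artifact, _packaging, version = parts[:4]
        scope = parts[4] if len(parts) > 4 else ""
        artifacts.append(Artifact(group, artifact, version, scope))
    return artifacts


def version_key(version: str) -> Tuple[int, ...]:
    """Numeric prefix of a Jetty version, e.g. 9.4.46.v20220331 -> (9, 4, 46).

    Comparison stops at the first non-numeric segment, so the date-stamped
    qualifier does not distort ordering.
    """
    key = []
    for part in version.split("."):
        if not re.fullmatch(r"\d+", part):
            break
        key.append(int(part))
    return tuple(key)


def vulnerable_jetty(artifacts: List[Artifact], fixed: str = FIXED_JETTY) -> List[Artifact]:
    """Jetty artifacts below `fixed` that are exported to consumers."""
    fixed_key = version_key(fixed)
    return [
        a for a in artifacts
        if a.group == JETTY_GROUP
        and a.scope in EXPOSED_SCOPES
        and version_key(a.version) < fixed_key
    ]


def report(text: str = SAMPLE_TREE) -> List[str]:
    """Human-readable findings, one per exposed vulnerable Jetty artifact."""
    return [
        f"{a.group}:{a.artifact}:{a.version} ({a.scope}) is below {FIXED_JETTY}"
        for a in vulnerable_jetty(parse_tree(text))
    ]


if __name__ == "__main__":
    for line in report():
        print(line)
```

Run against a real build with `mvn dependency:tree > tree.txt` and feed the file to `report`. The test-scoped jetty-io line is deliberately excluded, matching the reasoning in the comment; if a future build moved htmlunit-driver into compile scope, the same script would start reporting it.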