Andrew Kyle Purtell created SPARK-40685:
-------------------------------------------

             Summary: Update kryo transitive dependency to 5.2.0 or later
                 Key: SPARK-40685
                 URL: https://issues.apache.org/jira/browse/SPARK-40685
             Project: Spark
          Issue Type: Bug
          Components: Spark Core
    Affects Versions: 3.3.0
            Reporter: Andrew Kyle Purtell


Spark 3.3 currently ships with kryo-shaded-4.0.2.jar, subject to [kryo#829|https://github.com/EsotericSoftware/kryo/issues/829], detected by several flavors of static vulnerability assessment tools, as a medium scored problem. Kryo versions 5.2.0 or later have a fix for this issue.

{noformat}
[INFO] org.apache.spark:spark-unsafe_2.12:jar:3.3.2-SNAPSHOT
[INFO] +- com.twitter:chill_2.12:jar:0.10.0:compile
[INFO] |  \- com.esotericsoftware:kryo-shaded:jar:4.0.2:compile
{noformat}

{noformat}
[INFO] org.apache.spark:spark-core_2.12:jar:3.3.2-SNAPSHOT
[INFO] +- com.twitter:chill_2.12:jar:0.10.0:compile
[INFO] |  \- com.esotericsoftware:kryo-shaded:jar:4.0.2:compile
{noformat}

This issue is not meant to imply a security problem in Spark itself.
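
An added example, not part of the original issue or of Spark's build: a Python check that reads `mvn dependency:tree` output like the excerpts above and reports the full chain that pulls in an artifact below a minimum version. The function names and the sample text (rebuilt from the issue's excerpts in Maven's usual three-character tree indentation) are assumptions of this example.

```python
import re

# Constructed sample: the two excerpts quoted in the issue, written with
# Maven's usual three-character tree indentation.
SAMPLE_TREE = """\
[INFO] org.apache.spark:spark-unsafe_2.12:jar:3.3.2-SNAPSHOT
[INFO] +- com.twitter:chill_2.12:jar:0.10.0:compile
[INFO] |  \\- com.esotericsoftware:kryo-shaded:jar:4.0.2:compile
[INFO] org.apache.spark:spark-core_2.12:jar:3.3.2-SNAPSHOT
[INFO] +- com.twitter:chill_2.12:jar:0.10.0:compile
[INFO] |  \\- com.esotericsoftware:kryo-shaded:jar:4.0.2:compile
"""

# Tree prefix ("+- ", "|  ", "\- ", "   "), then group:artifact:type[:classifier]:version[:scope].
NODE = re.compile(r"^\[INFO\] ([|+\\\- ]*)([A-Za-z][\w.\-]*(?::[\w.\-]+){3,5})\s*$")


def parse_version(text):
    """Leading dotted number as a 4-tuple; qualifiers such as -SNAPSHOT are ignored."""
    m = re.match(r"\d+(?:\.\d+)*", text)
    nums = [int(n) for n in m.group().split(".")] if m else []
    return tuple((nums + [0, 0, 0, 0])[:4])  # unparseable -> all zeros, so it is flagged


def find_outdated(tree_text, artifact, min_version):
    """Return the full dependency chain for every `artifact` node below `min_version`."""
    floor = parse_version(min_version)
    stack, hits = [], []
    for line in tree_text.splitlines():
        m = NODE.match(line)
        if not m:
            continue  # banner, blank or summary line
        prefix, coord = m.groups()
        depth = len(prefix) // 3          # each tree level is three characters wide
        stack = stack[:depth] + [coord]   # drop siblings and deeper nodes, then push
        parts = coord.split(":")
        version = parts[4] if len(parts) == 6 else parts[3]
        if ":".join(parts[:2]) == artifact and parse_version(version) < floor:
            hits.append(list(stack))
    return hits


if __name__ == "__main__":
    for chain in find_outdated(SAMPLE_TREE, "com.esotericsoftware:kryo-shaded", "5.2.0"):
        print(" -> ".join(chain))
```

Each reported chain names the direct dependency (here `com.twitter:chill_2.12`) that has to be upgraded or overridden to move the transitive version.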