[ https://issues.apache.org/jira/browse/SPARK-46267?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Laurenceau Julien updated SPARK-46267:
--------------------------------------

    Description:

It would be necessary to upgrade the Derby dependency in order to solve a critical vulnerability that was fixed in the latest release of Derby in November:
[https://db.apache.org/derby/releases/release-10_17_1_0.cgi]
https://issues.apache.org/jira/browse/DERBY-7147?focusedCommentId=17799544&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-17799544

The vuln:
```
│ Library                                      │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │ Title                                                        │
│ org.apache.derby:derby (derby-10.14.2.0.jar) │ CVE-2022-46337 │ CRITICAL │ fixed  │ 10.14.2.0         │ 10.17.1.0     │ A cleverly devised username might bypass LDAP authentication │
```

  was:

It would be necessary to upgrade the Derby dependency in order to solve a critical vulnerability that was fixed in the latest release of Derby in November:
[https://db.apache.org/derby/releases/release-10_17_1_0.cgi]

The vuln:
```
│ Library                                      │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │ Title                                                        │
│ org.apache.derby:derby (derby-10.14.2.0.jar) │ CVE-2022-46337 │ CRITICAL │ fixed  │ 10.14.2.0         │ 10.17.1.0     │ A cleverly devised username might bypass LDAP authentication │
```

> critical vulnerability with a fix in Derby
> ------------------------------------------
>
>                 Key: SPARK-46267
>                 URL: https://issues.apache.org/jira/browse/SPARK-46267
>             Project: Spark
>          Issue Type: Dependency upgrade
>          Components: Build
>    Affects Versions: 3.4.1
>         Environment: I know it is in spark 3.4.1 that is the last version released by canonical charmed spark.
> Since the fix was released on Nov 10 on derby side it probably affects all versions of spark.
>            Reporter: Laurenceau Julien
>            Priority: Major
>              Labels: security
>
> It would be necessary to upgrade the Derby dependency in order to solve a critical vulnerability that was fixed in the latest release of Derby in November:
> [https://db.apache.org/derby/releases/release-10_17_1_0.cgi]
> https://issues.apache.org/jira/browse/DERBY-7147?focusedCommentId=17799544&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-17799544
>
> The vuln:
> ```
> │ Library                                      │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │ Title                                                        │
> │ org.apache.derby:derby (derby-10.14.2.0.jar) │ CVE-2022-46337 │ CRITICAL │ fixed  │ 10.14.2.0         │ 10.17.1.0     │ A cleverly devised username might bypass LDAP authentication │
> ```

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
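As an added check (not part of the issue above or of the Spark project), the following script scans a Spark jars/ directory listing for the org.apache.derby:derby artifact named in the scanner row and flags any copy older than the 10.17.1.0 release that the issue cites as carrying the fix for CVE-2022-46337. The jar listing is constructed sample data; the version comparison is numeric per component so that, say, 10.9 is not mistaken for being newer than 10.17.

```python
"""Flag Derby jars older than the release that fixes CVE-2022-46337."""
import re
from typing import Iterable

# Fixed version taken from the scanner row quoted in the issue; the derby artifact is
# the only one that row covers, so only that artifact is checked here.
FIXED_VERSIONS = {"org.apache.derby:derby": "10.17.1.0"}

# Constructed sample of a Spark jars/ directory listing (not a real deployment).
SAMPLE_JARS = [
    "derby-10.14.2.0.jar",        # the installed version from the scanner row
    "hive-exec-2.3.9-core.jar",   # unrelated jar with a classifier suffix
    "derbyclient-10.17.1.0.jar",  # different artifact, out of scope for this check
]

# Matches <artifact>-<dotted version>[-classifier].jar
JAR_RE = re.compile(
    r"^(?P<name>[A-Za-z][\w\-]*?)-(?P<version>\d+(?:\.\d+)*)(?:-[\w.]+)?\.jar$"
)


def parse_version(v: str) -> tuple[int, ...]:
    """Split a dotted version into integers so components compare numerically."""
    return tuple(int(p) for p in v.split("."))


def is_fixed(installed: str, fixed: str) -> bool:
    """True when installed >= fixed; shorter versions are zero-padded (10.17.1 == 10.17.1.0)."""
    a, b = parse_version(installed), parse_version(fixed)
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) >= b + (0,) * (n - len(b))


def find_vulnerable_jars(jar_names: Iterable[str]) -> list[tuple[str, str, str]]:
    """Return (jar, installed, fixed) for every derby jar below the fixed version."""
    fixed = FIXED_VERSIONS["org.apache.derby:derby"]
    findings = []
    for jar in jar_names:
        m = JAR_RE.match(jar)
        if not m or m.group("name") != "derby":
            continue
        if not is_fixed(m.group("version"), fixed):
            findings.append((jar, m.group("version"), fixed))
    return findings


if __name__ == "__main__":
    for jar, installed, fixed in find_vulnerable_jars(SAMPLE_JARS):
        print(f"{jar}: installed {installed} < fixed {fixed} (CVE-2022-46337)")
```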