[ 
https://issues.apache.org/jira/browse/SPARK-13599?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15174231#comment-15174231
 ] 

Steve Loughran commented on SPARK-13599:
----------------------------------------

It's related to a Groovy deserialization vulnerability, 
[CVE-2015-3253|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3253].

It doesn't directly make spark vulnerable, but it means that the groovy classes 
which contain the vulnerability are being bundled into spark-assembly.jar and 
picked up in builds by things that depend on spark-hive.jar.


So the fact that the groovy classes are in there is minor (16MB more of 
download), but the fact that it is known to be potentially insecure is more of an issue.

> Groovy-all ends up in spark-assembly if hive profile set
> --------------------------------------------------------
>
>                 Key: SPARK-13599
>                 URL: https://issues.apache.org/jira/browse/SPARK-13599
>             Project: Spark
>          Issue Type: Improvement
>          Components: Build
>    Affects Versions: 1.5.0, 1.6.0
>            Reporter: Steve Loughran
>            Priority: Minor
>
> If you do a build with {{-Phive,hive-thriftserver}} then the contents of 
> {{org.codehaus.groovy:groovy-all}} get into the spark-assembly.jar
> This is bad because
> * it makes the JAR bigger
> * it makes the build longer
> * it's an uber-JAR itself, so can include things (maybe even conflicting 
> things)
> * It's something else that needs to be kept up to date security-wise



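A check for the situation the comment describes, added here as an example (not code from Spark, Hive or the commenter): open an assembly jar, count the class entries under the groovy-all package prefixes, read the bundled Groovy version from its shaded Maven metadata, and flag it if it is older than the release that fixed CVE-2015-3253. The fixed-version threshold (2.4.4, taken from Groovy's advisory for that CVE) and the sample jar contents, including its version string, are assumptions constructed for the example; verify the threshold against the advisory before relying on it.

```python
"""Scan an uber-jar for shaded Groovy classes and report the bundled version.

Added example, not Spark's or Hive's own code.
"""
import io
import sys
import zipfile

# Jar entry prefixes that belong to org.codehaus.groovy:groovy-all.
GROOVY_PREFIXES = ("groovy/", "org/codehaus/groovy/")
# Maven metadata that shade plugins usually carry along; used to recover the version.
GROOVY_POM_PROPS = "META-INF/maven/org.codehaus.groovy/groovy-all/pom.properties"
# First Groovy release with the CVE-2015-3253 fix, per the Groovy advisory
# (assumption: check it against the advisory before relying on it).
FIXED_VERSION = (2, 4, 4)


def parse_version(text):
    """'2.4.3' -> (2, 4, 3); a non-numeric tail such as '-SNAPSHOT' is dropped."""
    parts = []
    for piece in text.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def scan_jar(jar, prefixes=GROOVY_PREFIXES):
    """Describe the Groovy content of a jar given as a path or file object."""
    with zipfile.ZipFile(jar) as zf:
        names = zf.namelist()
        hits = sorted(n for n in names
                      if n.endswith(".class") and n.startswith(prefixes))
        version = None
        if GROOVY_POM_PROPS in names:
            props = zf.read(GROOVY_POM_PROPS).decode("utf-8", "replace")
            for line in props.splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
    return {"class_count": len(hits), "version": version, "sample": hits[:5]}


def is_vulnerable_version(version, fixed=FIXED_VERSION):
    """True when the bundled version predates the fixed release, or is unknown."""
    if version is None:
        return True  # cannot show it is patched, so treat it as a finding
    return parse_version(version) < fixed


def build_sample_jar(groovy_version="2.4.3"):
    """Constructed stand-in for spark-assembly.jar: a few Spark/Hive entries plus shaded Groovy."""
    magic = b"\xca\xfe\xba\xbe"  # class-file magic; bodies do not matter for the scan
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("org/apache/spark/SparkContext.class", magic)
        zf.writestr("org/apache/hadoop/hive/ql/Driver.class", magic)
        zf.writestr("groovy/lang/GroovyObject.class", magic)
        zf.writestr("org/codehaus/groovy/runtime/MethodClosure.class", magic)
        zf.writestr(GROOVY_POM_PROPS,
                    "groupId=org.codehaus.groovy\nartifactId=groovy-all\n"
                    "version=%s\n" % groovy_version)
    buf.seek(0)
    return buf


def report(jar):
    """Human-readable summary for one jar."""
    r = scan_jar(jar)
    if r["class_count"] == 0:
        return "no Groovy classes bundled"
    flag = "OLDER THAN FIX" if is_vulnerable_version(r["version"]) else "at/after fix"
    return "%d Groovy classes, groovy-all version %s (%s), e.g. %s" % (
        r["class_count"], r["version"] or "unknown", flag, ", ".join(r["sample"][:2]))


if __name__ == "__main__":
    # Usage: python scan_assembly.py path/to/spark-assembly.jar
    # With no argument, runs against the constructed sample jar.
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_jar()
    print(report(target))
```

Run it against a real spark-assembly.jar built with the hive profiles to confirm whether groovy-all was shaded in and which version; an absent pom.properties is reported as unknown and treated as a finding rather than silently passing.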
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)