[jira] [Commented] (SPARK-38262) Upgrade Google guava to version 30.0-jre
[ https://issues.apache.org/jira/browse/SPARK-38262?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17531723#comment-17531723 ] Bjørn Jørgensen commented on SPARK-38262: - [~pralabhkumar] have a look at this PR [36231|https://github.com/apache/spark/pull/36231] That [~dcoliversun] made. > Upgrade Google guava to version 30.0-jre > > > Key: SPARK-38262 > URL: https://issues.apache.org/jira/browse/SPARK-38262 > Project: Spark > Issue Type: Bug > Components: Build >Affects Versions: 3.3.0 >Reporter: Bjørn Jørgensen >Priority: Major > > This is duplicated many times like in > [SPARK-32502|https://issues.apache.org/jira/browse/SPARK-32502] > Apache Spark is using com.google.guava:guava version 14.0.1 which has two > security issues. > [CVE-2018-10237|https://nvd.nist.gov/vuln/detail/CVE-2018-10237] > [CVE-2020-8908|https://nvd.nist.gov/vuln/detail/CVE-2020-8908] > We should upgrade to [version > 30.0|https://mvnrepository.com/artifact/com.google.guava/guava/30.0-jre] > I will add some links to what I have found about this issue > [HIVE-25617:fix bug introduced by > CVE-2020-8908|https://github.com/apache/hive/pull/2725] > [Upgrade Guava to 27|https://github.com/apache/druid/pull/10683] > [HIVE-21961: Upgrade Hadoop to 3.1.4, Guava to 27.0-jre and Jetty to > 9.4.20.v20190813|https://github.com/apache/hive/pull/1821] > [Shade Guava manually|https://github.com/apache/druid/issues/6942] > [[DISCUSS] Hadoop 3, dropping support for Hadoop > 2.x|https://lists.apache.org/thread/zmc389trnkh6x444so8mdb2h0x0noqq4] -- This message was sent by Atlassian Jira (v8.20.7#820007) - To unsubscribe, e-mail: issues-unsubscr...@spark.apache.org For additional commands, e-mail: issues-h...@spark.apache.org
[jira] [Commented] (SPARK-38262) Upgrade Google guava to version 30.0-jre
[ https://issues.apache.org/jira/browse/SPARK-38262?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17531526#comment-17531526 ] pralabhkumar commented on SPARK-38262: -- [~bjornjorgensen] So QQ , as part of this PR , it is not upgraded to version 30.0 , because of issues on Hive and Hadoop side. * So is there any plan to fix [CVE-2020-8908|https://nvd.nist.gov/vuln/detail/CVE-2020-8908] * does this effect https://issues.apache.org/jira/browse/HADOOP-18036 any decision on Spark side > Upgrade Google guava to version 30.0-jre > > > Key: SPARK-38262 > URL: https://issues.apache.org/jira/browse/SPARK-38262 > Project: Spark > Issue Type: Bug > Components: Build >Affects Versions: 3.3.0 >Reporter: Bjørn Jørgensen >Priority: Major > > This is duplicated many times like in > [SPARK-32502|https://issues.apache.org/jira/browse/SPARK-32502] > Apache Spark is using com.google.guava:guava version 14.0.1 which has two > security issues. > [CVE-2018-10237|https://nvd.nist.gov/vuln/detail/CVE-2018-10237] > [CVE-2020-8908|https://nvd.nist.gov/vuln/detail/CVE-2020-8908] > We should upgrade to [version > 30.0|https://mvnrepository.com/artifact/com.google.guava/guava/30.0-jre] > I will add some links to what I have found about this issue > [HIVE-25617:fix bug introduced by > CVE-2020-8908|https://github.com/apache/hive/pull/2725] > [Upgrade Guava to 27|https://github.com/apache/druid/pull/10683] > [HIVE-21961: Upgrade Hadoop to 3.1.4, Guava to 27.0-jre and Jetty to > 9.4.20.v20190813|https://github.com/apache/hive/pull/1821] > [Shade Guava manually|https://github.com/apache/druid/issues/6942] > [[DISCUSS] Hadoop 3, dropping support for Hadoop > 2.x|https://lists.apache.org/thread/zmc389trnkh6x444so8mdb2h0x0noqq4] -- This message was sent by Atlassian Jira (v8.20.7#820007) - To unsubscribe, e-mail: issues-unsubscr...@spark.apache.org For additional commands, e-mail: issues-h...@spark.apache.org
[jira] [Commented] (SPARK-38262) Upgrade Google guava to version 30.0-jre
[ https://issues.apache.org/jira/browse/SPARK-38262?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17495220#comment-17495220 ] Apache Spark commented on SPARK-38262: -- User 'bjornjorgensen' has created a pull request for this issue: https://github.com/apache/spark/pull/35584 > Upgrade Google guava to version 30.0-jre > > > Key: SPARK-38262 > URL: https://issues.apache.org/jira/browse/SPARK-38262 > Project: Spark > Issue Type: Bug > Components: Build >Affects Versions: 3.3.0 >Reporter: Bjørn Jørgensen >Priority: Major > > Apache Spark is using com.google.guava:guava version 14.0.1 which has two > security issues. > [CVE-2018-10237|https://nvd.nist.gov/vuln/detail/CVE-2018-10237] > [CVE-2020-8908|https://nvd.nist.gov/vuln/detail/CVE-2020-8908] > We should upgrade to [version > 30.0|https://mvnrepository.com/artifact/com.google.guava/guava/30.0-jre] -- This message was sent by Atlassian Jira (v8.20.1#820001) - To unsubscribe, e-mail: issues-unsubscr...@spark.apache.org For additional commands, e-mail: issues-h...@spark.apache.org
[jira] [Commented] (SPARK-38262) Upgrade Google guava to version 30.0-jre
[ https://issues.apache.org/jira/browse/SPARK-38262?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17495219#comment-17495219 ] Apache Spark commented on SPARK-38262: -- User 'bjornjorgensen' has created a pull request for this issue: https://github.com/apache/spark/pull/35584 > Upgrade Google guava to version 30.0-jre > > > Key: SPARK-38262 > URL: https://issues.apache.org/jira/browse/SPARK-38262 > Project: Spark > Issue Type: Bug > Components: Build >Affects Versions: 3.3.0 >Reporter: Bjørn Jørgensen >Priority: Major > > Apache Spark is using com.google.guava:guava version 14.0.1 which has two > security issues. > [CVE-2018-10237|https://nvd.nist.gov/vuln/detail/CVE-2018-10237] > [CVE-2020-8908|https://nvd.nist.gov/vuln/detail/CVE-2020-8908] > We should upgrade to [version > 30.0|https://mvnrepository.com/artifact/com.google.guava/guava/30.0-jre] -- This message was sent by Atlassian Jira (v8.20.1#820001) - To unsubscribe, e-mail: issues-unsubscr...@spark.apache.org For additional commands, e-mail: issues-h...@spark.apache.org
